Nmap/Short Course/Lecture 1
From charlesreid1
Summary and Objective
Summary:
- Covers various Nmap techniques for host discovery beyond simple pings (-sn, -PE, -PP, -PM, -PS[ports], -PA[ports], -PU[ports], -PR).
- Discusses target specification (CIDR, ranges, lists), excluding targets (--exclude), and inputting targets from a file (-iL).
- Introduces basic timing templates (-T0 through -T5) and their implications.
Objective:
- To equip students with a solid understanding of Nmap's host discovery mechanisms, enabling them to accurately identify live systems on a target network, select appropriate discovery techniques based on network conditions, and correctly define scan scopes.
Notes
What is host discovery and why is it important?
Host discovery is the initial phase in any network reconnaissance or security audit. Before you can probe for open ports, identify services, or detect vulnerabilities, you must first determine which hosts are online and responsive on the target network. Attempting to scan IP addresses that aren't active is inefficient, wastes time, and can generate unnecessary network noise, potentially alerting network defenders prematurely. Effective host discovery narrows down the scope of your subsequent, more intensive scanning efforts, making the entire process more efficient and targeted. Think of it as creating a map of active settlements before exploring each one in detail.
Ethical considerations
It's important to emphasize that Nmap, while a powerful tool for network administrators and security professionals, must only be used on networks where you have explicit, written authorization. Unauthorized scanning can be perceived as an attack and may have legal consequences.
In this course, all Nmap activities will be conducted within isolated, virtual lab environments designed for safe practice. Understanding the "rules of engagement" is as critical as understanding Nmap's syntax. We are learning these techniques for defensive purposes and authorized security assessments.
Host discovery process
Nmap doesn't just rely on a single method to determine if a host is up.
By default, for a privileged user (like root or administrator), Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request to each target. If any of these probes elicit a response, Nmap considers the host to be online.
For unprivileged users who cannot send raw packets, Nmap resorts to a TCP three-way handshake by attempting to connect to common ports (like 80 and 443). If a connection is successfully established (even if it's immediately closed), the host is marked as up. This multi-probe approach increases the chances of finding live hosts, even if some probe types are blocked by firewalls.
Default nmap behavior
When you run Nmap with a target but without specifying any scan types (like -sS or -sT), and if you don't explicitly ask for host discovery only (like with -sn), Nmap will perform host discovery and then, for live hosts, proceed to a port scan of the 1000 most common TCP ports. If you only want to perform host discovery and not port scan, the -sn option is your primary tool.
For the purposes of this lecture, we will only be performing host discovery scans (-sn).
nmap -sn <target_IP_or_range>
Core nmap host discovery techniques
Here we cover the most common and effective nmap command-line options specifically for host discovery.
Ping (no port) scan
The -sn option (previously -sP in older Nmap versions, think "scan ping" or "skip port scan") tells Nmap to perform only host discovery and not to follow up with a port scan on live hosts.
This scan is extremely useful for quickly enumerating active machines on a network, perhaps as a first step in a network inventory or before launching a more detailed scan on a limited set of targets. It's generally faster than a full port scan because it doesn't try to determine the state of numerous ports on each host.
For privileged users, -sn uses the multi-probe approach mentioned earlier (ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp). For unprivileged users, it attempts TCP connections to ports 80 and 443.
# Example: Perform a ping scan against a single host
nmap -sn 192.168.1.1
# Example: Perform a ping scan against a subnet
nmap -sn 192.168.1.0/24
[Instructor: Run 'nmap -sn <your_lab_target_IP>' and show output]
Starting Nmap X.XX ( https://nmap.org ) at YYYY-MM-DD HH:MM ZONE
Host 192.168.1.1 is up (0.0020s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Vendor)
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
The output will list hosts that are "up" and may sometimes show MAC addresses if on the same Ethernet segment (due to ARP).
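As an added example (not part of the original lecture notes), the following Python turns -sn output like the listing above into a host inventory and cross-checks it against the "Nmap done" summary line. The sample output, addresses, hostname and vendor string are constructed for the example; it accepts both the "Host <ip> is up" line style shown above and the "Nmap scan report for ..." style used by newer Nmap releases.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class LiveHost:
    ip: str
    hostname: Optional[str] = None
    latency_s: Optional[float] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None

# Constructed sample (not real scan output) mixing both address-line styles: "Host <ip> is up" and "Nmap scan report for ..." + "Host is up".
SAMPLE_OUTPUT = """\
Host 192.168.1.1 is up (0.0020s latency).
MAC Address: 00:11:22:33:44:55 (ExampleVendor)
Nmap scan report for fileserver.lab (192.168.1.20)
Host is up (0.0031s latency).
MAC Address: 66:77:88:99:AA:BB (ExampleVendor)
Nmap scan report for 192.168.1.30
Host is up (0.0105s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[\d.]+)\)?$")
UP_RE = re.compile(r"^Host(?: (?P<ip>[\d.]+))? is up(?: \((?P<lat>[\d.]+)s latency\))?\.")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \((?P<vendor>[^)]*)\)")
DONE_RE = re.compile(r"^Nmap done: \d+ IP address(?:es)? \((?P<up>\d+) hosts? up\)")

def parse_sn_output(text: str) -> List[LiveHost]:
    hosts: List[LiveHost] = []
    pending_ip = pending_name = None   # address carried over from a "scan report" line
    for line in text.splitlines():
        if m := REPORT_RE.match(line):
            pending_ip, pending_name = m["ip"], m["name"]
        elif m := UP_RE.match(line):
            ip = m["ip"] or pending_ip
            if ip is None:
                continue               # no address context: skip rather than guess
            lat = float(m["lat"]) if m["lat"] else None
            hosts.append(LiveHost(ip=ip, hostname=pending_name, latency_s=lat))
            pending_ip = pending_name = None
        elif (m := MAC_RE.match(line)) and hosts:
            hosts[-1].mac, hosts[-1].vendor = m["mac"], m["vendor"]   # ARP-derived, same segment only
        elif m := DONE_RE.match(line):
            # Summary must agree with what we parsed; otherwise the format changed and the inventory is suspect.
            if int(m["up"]) != len(hosts):
                raise ValueError(f"summary reports {m['up']} up, parsed {len(hosts)}")
    return hosts
```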
Ping probe
When firewalls are permissive towards ICMP (Internet Control Message Protocol), these ping probes can be very effective. However, many networks block ICMP to thwart reconnaissance.
ICMP Echo Request (-PE): This is the standard "ping" packet. If a host responds with an ICMP echo reply, it's up.
sudo nmap -PE 192.168.1.100
ICMP Timestamp Request (-PP): Some systems might block echo requests but respond to timestamp requests. Nmap sends an ICMP timestamp request (type 13) and looks for a timestamp reply (type 14).
sudo nmap -PP 192.168.1.101
ICMP Address Mask Request (-PM): Another less common ICMP query that can sometimes elicit a response when others are blocked. This type of ICMP query was designed for a host to learn its subnet mask, but these types of queries are rarely used legitimately today.
sudo nmap -PM 192.168.1.102
If -PE, -PP, or -PM are used individually with -sn, Nmap will only use that specific ICMP probe type for discovery.
If used without -sn but with port scan types, they influence the initial discovery phase before port scanning.
TCP-based probes
These types of probes are useful for situations where ICMP packets are being blocked by a firewall.
TCP SYN Ping (-PS[portlist]): Nmap sends a TCP packet with the SYN flag set to specific ports. If a host responds with a SYN/ACK (indicating the port is open or listening) or an RST (reset, indicating the port is closed), Nmap knows the host is online.
By default, if no port list is given, it uses port 80. You can specify a list: -PS22,80,443.
# TCP SYN ping to default port 80
sudo nmap -PS 192.168.1.0/24
# TCP SYN ping to ports 22 (SSH) and 3389 (RDP)
sudo nmap -PS22,3389 192.168.1.50
This method often works because firewalls are typically configured to allow inbound traffic to common public services like web servers (port 80/443).
TCP ACK Ping (-PA[portlist]): Nmap sends a TCP packet with the ACK flag set. Most modern operating systems will respond with a TCP RST packet if they receive an unsolicited ACK packet, regardless of whether a port is open or closed, as long as the host is up. This can be useful for discovering hosts protected by stateful firewalls that might block SYN packets but allow ACK packets through (if they expect them to be part of an existing, albeit non-existent, connection).
By default, port 80 is used.
# TCP ACK ping to default port 80
sudo nmap -PA 192.168.1.0/24
# TCP ACK ping to port 21 (FTP)
sudo nmap -PA21 192.168.1.55
The key takeaway is that receiving an RST packet in response to an ACK probe indicates the host is alive. If there's no response, the host is either down or the firewall is dropping the probe.
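Seen from the defender's side, the ICMP and TCP probe types described in the two sections above each leave a recognizable pattern: one source sending the same ICMP query type, or TCP ACKs with no preceding handshake, to many hosts. The following added example (not from the original lecture) runs that detection logic over constructed packet-summary lines; the line format, addresses and the three-host threshold are assumptions made up for the example.

```python
from collections import defaultdict
from typing import Dict, Optional

# Constructed packet summaries (not tcpdump output), one packet per line: <time> <src> <dst> <proto> key=value ...
# 10.0.0.5 sweeps several hosts with ICMP queries and unsolicited ACKs;
# 10.0.0.9 completes a normal handshake, whose final ACK must not be flagged.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.1.1 icmp type=8
10:00:01 10.0.0.5 10.0.1.2 icmp type=8
10:00:01 10.0.0.5 10.0.1.3 icmp type=8
10:00:01 10.0.0.5 10.0.1.4 icmp type=13
10:00:01 10.0.0.5 10.0.1.5 icmp type=13
10:00:02 10.0.0.5 10.0.1.6 tcp dport=80 flags=A
10:00:02 10.0.0.5 10.0.1.7 tcp dport=80 flags=A
10:00:02 10.0.0.5 10.0.1.8 tcp dport=80 flags=A
10:00:03 10.0.0.9 10.0.1.9 tcp dport=443 flags=S
10:00:03 10.0.1.9 10.0.0.9 tcp dport=51000 flags=SA
10:00:03 10.0.0.9 10.0.1.9 tcp dport=443 flags=A
"""

# ICMP query types behind -PE, -PP and -PM respectively.
ICMP_PROBES = {"8": "icmp-echo (-PE)", "13": "icmp-timestamp (-PP)", "17": "icmp-mask (-PM)"}

def probe_kind(proto: str, fields: Dict[str, str], handshake_seen: bool) -> Optional[str]:
    """Name the discovery probe this packet resembles, or None if it looks benign."""
    if proto == "icmp":
        return ICMP_PROBES.get(fields.get("type", ""))
    if proto == "tcp":
        flags, port = fields.get("flags", ""), fields.get("dport", "?")
        if flags == "S":
            return f"tcp-syn (-PS) port {port}"
        if flags == "A" and not handshake_seen:   # ACK with no prior SYN = unsolicited
            return f"tcp-ack (-PA) port {port}"
    return None

def detect_sweeps(log: str, min_hosts: int = 3):
    """Map (source, probe kind) -> sorted targets for sources that probed >= min_hosts."""
    targets = defaultdict(set)
    syn_pairs = set()   # (client, server) pairs where a SYN appeared earlier in the log
    for line in log.splitlines():
        _ts, src, dst, proto, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        kind = probe_kind(proto, fields, (src, dst) in syn_pairs)
        if proto == "tcp" and "S" in fields.get("flags", ""):
            syn_pairs.add((src, dst))
        if kind:
            targets[(src, kind)].add(dst)
    return {key: sorted(v) for key, v in targets.items() if len(v) >= min_hosts}
```

With the default threshold only the echo sweep and the unsolicited-ACK sweep from 10.0.0.5 are reported; the two timestamp probes stay below it, and the handshake ACK from 10.0.0.9 is never counted.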