From charlesreid1

Main page: Nmap/Short Course

Lab: Nmap/Short Course/Lab 1


Summary and Objective

Summary:

  • Covers various Nmap techniques for host discovery beyond simple pings (-sn, -PE, -PP, -PM, -PS[ports], -PA[ports], -PU[ports], -PR).
  • Discusses target specification (CIDR, ranges, lists), excluding targets (--exclude), and inputting targets from a file (-iL).
  • Introduces basic timing templates (-T0 through -T5) and their implications.

Objective:

  • To equip students with a solid understanding of Nmap's host discovery mechanisms, enabling them to accurately identify live systems on a target network, select appropriate discovery techniques based on network conditions, and correctly define scan scopes.

Notes

What is host discovery and why is it important?

Host discovery is the initial phase in any network reconnaissance or security audit. Before you can probe for open ports, identify services, or detect vulnerabilities, you must first determine which hosts are online and responsive on the target network. Attempting to scan IP addresses that aren't active is inefficient, wastes time, and can generate unnecessary network noise, potentially alerting network defenders prematurely. Effective host discovery narrows down the scope of your subsequent, more intensive scanning efforts, making the entire process more efficient and targeted. Think of it as creating a map of active settlements before exploring each one in detail.

Ethical considerations

It's important to emphasize that Nmap, while a powerful tool for network administrators and security professionals, must only be used on networks where you have explicit, written authorization. Unauthorized scanning can be perceived as an attack and may have legal consequences.

In this course, all Nmap activities will be conducted within isolated, virtual lab environments designed for safe practice. Understanding the "rules of engagement" is as critical as understanding Nmap's syntax. We are learning these techniques for defensive purposes and authorized security assessments.

Host discovery process

Nmap doesn't just rely on a single method to determine if a host is up.

By default, for a privileged user (like root or administrator), Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request to each target. If any of these probes elicit a response, Nmap considers the host to be online.

For unprivileged users who cannot send raw packets, Nmap resorts to a TCP three-way handshake by attempting to connect to common ports (like 80 and 443). If a connection is successfully established (even if it's immediately closed), the host is marked as up. This multi-probe approach increases the chances of finding live hosts, even if some probe types are blocked by firewalls.

Default nmap behavior

When you run Nmap with a target but without specifying any scan types (like -sS or -sT), and if you don't explicitly ask for host discovery only (like with -sn), Nmap will perform host discovery and then, for live hosts, proceed to a port scan of the 1000 most common TCP ports. If you only want to perform host discovery and not port scan, the -sn option is your primary tool.

For the purposes of this lecture, we will only be performing host discovery scans, using the -sn option:

nmap -sn <target_IP_or_range>

Core nmap host discovery techniques

Here we cover the most common and effective nmap command-line options specifically for host discovery.

Ping (no port) scan

The -sn option (previously -sP in older Nmap versions, think "scan ping" or "skip port scan") tells Nmap to perform only host discovery and not to follow up with a port scan on live hosts.

This scan is extremely useful for quickly enumerating active machines on a network, perhaps as a first step in a network inventory or before launching a more detailed scan on a limited set of targets. It's generally faster than a full port scan because it doesn't try to determine the state of numerous ports on each host.

For privileged users, -sn uses the multi-probe approach mentioned earlier (ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp). For unprivileged users, it attempts TCP connections to ports 80 and 443.

# Example: Perform a ping scan against a single host
nmap -sn 192.168.1.1

# Example: Perform a ping scan against a subnet
nmap -sn 192.168.1.0/24

[Instructor: Run 'nmap -sn <your_lab_target_IP>' and show output]

Starting Nmap X.XX ( https://nmap.org ) at YYYY-MM-DD HH:MM ZONE
Host 192.168.1.1 is up (0.0020s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Vendor)
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

The output will list hosts that are "up" and may sometimes show MAC addresses if on the same Ethernet segment (due to ARP).

Ping probe

When firewalls are permissive towards ICMP (Internet Control Message Protocol), these ping probes can be very effective. However, many networks block ICMP to thwart reconnaissance.

ICMP Echo Request (-PE): This is the standard "ping" packet. If a host responds with an ICMP echo reply, it's up.

sudo nmap -PE 192.168.1.100

ICMP Timestamp Request (-PP): Some systems might block echo requests but respond to timestamp requests. Nmap sends an ICMP timestamp request (type 13) and looks for a timestamp reply (type 14).

sudo nmap -PP 192.168.1.101

ICMP Address Mask Request (-PM): Another less common ICMP query that can sometimes elicit a response when others are blocked. This type of ICMP query was designed for a host to learn its subnet mask, but these types of queries are rarely used legitimately today.

sudo nmap -PM 192.168.1.102

If -PE, -PP, or -PM are used individually with -sn, Nmap will only use that specific ICMP probe type for discovery.

If used without -sn but with port scan types, they influence the initial discovery phase before port scanning.

TCP-based probes

These types of probes are useful for situations where ICMP packets are being blocked by a firewall.

TCP SYN Ping (-PS[portlist]): Nmap sends a TCP packet with the SYN flag set to specific ports. If a host responds with a SYN/ACK (indicating the port is open or listening) or an RST (reset, indicating the port is closed), Nmap knows the host is online.

By default, if no port list is given, it uses port 80. You can specify a list: -PS22,80,443.

# TCP SYN ping to default port 80
sudo nmap -PS 192.168.1.0/24

# TCP SYN ping to ports 22 (SSH) and 3389 (RDP)
sudo nmap -PS22,3389 192.168.1.50

This method often works because firewalls are typically configured to allow inbound traffic to common public services like web servers (port 80/443).

TCP ACK Ping (-PA[portlist]): Nmap sends a TCP packet with the ACK flag set. Most modern operating systems respond to an unsolicited ACK with a TCP RST packet, regardless of whether the port is open or closed, as long as the host is up. This can be useful for discovering hosts protected by stateful firewalls that block SYN packets but let ACK packets through, because the ACK looks like part of an existing (in reality non-existent) connection.

By default, port 80 is used.

# TCP ACK ping to default port 80
sudo nmap -PA 192.168.1.0/24

# TCP ACK ping to port 21 (FTP)
sudo nmap -PA21 192.168.1.55

The key takeaway is that receiving an RST packet in response to an ACK probe indicates the host is alive. If there's no response, the host is either down or the firewall is dropping the probe.

UDP pings

This method sends a UDP packet to the specified ports (or port 40125 by default). If the target port is closed, the host should respond with an ICMP port unreachable error, indicating it's alive. If the port is open, Nmap might not get a response, or it might get a UDP response if it's a known service. The lack of response can make UDP scans less reliable for host discovery alone, but it's valuable when specifically targeting UDP services or when other probes fail.

# UDP ping to default port 40125
sudo nmap -PU 192.168.1.0/24

# UDP ping to common UDP ports 53 (DNS) and 161 (SNMP)
sudo nmap -PU53,161 192.168.1.60

ARP scans of the local network

When you are on the same Ethernet LAN (local area network) as your targets, an ARP scan is the fastest and most reliable way to discover hosts. Nmap sends ARP requests to all target IP addresses on the LAN, and hosts that are up will reply with their MAC addresses. Operating systems typically cannot disable ARP responses for hosts on the same link, which makes this very effective locally. Nmap automatically uses ARP scan for targets on the same subnet if run by a privileged user, unless explicitly told otherwise (e.g., with --send-ip).

# ARP scan on the local network (often automatically used if applicable)
sudo nmap -PR 192.168.1.0/24

[Instructor: Run 'sudo nmap -PR <your_local_lab_subnet_CIDR>' and show output]

Starting Nmap X.XX ( https://nmap.org ) at YYYY-MM-DD HH:MM ZONE
Host 192.168.1.1 is up (0.00050s latency).
MAC Address: AA:BB:CC:DD:EE:FF (Realtek Semiconductor)
Host 192.168.1.10 is up (0.00080s latency).
MAC Address: 11:22:33:44:55:66 (VMware)
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.10 seconds

Note: -PR is implied when using -sn on a local Ethernet network as a privileged user.

Target Specification & Initial Sweep Strategies

Defining Scan Targets Accurately

Nmap offers flexible ways to define the scope of your scan, which is crucial for both efficiency and ensuring you are only scanning authorized targets.

Single IP Address or Hostname: The simplest form. Nmap will resolve hostnames via DNS if provided.

nmap 192.168.1.1
nmap scanme.nmap.org

CIDR Notation: Classless Inter-Domain Routing notation is a common way to specify network blocks, e.g., 192.168.1.0/24 represents all 256 IPs from 192.168.1.0 to 192.168.1.255.

nmap -sn 192.168.1.0/24
nmap -sn 10.0.0.0/8

Ranges and Lists: You can specify octet ranges or comma-separated lists.

nmap -sn 192.168.1.1-100        # Scans 192.168.1.1 through 192.168.1.100
nmap -sn 192.168.1.1,2,10,50    # Scans specific IPs
nmap -sn 192.168.1,2,3.1-254    # Scans .1 through .254 for 192.168.1.x, .2.x, and .3.x

Input from a File (-iL <filename>): For large numbers of targets or irregularly spaced targets, you can list them in a file (one target per line) and feed it to Nmap.

# targets.txt might contain:
# 192.168.1.5
# company-server.com
# 10.10.0.0/28
nmap -sn -iL targets.txt

Excluding Targets

Sometimes you need to scan a large range but explicitly exclude certain sensitive hosts or known friendly systems.

# Scan the /24 range but exclude .1 and .100
nmap -sn 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.100

# Exclude targets listed in a file
nmap -sn 192.168.1.0/24 --exclude-file dontscan.txt

This is crucial for avoiding accidental scans on critical infrastructure or out-of-scope systems during an engagement.
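To make the scope rules above concrete, here is an added shell example (written for these notes, not part of the course material and not Nmap's own target parser). It expands an octet-range/list target specification of the kind shown above, removes an exclude list, and writes what is left as a file suitable for -iL. It handles only dotted-quad ranges and comma lists (CIDR is left to Nmap) and sends no packets, so it serves as a dry run for checking what an engagement's scope actually contains before any scan is launched. The spec and exclude values in the demo are constructed lab addresses.

```shell
#!/bin/sh
# Added example: dry-run expansion of an Nmap-style target spec plus an
# exclude list. Simplified re-implementation for illustration only, not
# Nmap's own parser; supports "a.b.c.d" where each octet is a number, a
# range "x-y", or a comma list of those (CIDR is not handled).

# expand_spec SPEC: print every IPv4 address covered by SPEC, one per line.
expand_spec() {
    printf '%s\n' "$1" | awk -F. '
        # octet_values(spec, out): fill out[1..n] with the numbers covered by
        # one octet spec such as "1-3" or "1,5,10-12"; returns n.
        function octet_values(spec, out,   n, i, items, r, lo, hi, v, k) {
            k = 0
            n = split(spec, items, ",")
            for (i = 1; i <= n; i++) {
                if (split(items[i], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = items[i] + 0; hi = lo }
                for (v = lo; v <= hi; v++) out[++k] = v
            }
            return k
        }
        NF == 4 {
            na = octet_values($1, a); nb = octet_values($2, b)
            nc = octet_values($3, c); nd = octet_values($4, d)
            for (i = 1; i <= na; i++) for (j = 1; j <= nb; j++)
                for (k = 1; k <= nc; k++) for (l = 1; l <= nd; l++)
                    print a[i] "." b[j] "." c[k] "." d[l]
        }'
}

# apply_exclude EXCLUDES: read addresses on stdin and drop any that appear in
# the comma-separated EXCLUDES list (exact match, one address per entry).
apply_exclude() {
    awk -v ex="$1" '
        BEGIN { n = split(ex, e, ","); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        !($0 in skip)'
}

# build_scope SPEC EXCLUDES: the in-scope address list after exclusions.
build_scope() {
    expand_spec "$1" | apply_exclude "$2"
}

# scope_size SPEC EXCLUDES: how many addresses a sweep would actually touch.
scope_size() {
    build_scope "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo (constructed lab addresses): write the scope to a file
# that a later "nmap -sn -iL scope.txt" can consume.
if [ "${1:-}" = "demo" ]; then
    build_scope "192.168.1.1-10" "192.168.1.1,192.168.1.5" > scope.txt
    echo "addresses in scope: $(scope_size "192.168.1.1-10" "192.168.1.1,192.168.1.5")"
    cat scope.txt
fi
```

Run it as `sh scope.sh demo` to see the expanded list; comparing `scope_size` against the count you expect from the engagement's scope document is a quick way to catch a typo in a range before it turns into an out-of-scope scan.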

Choosing the Right Discovery Method & Basic Timing

The best discovery method depends on your network position and the target environment. On a local LAN, -PR (often automatic with -sn) is best. For external networks, -PS (e.g., -PS80,443,8080) or -PA might be more effective than ICMP-based probes if firewalls are restrictive. If you know nothing, Nmap's default multi-probe approach with -sn is a good start.

Nmap offers timing templates (-T<0-5>) that control aggressiveness:

  • -T0 (paranoid) and -T1 (sneaky): Very slow, used for IDS evasion (less relevant for basic host discovery usually).
  • -T2 (polite): Slows down to consume less bandwidth and target resources.
  • -T3 (normal): Default behavior.
  • -T4 (aggressive): Speeds up scans, assuming a reasonably fast and reliable network. Good for quick sweeps when stealth isn't a primary concern.
  • -T5 (insane): Very aggressive; may sacrifice accuracy for speed and can overwhelm networks or targets.

For initial sweeps, -T4 is often a good balance if you are not worried about detection.

# Aggressive host discovery sweep of a subnet
nmap -sn -T4 192.168.1.0/24

-T4 can still be noisy, and should be used judiciously on production networks.

Interpreting Results & Next Steps

When Nmap reports "Host is up," it means one of its discovery probes received a positive response. If a host doesn't appear in the "up" list, it means Nmap received no replies from that IP address using the chosen discovery methods. This doesn't always mean the host is offline. It could be protected by a very restrictive firewall that drops all probe types, it might be configured not to respond, or there could be network issues. For example, a host might only respond to TCP SYN packets on an obscure port not probed by default.


Common issues and troubleshooting:

  • Firewalls: The most common reason for hosts not appearing. Stateful firewalls can block SYN packets to non-listening ports, and stateless firewalls or packet filters might block specific probe types like ICMP.
  • Host-based Protection: Personal firewalls on endpoints (like Windows Firewall or iptables on Linux) can also block probes.
  • Network Configuration: Incorrect network masks or routing issues can prevent probes from reaching the target or replies from returning.
  • Nmap Privileges: Remember that unprivileged users have limited discovery options (typically only TCP connect to ports 80/443). Running as a privileged user (e.g., sudo nmap ...) enables raw packet sending and more discovery techniques.

Next Steps: From Discovery to Deeper Scans

Once you have a list of live hosts, the next logical step in a network assessment is typically port scanning to identify which services are running on those active machines. The output from nmap -sn -oG - (grepable output to stdout) can be easily parsed to extract live IPs, which can then be fed into another Nmap command for port scanning. For example, students will learn to take their list of discovered hosts and then perform targeted port scans on them in the upcoming lectures. This phased approach is efficient and organized.
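The hand-off described above, as an added shell example (written for these notes, not part of the course material): it takes grepable (-oG) host-discovery output, keeps only the hosts reported as Up, and writes them to a file that the port-scanning phase can consume with -iL. The grepable output embedded in the script is constructed to resemble a -sn sweep of a lab /24 (placeholder hostnames and counts), so the script runs without Nmap installed; the `nmap -sn -oG -` command that would normally produce it is shown in a comment but not executed.

```shell
#!/bin/sh
# Added example: turn "nmap -sn -oG -" output into an -iL target list.
# The grepable output below is CONSTRUCTED to look like a -sn sweep of a
# lab /24; hostnames are placeholders. Real Nmap output separates the
# "Host:" and "Status:" fields with a tab; awk splits on tabs or spaces,
# so either form parses the same way.
SAMPLE_GREPABLE='# Nmap X.XX scan initiated YYYY-MM-DD HH:MM ZONE as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (gateway.lab)   Status: Up
Host: 192.168.1.10 ()   Status: Up
Host: 192.168.1.20 ()   Status: Down
Host: 192.168.1.100 (fileserver.lab)   Status: Up
# Nmap done at YYYY-MM-DD HH:MM ZONE -- 256 IP addresses (3 hosts up) scanned in 2.10 seconds'

# live_hosts: read grepable output on stdin and print one IP per line for
# every "Host:" record whose Status is Up. Comment lines ("# Nmap ...") and
# Down hosts are dropped; the hostname in parentheses is ignored.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# count_up: number of live hosts in grepable output on stdin, handy as a
# sanity check against the "(N hosts up)" summary line Nmap prints.
count_up() {
    live_hosts | wc -l | tr -d ' '
}

# write_targets FILE: save the live IPs so the port-scan phase can run
# "nmap -iL FILE" instead of re-sweeping the whole range.
write_targets() {
    live_hosts > "$1"
}

# Stand-alone demo. In a real workflow the first command would be:
#   sudo nmap -sn -oG - 192.168.1.0/24 | tee discovery.gnmap
# Here the constructed sample stands in for that output.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_GREPABLE" > discovery.gnmap
    write_targets live.txt < discovery.gnmap
    echo "live hosts: $(count_up < discovery.gnmap)"
    cat live.txt
    echo "next step (not run here): nmap -sS -iL live.txt"
fi
```

Run it as `sh extract_live.sh demo`. Keeping the raw `discovery.gnmap` alongside `live.txt` preserves a record of exactly which discovery probes produced the list, which matters when a host later turns out to have been missed because it answered none of the probe types used.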

Lab

Lab Activities: Perform initial host discovery sweeps across segments of the Corporate Network (Scenario 1), the perimeter of the ICS network (Scenario 2), and the defined scope of the Web/Cloud Infrastructure (Scenario 3).

Nmap/Short Course/Lab 1
