This tutorial will focus on a key Nmap usage, i.e., host discovery and host discovery methodology. It is good to note that this is not a beginner’s guide to working with Nmap or Information gathering methodology in Penetration testing.
What is Host Discovery
The Nmap host discovery process refers to network hosts’ enumeration to gather information about them to build an attack plan in pen-testing.
During host discovery, Nmap uses elements like Ping and a built-in script to lookup Operating Systems, ports, and running services using TCP and UDP protocols. If specified, you can enable the Nmap scripting engine that uses various scripts to lookup vulnerabilities against the host.
The host discovery process employed by Nmap utilizes raw ICMP packets. These packets can be disabled or filtered by firewalls (rarely) and very cautious sys administrators. However, Nmap provides us with a stealth scan, as we will see in this tutorial.
Let us get started.
Network Discovery
Without wasting too much time, let us examine various methods to perform host discovery and overcome various limitations caused by network security devices such as firewalls.
1: Classic ICMP ping
You can perform host discovery with a simple ICMP echo request where the host replies with an ICMP echo reply.
To send an ICMP echo request with Nmap, enter the command:
The output will resemble as shown below:
scan report for 192.168.0.16
Host is up (0.11s latency).
MAC Address: EC:08:6B:18:11:D4 (Tp-link Technologies)
Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds
In the above command, we tell Nmap to send a ping echo (-PE) request to the target. If it receives an ICMP reply, then the host is up.
Below is a Wireshark screenshot of the nmap -sn -PE command:
Consider the resource provided below to learn more about ICMP protocol.
NOTE: ICMP echo requests are unreliable and do not draw a conclusion based on the response. For example, consider the same request to Microsoft.com
The output will be as shown below:
If it is really up, but blocking our ping probes, try -Pn
Nmap done:
1 IP address (0 hosts up) scanned in 2.51 seconds
Here’s a screenshot for Wireshark analysis:
2: TCP SYN Ping
Another method of host discovery is to use a Nmap TCP SYN ping scan. If you are familiar with the three handshakes TCP SYN/ACK, Nmap borrows from the technology and sends a request to various ports to determine if the host is up or using permissive filters.
If we tell Nmap to use SYN ping, it sends the packet to the target port, and if the host is up, it responds with an ACK packet. If the host is down, it responds with an RST packet.
Use the command as shown below to run an SYN ping request.
The response from this command should indicate whether the host is up or down. The following is a Wireshark filter of the request.
NOTE: We use the -PS to specify that we want to use the TCP SYN ping request, which can be a more efficient method than raw ICMP packets. The following is a Nmap request of Microsoft.com using TCP SYN.
The output is shown below:
Nmap scan report for microsoft.com (104.215.148.63)
Host is up (0.29s latency).
Other addresses for microsoft.com (not scanned): 40.112.72.205 13.77.161.179 40.113.200.201 40.76.4.15
Nmap done:
1 IP address (1 host up) scanned in 1.08 seconds
3: TCP ACK Ping
The TCP ACK ping method is a child of the SYN ping request. It works similarly but instead uses the ACK packet. In this method, NMAP tries something clever.
It starts by sending an empty TCP ACK packet to the host. If the host is offline, the packet should not get any response. If online, the host will respond with an RST packet indicating that the host is up.
If you are not familiar with the RST (reset packet), it’s the packet sent after the receipt of an unexpected TCP packet. Since the ACK packet Nmap sends is not a response to SYN, the host has to return an RST packet.
To initialize a Nmap ACK ping, use the command as:
Given output below:
Nmap scan report for 192.168.0.16
Host is up (0.15s latency).
MAC Address: EC:08:6B:18:11:D4 (Tp-link Technologies)
Nmap done:
1 IP address (1 host up) scanned in 0.49 seconds
4: UDP Ping
Let us talk about another option for host discovery in Nmap, i.e., UDP ping.
UDP ping works by sending UDP packets to the specified ports of the target host. If the host is online, the UDP packet might encounter a closed port and respond with an ICMP port unreachable message. If the host is down, the prompt will be various ICMP error messages such as TTL exceeded or no response.
The default port for UDP ping is 40, 125. The UDP ping is a good technique to use when performing host discovery for hosts behind a firewall and filters. That’s because most Firewalls look for and block TCP but allow UDP protocol traffic.
To run Nmap host discovery with UDP ping, use the command below:
The output from the above command is examinable using Wireshark, as shown in the screenshot below. Wireshark filter used – udp.port == 40125
As you can see in the above screenshot, Nmap sends a UDP ping to the IP 45.33.32.156 (scanme.nmap.org). The server responds with ICMP unreachable, which indicates that the host is up.
5: ARP Ping
We cannot forget the ARP ping method that works very well for host discovery within Local Networks. The ARP ping method works by sending a series of ARP probes to the given IP address range and discovers live hosts. ARP ping is fast and very reliable.
To run an ARP ping using Nmap, use the command:
If you examine the command with Wireshark and filter ARP from source 192.168.0.30, you will get a screenshot of ARP Broadcast probe requests as shown below. Wireshark filter used is: arp.src.proto_ipv4 == 192.168.0.30
TCP SYN Stealth
You will discover that SYN scan is a good option for host discovery because it is fast and can scan a series of ports in seconds, provided security systems such as firewalls do not interfere. SYN is also very powerful and stealthy as it works by incomplete TCP requests.
I will not go into the details of how TCP SYN/ACK works, but you can learn more about it from the various resources provided below:
- https://linkfy.to/tcpWiki
- https://linkfy.to/3-way-handshake-explained
- https://linkfy.to/3-way-anantomy
To run Nmap TCP SYN stealth scan, use the command:
I have provided a Wireshark capture of the Nmap -sS command and the Nmap finds of the scan, examine them and see how it works. Look for incomplete TCP requests with the RST packet.
Conclusion
To recap, we have focused on discussing how to use the Nmap host discovery feature and get information about the specified host. We also discussed which method to use when you need to perform host-discovery for hosts behind firewalls, blocking ICMP ping requests, and much more.
Explore Nmap to gain deeper knowledge.