Nmap – Host Discovery

Host Discovery

You will recall I hope this statement from Part 1

In its simplest form it is an advanced IP Scanner, much like the Windows utility of the same name and others you may know such as Angry IP Scanner.

If you read that you’d be forgiven for thinking this is the place to start .

nmap <ip address>

But if you do this you’ll send at least one SYN packet to the default port selection on the host you’ve scanned and as you can see in this image from Wireshark, you could be sending more than one.

Wireshark capture showing SYN based port scan

On my lab network at home it took 760 seconds to scan a single host, which isn’t very efficient if you just want to see whats live on your network.

You need to be specific with Nmap. The Nmap online manual advises that the dafult port range consist of 100 ports [3]

Tell it what YOU want it to do and what YOU want it to scan. To do a simple ping based IP scan to see if a host or hosts are up, you have to tell it to ignore the port scanning by explicitly asking it to only do host enumeration.

In the help screen we have this switch

-sn: Ping Scan - disable port scan

So the command we need to run a simple host discovery scan using ICMP ping would be:

nmap -sn

You can see the result of this scan in this Wireshark capture.

Wireshark capture of the previously Nmap scan

If you want to scan a number of endpoints you can do so by IP addresses or by hostnames. Using hostnames requires accessible and working DNS.

To list a range of IP addresses you have some choices. You can use the slash CIDR notation, you can list individual addresses separated by spaces, you can list blocks of IP addresses using a hyphen, and separate multiple blocks by space, or you can import a list of targets.

nmap -sn
nmap -sn
nmap -sn 192.168.1-10
nmap -sn -iL <filename>

TCP Scans

Often ICMP ping scans are blocked by firewalls, even windows client firewall blocks ICMP by default now. We need to try something else to try and discover hosts that might be up. Nmap can attempt to connect to hosts using the TCP handshake we discussed in part 1 and I hope you’ll see why I did that primer post on TCP first.

So to get Nmap to do a TCP connection to our host and tell us if it is accepted and completed we have this switch listed in the help

  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

The obvious choice from this is something along these lines:

nmap -sT

Remember I said earlier that you have to tell Nmap EXACTLY what you want it to do, well here we told it to go and try to connect to the host at using a full TCP handshake. That is what it will try to do, but it will try to do it using its default setting and on its default ports. We already established that there are 1000 ports by default, so we maybe need to reduce this to a smaller number.

There are as number of options to reduce the number of ports we try to connect to. Lets refer back to the help screen.

  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>

We can choose our own port range using

 -p <port ranges>: Only scan specified ports

We can select “Fast” mode which reduce the default number from 1000 to 100

 -F: Fast mode - Scan fewer ports than the default scan

Let’s have a look at how they look in the terminal.

Image showing comparison Nmap scans using -F switch

In a simple test here we can see that a fast scan using -F against a single target, with no firewall between the scanning machine and the target machine is almost twice as fast using the smaller number of ports (0.27 seconds vs 1.67 seconds). This is fine if all you are doing is host discovery i.e. you are just looking for hosts that are up and there are no firewalls in between.

If we are looking for machines we could choose to manually select some common ports to connect to, maybe things like Telnet (21), SSH (22), HTTP (80), SMB (139,445), RPC (135) and even RDP (3389)…

Image showing Nmap scan command line with selected ports plus the output of the command.

The fact that the target responds shows us it is up and answering requests. So we can do the same now on a range to see what answers.

So we have established that we can discover hosts using ICMP or TCP and that we can reduce the number of ports we scan or attempt to connect to by using the -F switch or by scanning known and common ports explicitly

One final thing before we leave host discovery, we don’t actually need to make a full TCP connection to establish if a port or ports are open/available to us. Remember that the handshake is just to make sure we have someone listening and that we aren’t sending data blindly. Once you have asked if they are listening and they’ve answered you, you know they are there.

Just as we started the conversation in part 1 we can ask if they are available to talk to us and then change our minds. Do you remember how we did that in the TCP handshake?

We did it by sending a SYN packet, so we can just send a SYN packet, if they answer we can assume they are listening, we then reset the request with an RST packet. Based on the port that the request is on we can make a good guess at the protocol that is in use (there is more we can get but we’ll do that in another section)

So how do we start a scan using just a SYN packet?

  -**sS**/sT/sA/sW/sM: TCP **SYN/**Connect()/ACK/Window/Maimon scans

we just simply tell it to by replacing the T with an S

nmap -sS -F
Image showing the Nmap command line syntax for a SYN only scan plus the result

Some people call the SYN scan a Stealth scan. This is what the Nmap online manaual has to say about that:

SYN scan has long been called the stealth scan because it is subtler than TCP connect scan (discussed next), which was the most common scan type before Nmap was released. Despite that moniker, don’t count on a default SYN scan slipping undetected through sensitive networks. Widely deployed intrusion detection systems and even personal firewalls are quite capable of detecting default SYN scans.

Logs often only contain completed connections, but IPS, IDS and more modern Firewalls will all now see the SYN scan as potentially malicious and so ti is a lot less stealthy

So that is simple host discovery using Nmap and both ICMP and TCP


[3] Nmap Online Manual (Port Specification and Scan Order)

[4] Nmap Online Manual SYN (Stealth) Scan

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.