Nmap - Host Discovery Techniques


Let's dig into Nmap's host discovery options. A penetration tester (or an attacker) is looking for live hosts with reachable services on the network, because those are the systems that can be probed further and possibly compromised.

Host discovery takes the IP ranges, domains and subdomains collected in the earlier information-gathering stages and tells you which addresses are actually live and which services answer on them. This narrows the list down to the active hosts, so the much slower port scans and service enumeration that follow are spent only on systems that exist.

Nmap's discovery probes are designed to elicit a response that proves an IP address is really in use.
Alert: run Nmap as root, or prefix every Nmap command with sudo. The raw-packet probes (ICMP, TCP SYN/ACK, ARP) need raw socket privileges; as an unprivileged user Nmap silently falls back to a TCP connect() to ports 80 and 443 only, so discovery is noticeably less reliable.

If no host discovery options are given, a privileged scan sends the following probes to each target:
  • ICMP echo request (ping).
  • TCP SYN packet to port 443.
  • TCP ACK packet to port 80.
  • ICMP timestamp request.
A SYN/ACK or RST to either TCP probe, or either ICMP reply, is enough to mark the host as up. On a directly connected Ethernet segment Nmap uses ARP requests instead, which are faster and more reliable because a host cannot refuse ARP and still communicate on the LAN; --disable-arp-ping or --send-ip forces the IP-level probes.

First things first, you can use the help command for Nmap by typing nmap -h


List Scan (-sL) 

  • The least intrusive form of discovery: Nmap sends no packets to the targets at all.
  • It lists every IP address in the target specification and, unless -n is given, does a reverse DNS lookup on each one to learn its name.
  • Useful as a sanity check that you typed the right range before scanning, and the PTR names alone often reveal a host's role (mail, vpn, printer, backup).
  • Add the switch at the beginning or at the end of the command. It does not take a value. 
nmap <IP> -sL
  • Example: 
nmap 10.0.1.0/24 -sL OR nmap -sL 10.0.1.0/24

Ping Scan (-sn)

  • As the name suggests, it runs only the host discovery stage (the default probes above, or ARP on a local Ethernet) and reports which hosts responded.
  • It does not port scan: Nmap stops after discovery and prints only the available hosts, i.e. those that answered the discovery probes.
  • It is the quickest way to get a list of live hosts, and it can be combined with the -P* options below to choose which probes are sent.
  • In older Nmap versions this option was called -sP.
  • Add the switch at the beginning or at the end of the command. It does not take a value.
nmap <IP> -sn
  • Example: 
nmap 10.0.2.0/24 -sn OR nmap -sn 10.0.2.0/24

Treat all the hosts as online (-Pn)

  • As the name suggests, every target IP is treated as online and Nmap runs the requested scan (port scan, version detection, scripts) against each one without sending any discovery probes.
  • So, essentially, this skips the discovery stage but still does the scan.
  • Use it when hosts block the discovery probes (a firewall that drops ICMP and only answers on a few ports) and would otherwise be wrongly reported as down and never scanned.
  • It does not make the scan faster. Because unresponsive addresses are now port-scanned as well, and every probe to a dead IP has to time out, a -Pn scan of a large range is usually far slower than discovery followed by a scan of the responders.
  • Add the switch at the beginning or at the end of the command. It does not take a value.
nmap <IP> -Pn
  • Example:
nmap 10.0.3.0/24 -Pn OR nmap -Pn 10.0.3.0/24

Discovery to Given Ports

  • These options choose which type of discovery probe is sent. They are host discovery probes, not a port scan; add -sn if you want Nmap to stop after discovery.
  • -PS => TCP SYN (a SYN/ACK or RST reply means the host is up; default port 80)
  • -PA => TCP ACK (a RST reply means the host is up; default port 80; often gets through stateless firewalls that only block SYN packets)
  • -PU => UDP (an ICMP port unreachable, or any UDP reply, means the host is up; default port 40125, deliberately chosen to be closed)
  • -PY => SCTP INIT (an INIT-ACK or ABORT means the host is up; default port 80)
  • You can also give specific ports: append a comma-separated list, with no space between the option and the ports (ranges such as 1-1000 work too). Several -P* options can be combined in one command. 
nmap <IP> -PS/PA/PU/PY[port_numbers]
  • Examples:
    • nmap 10.0.3.0/24 -PS80,443 -PU53 (sends a TCP SYN to ports 80 and 443 and a UDP probe to port 53 on every host in the range; any host that answers is then port-scanned, unless -sn is also given)
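The workflow the sections above describe (discovery with several probe types, then a port scan of only the responders) as an added shell example; this is not code from the original post, and the target range, probe ports and file names are assumptions for illustration. The nmap invocations are wrapped in functions and not executed when the file is sourced, because they need nmap and root; the grepable-output parser is exercised against a constructed sample instead.

```shell
# Added example (not from the original post): two-stage host discovery, then a
# port scan of only the hosts that answered. Range, ports and file names are
# assumptions for illustration.

# Stage 1: discovery only (-sn), no rDNS (-n), grepable output to stdout (-oG -).
# ICMP echo, ICMP timestamp, TCP SYN to 22/80/443, TCP ACK to 80 and UDP to 53
# are all sent, so a host that drops echo requests can still be found by another
# probe. Raw probes need root, hence sudo. Nothing runs until you call this.
discover() {
    target="$1"
    sudo nmap -sn -n -PE -PP -PS22,80,443 -PA80 -PU53 -oG - "$target"
}

# Pull the IP addresses of hosts reported "Up" from grepable output on stdin.
# A grepable ping-scan line looks like:   Host: 10.0.2.15 ()   Status: Up
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Stage 2: full TCP SYN port scan of the live hosts only. -Pn is appropriate
# here because discovery has already been done and the list holds only
# responders; -iL reads targets from a file, -oA saves normal/grepable/XML output.
scan_live() {
    listfile="$1"
    sudo nmap -Pn -n -sS -p- -iL "$listfile" -oA live-ports
}

# End-to-end run (requires nmap and root):   run_workflow 10.0.2.0/24
run_workflow() {
    discover "$1" | live_hosts > live.txt
    echo "live hosts found: $(wc -l < live.txt | tr -d ' ')"
    scan_live live.txt
}

# Constructed sample of grepable output (not real scan results), used to try
# live_hosts offline:   printf '%s\n' "$SAMPLE_OG" | live_hosts
SAMPLE_OG='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.2.1 ()   Status: Up
Host: 10.0.2.15 ()  Status: Up
Host: 10.0.2.20 ()  Status: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned'
```

Splitting the two stages keeps the expensive -p- scan off dead addresses, and saving the live list to a file means a later -sV or script scan can reuse it with -iL without repeating discovery.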


IP Protocol Ping (-PO)

  • Sends raw IP packets with the given protocol numbers in the IP header; a reply using the same protocol, or an ICMP protocol unreachable error, marks the host as up.
  • The default is 1,2,4, which is ICMP, IGMP and IP-in-IP respectively.
nmap <IP> -PO1,2,4

Specify Custom DNS Servers (--dns-servers)

  • The option is spelled --dns-servers and takes a comma-separated list of server IP addresses; by default Nmap takes the servers from /etc/resolv.conf (or the Windows registry).
  • The listed servers are used for Nmap's reverse DNS lookups of the target IPs. The option is ignored when --system-dns is given.
  • Can be used to point Nmap at a public resolver (for example Google's 8.8.8.8) or at one you run yourself.
  • Pointing it at the target network's own DNS server, often the router, is especially helpful: that server usually holds PTR records for the internal devices that public resolvers know nothing about, so you learn the names of the devices on their network.
nmap <IP> --dns-servers <IP[,IP...]>
  • Example (using the router's IP):
nmap 10.0.4.0/24 --dns-servers 10.0.2.1

ARP Scan (-PR)

  • Only works on the local Ethernet segment, where it is the fastest and most reliable discovery method: a host must answer ARP to talk on the LAN at all, so it cannot hide behind a host firewall the way it can from ICMP or TCP probes.
  • When run as root against a directly connected network Nmap uses ARP discovery automatically, even if other -P* options are given; --disable-arp-ping or --send-ip turns this off.
  • The replies also give you each host's MAC address and, where the OUI is known, the NIC vendor.
nmap <IP> -PR

ICMP Ping Types

  • -PE => ICMP echo: Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts. This is the classic ping and the probe most often filtered at the perimeter.
  • -PP => ICMP timestamp request (type 13), expecting a timestamp reply (type 14).
  • -PM => ICMP address mask request (type 17), expecting a mask reply (type 18).
  • The timestamp and netmask probes are worth trying when echo is blocked: firewall rules that drop type 8 frequently leave the other two alone.
nmap <IP> -PE/PP/PM
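When a network filters some probes and not others, the useful question is which probe each host actually answered; Nmap's --reason option prints that on the "Host is up" line. The following added shell example (not code from the original post) parses that normal output and tallies the reply types, so you can keep the probes that work on a given network and drop the rest. The probe set in the comment and the sample output are constructed assumptions.

```shell
# Added example (not from the original post): attribute each live host to the
# discovery probe it answered, using Nmap's normal output with --reason.
# With --reason the per-host line reads, for example,
#   Host is up, received echo-reply ttl 64 (0.0010s latency).
# so awk field 5 is the reply type (echo-reply, timestamp-reply, syn-ack,
# reset, arp-response, udp-response, port-unreach, ...).

# Produce the input with something like (needs nmap and root; range is an assumption):
#   sudo nmap -sn --reason -PE -PP -PM -PS443 -PA80 -PU53 10.0.2.0/24 > discovery.txt
# Then:   probe_reasons < discovery.txt      or      reason_tally < discovery.txt

# Print "<ip> <reply-type>" for every host reported up.
probe_reasons() {
    awk '
        # The last field is the IP, wrapped in parentheses when a name was resolved.
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }
        /^Host is up, received /  { print ip, $5 }
    '
}

# Count how often each reply type occurred, most common first.
reason_tally() {
    probe_reasons | awk '{ n[$2]++ } END { for (r in n) print n[r], r }' | sort -rn
}

# Constructed sample of normal output (not real scan results), with one host
# shown with a resolved name to cover both "scan report" line forms.
# Try:   printf '%s\n' "$SAMPLE_NMAP" | reason_tally
SAMPLE_NMAP='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for 10.0.2.1
Host is up, received arp-response (0.00031s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for 10.0.2.15
Host is up, received syn-ack ttl 64 (0.0012s latency).
Nmap scan report for gw.lan (10.0.2.40)
Host is up, received timestamp-reply ttl 128 (0.0020s latency).
Nmap scan report for 10.0.2.41
Host is up, received syn-ack ttl 64 (0.0015s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.50 seconds'
```

A tally dominated by arp-response means you were on the local segment and the IP-level probes were never needed; one dominated by syn-ack or timestamp-reply with no echo-reply at all tells you echo requests are filtered, and a second pass across other subnets can drop -PE in favour of the probes that got through.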

Trace path to host (--traceroute)

  • Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target.
  • Traceroute works by sending packets with a low TTL (time-to-live) in an attempt to elicit ICMP Time Exceeded messages from intermediate hops between the scanner and the target host.
  • It works with all scan types except connect scans (-sT) and idle scans (-sI).
nmap <IP> --traceroute

No DNS Resolution (-n)

  • Tells Nmap never to do reverse DNS resolution on the active IP addresses it finds. 
  • Reverse lookups are often the slowest part of a discovery scan, so -n is the usual speed-up when you do not need host names.
nmap <IP> -n

DNS Resolution for all targets (-R)

  • Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally it resolves only the hosts found to be online; with -R the addresses that appear down are looked up as well.
nmap <IP> -R

Use System DNS resolver (--system-dns)

  • By default Nmap uses its own parallel resolver, sending queries directly to the configured DNS servers, which is much faster for large target lists.
  • Specify this option to use your operating system's resolver instead.
  • This is slower and rarely useful unless you find a bug in the Nmap parallel resolver.
nmap <IP> --system-dns

If you want to know what is going on during the scan, add the -v option, which is for verbosity. It has three levels: -v, -vv, -vvv. More v's means more verbose. If you chose a lower level, you can raise it while the scan is running by pressing v at the terminal (and lower it again with V).

Similarly, the -d option is for debugging. It has nine levels, written -d1 up to -d9 (a plain -d is -d1), and d / D adjust it at runtime. -d9 is the highest effective level and will produce thousands of lines unless you run a very simple scan with very few ports and targets.

To know the percentage of completion, press any other key (Enter is the usual choice) in the middle of the scan and Nmap prints a status line with the percentage done and an estimated time remaining. p / P toggle packet tracing and ? lists the available runtime keys.


We hope this helps. If you have any suggestions or doubts you can add a comment and we will reply as soon as possible.
