Let's dig deep into Nmap's host discovery options. A hacker, a pen-tester or
anyone else assessing a network will be looking for active hosts with open
ports that can be exploited to compromise the target.
Host discovery helps you dig deeper into the target to learn which hosts (IPs)
are active and which services are running on them, starting from the IPs,
domains and subdomains you collected in the earlier information-gathering
stages. This narrows the list of IPs and domains down to the active ones on
which we can focus.
Nmap's discovery probes are designed to elicit responses that demonstrate
that an IP address is actually in use.
If no host discovery options are selected, Nmap sends:
- ICMP echo request (ping).
- TCP SYN packet to port 443.
- TCP ACK packet to port 80.
- ICMP timestamp request.
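Seen from the defender's side, the four default probes above form a recognisable pattern: one source touching many addresses, each with an ICMP echo, an ICMP timestamp, a SYN to 443 and an ACK to 80, within a few seconds. (Nmap sends these four when it has raw-packet privileges; an unprivileged run falls back to TCP connect attempts to ports 80 and 443.) The following Python is an added example, not part of the original post or of Nmap itself; it runs over constructed flow records in a made-up field layout (ts, src, dst, proto, icmp_type, flags, dport) and flags any source whose discovery probes reached at least 20 distinct hosts inside a 60-second window. The record format and both thresholds are assumptions to adapt to your own sensor's output.

```python
"""Detect host-discovery sweeps in flow records (added example, not Nmap code).

Record fields (constructed layout, not a real tool's output):
  ts        -- epoch seconds
  src, dst  -- IPv4 addresses as strings
  proto     -- "icmp", "tcp" or "udp"
  icmp_type -- for icmp records
  flags, dport -- for tcp records (flags as a string such as "S" or "A")
"""
from collections import defaultdict

# ICMP types that the -PE / -PP / -PM style discovery probes use.
ICMP_PROBE_TYPES = {8: "icmp_echo", 13: "icmp_timestamp", 17: "icmp_netmask"}


def classify_probe(rec):
    """Return a probe label if the record looks like a discovery probe, else None."""
    if rec["proto"] == "icmp":
        return ICMP_PROBE_TYPES.get(rec.get("icmp_type"))
    if rec["proto"] == "tcp":
        # A lone SYN (-PS style) or a lone ACK (-PA style) is what a
        # discovery probe looks like; anything else is treated as normal traffic.
        if rec.get("flags") == "S":
            return "tcp_syn"
        if rec.get("flags") == "A":
            return "tcp_ack"
    return None


def find_sweeps(records, window=60, min_hosts=20):
    """Return {src: summary} for every source whose discovery probes reached
    at least `min_hosts` distinct destinations inside some `window`-second span."""
    by_src = defaultdict(list)
    for rec in records:
        label = classify_probe(rec)
        if label is not None:
            by_src[rec["src"]].append((rec["ts"], rec["dst"], label))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span is <= window seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            if len({dst for _, dst, _ in in_window}) >= min_hosts:
                sweeps[src] = {
                    "hosts": len({dst for _, dst, _ in events}),
                    "probes": sorted({label for _, _, label in events}),
                    "first": events[0][0],
                    "last": events[-1][0],
                }
                break
    return sweeps


def constructed_records():
    """Build sample records (constructed, not captured): a 30-host sweep from
    10.0.9.5 using Nmap's four default probes, plus ordinary traffic from
    two other hosts that must not be flagged."""
    recs = []
    t = 1_700_000_000
    for i in range(1, 31):  # 10.0.2.1 .. 10.0.2.30, one host per second
        dst = f"10.0.2.{i}"
        recs.append({"ts": t, "src": "10.0.9.5", "dst": dst, "proto": "icmp", "icmp_type": 8})
        recs.append({"ts": t, "src": "10.0.9.5", "dst": dst, "proto": "tcp", "flags": "S", "dport": 443})
        recs.append({"ts": t, "src": "10.0.9.5", "dst": dst, "proto": "tcp", "flags": "A", "dport": 80})
        recs.append({"ts": t, "src": "10.0.9.5", "dst": dst, "proto": "icmp", "icmp_type": 13})
        t += 1
    # Benign: a workstation pinging its gateway and opening a few web connections.
    recs.append({"ts": t, "src": "10.0.2.15", "dst": "10.0.2.1", "proto": "icmp", "icmp_type": 8})
    for port in (443, 443, 80):
        recs.append({"ts": t, "src": "10.0.2.15", "dst": "10.0.2.50", "proto": "tcp", "flags": "S", "dport": port})
    recs.append({"ts": t, "src": "10.0.2.16", "dst": "10.0.2.50", "proto": "tcp", "flags": "PA", "dport": 443})
    return recs


if __name__ == "__main__":
    for src, info in find_sweeps(constructed_records()).items():
        print(f"{src}: {info['hosts']} hosts, probes={info['probes']}, "
              f"{info['last'] - info['first']}s span")
```

The sliding window keeps a slow sweep (one host per second) from hiding behind a per-minute counter, and the mix of probe labels in the summary tells you which of the default probes the source used, which is useful when tuning the rule against scanners that only send ARP or only ICMP.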
First things first: you can see Nmap's built-in help by typing nmap -h.
List Scan (-sL)
- Least invasive type of scan.
- Does not scan the network.
- Does a reverse DNS resolution on each host to learn its name.
- Add the switch at the beginning or at the end of the command. It does not require any value.
nmap <IP> -sL
- Example (either order works):
nmap 10.0.1.0/24 -sL
nmap -sL 10.0.1.0/24
Ping Scan (-sn)
- As the name suggests, it pings hosts to find which ones are up on the network.
- Does not do a port scan.
- This tells Nmap not to run a port scan after the discovery stage and only print the available hosts, i.e. those which responded to the host discovery probes.
- Add the switch at the beginning or at the end of the command. It does not require any value.
nmap <IP> -sn
- Example (either order works):
nmap 10.0.2.0/24 -sn
nmap -sn 10.0.2.0/24
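Both -sL and -sn print one Host: line per address in Nmap's grepable output format (-oG), with the reverse-DNS name in parentheses and a Status field. The following Python is an added example, not part of the original post or of Nmap; it parses that format from a constructed sample of `nmap -sn -oG - 10.0.2.0/24` output (the lines are made up, not a real scan) and returns the live hosts in the one-per-line form that `nmap -iL <file>` reads, so a later port scan covers only the hosts that answered rather than the whole range.

```python
"""Parse Nmap grepable output (-oG) to extract discovered hosts (added example)."""
import ipaddress
import re

# Constructed sample of `nmap -sn -oG - 10.0.2.0/24` output; not a real scan.
# Real -oG output separates the fields with tabs, which is preserved here.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated Thu Jan  1 00:00:00 2024 as: nmap -sn -oG - 10.0.2.0/24\n"
    "Host: 10.0.2.1 (router.lan)\tStatus: Up\n"
    "Host: 10.0.2.15 ()\tStatus: Up\n"
    "Host: 10.0.2.200 (printer.lan)\tStatus: Down\n"
    "# Nmap done at Thu Jan  1 00:00:03 2024 -- 256 IP addresses (2 hosts up) scanned in 3.21 seconds\n"
)

# One Host: line per address: IP, reverse-DNS name in parentheses (empty if
# none), then a Status field. Port-scan runs append more tab-separated fields
# after the status, which this pattern simply ignores.
HOST_RE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Status:\s+(?P<status>\w+)"
)


def parse_grepable(text):
    """Return a list of {"ip", "name", "status"} dicts, one per Host: line."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything unexpected are skipped
        hosts.append({
            "ip": ipaddress.ip_address(m["ip"]),  # raises on a malformed address
            "name": m["name"] or None,            # "()" means no PTR record
            "status": m["status"],
        })
    return hosts


def live_hosts(text):
    """Addresses reported with Status: Up, sorted numerically."""
    return sorted(h["ip"] for h in parse_grepable(text) if h["status"] == "Up")


def targets_for_next_scan(text):
    """Render the live hosts one per line, the format `nmap -iL <file>` reads."""
    return "\n".join(str(ip) for ip in live_hosts(text)) + "\n"


if __name__ == "__main__":
    print(targets_for_next_scan(SAMPLE_OG), end="")
```

Using ipaddress objects rather than raw strings means the host list sorts and deduplicates correctly and a garbled line fails loudly instead of producing a bogus target.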
Treat all the hosts as online (-Pn)
- As the name suggests, it treats all hosts as online, i.e. Nmap attempts the requested scanning function against every target IP address.
- Essentially this means skipping the discovery stage but still doing the scan.
- Because the discovery stage is skipped, it makes the scan faster.
- Add the switch at the beginning or at the end of the command. It does not require any value.
nmap <IP> -Pn
- Example (either order works):
nmap 10.0.3.0/24 -Pn
nmap -Pn 10.0.3.0/24
Discovery to Given Ports
- Use these if you want the discovery probes to use a specific protocol:
- -PS => TCP SYN
- -PA => TCP ACK
- -PU => UDP
- -PY => SCTP
- You can also define the specific ports to probe.
nmap <IP> -PS[port_list] / -PA[port_list] / -PU[port_list] / -PY[port_list]
- Example:
nmap 10.0.3.0/24 -PS80,443 -PU53 (sends TCP SYN probes to the HTTP and HTTPS ports and a UDP probe to the DNS port for every host in the given range)
IP Protocol Ping (-PO)
- Pings using the given IP protocol numbers. The default is 1,2,4, which is ICMP, IGMP and IP-in-IP respectively.
nmap <IP> -PO1,2,4
Specify Custom DNS Servers (--dns-servers)
- Changes the DNS server used for the scan to one of your choosing.
- Reverse DNS lookups will then be sent to that server.
- Can be used to specify a different DNS server, such as a public one like Google's or one you run yourself.
- Can be used to specify the router's DNS server to learn the names of the devices in its network, which can be very helpful.
nmap <IP> --dns-servers <IP/domain_name>
- Example (using the router's IP):
nmap 10.0.4.0/24 --dns-servers 10.0.2.1
ARP Scan (-PR)
- Faster than IP-based discovery.
- The fastest way to do host discovery on the local Ethernet segment.
nmap <IP> -PR
ICMP Ping Types
- Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts.
- -PE => ICMP echo request
- -PP => ICMP timestamp request
- -PM => ICMP netmask request
nmap <IP> -PE/PP/PM
Trace path to host (--traceroute)
- Traceroutes are performed after the scan, using information from the scan results to determine the port and protocol most likely to reach the target.
- Traceroute works by sending packets with a low TTL (time-to-live) to elicit ICMP Time Exceeded messages from the intermediate hops between the scanner and the target host.
- It works with all scan types except connect scans (-sT) and idle scans (-sI).
nmap <IP> --traceroute
No DNS Resolution (-n)
- Tells Nmap never to do reverse DNS resolution on the active IP addresses it finds.
- DNS resolution can make the scan slow.
nmap <IP> -n
DNS Resolution for all targets (-R)
- Tells Nmap to always do reverse DNS resolution on the target IP addresses.
nmap <IP> -R
Use System DNS resolver (--system-dns)
- Specify this option to use your system's resolver instead of Nmap's own.
- This is slower and rarely useful unless you find a bug in Nmap's parallel resolver.
nmap <IP> --system-dns
We hope this helps. If you have any suggestions or doubts you can add a
comment and we will reply as soon as possible.