To discover the active/live hosts in the network, host discovery techniques can be used. As an ethical hacker, you must be aware of the various types of host discovery techniques.
ARP Ping Scan
The ARP ping scan sends ARP packets to find all active devices in the IPv4 range, even if their presence is masked by a restrictive firewall.
If an attacker sends ARP request probes to a target host and receives an ARP response, the host is active. If the destination host turns out to be inactive, the source host adds an incomplete entry for the destination IP to its kernel ARP table.
See also: How ARP is used for Spoofing Attacks
nmap -sn -PR <IP>
- -sn: disables the port scan so that only host discovery runs. ARP ping is the default host discovery probe in Nmap; to disable it and perform the other ping scans instead, use --disable-arp-ping.
Advantages:
- ARP ping scanning is thought to be more efficient and accurate than other host discovery methods.
- Nmap handles the ARP requests, retransmissions, and timeouts of an ARP ping scan automatically.
- ARP ping scan is useful for system discovery when scanning huge address spaces.
- ARP ping scan can show a device's response time or latency to an ARP packet.
UDP Ping Scan
UDP ping scans are similar to TCP ping scans, except that UDP packets are sent instead of TCP packets. The default port used by Nmap is 40,125, which is extremely uncommon. Attackers send UDP packets to the target host, and a UDP response indicates that the target host is active. The UDP ping scan has the advantage of finding systems behind firewalls with tight TCP filtering that let UDP traffic through. In Zenmap, the -PU option is used to perform the UDP ping scan.
TCP SYN Ping Scan
The TCP SYN ping scan probes different ports to determine whether the port is online and whether the probe runs into any firewall rule sets.
An attacker uses this approach by sending an empty TCP packet with the SYN flag set to begin the three-way handshake. The target host acknowledges with an ACK flag after receiving the SYN. When the attacker receives the ACK flag, it knows that the target host is alive and sends an RST flag to terminate the connection.
The -PS option in Zenmap is used to perform a TCP SYN ping scan.
Advantages:
- Because the machines can be scanned concurrently, the scan never encounters a time-out problem while waiting for a response.
- TCP SYN ping can be used to determine whether or not the host is active without establishing a connection. As a result, logs are not recorded at the system or network level, allowing the attacker to leave no traces for discovery.
TCP ACK Ping Scan
TCP ACK ping is similar to TCP SYN ping, with slight differences. The attacker transmits an empty TCP ACK packet to the target machine. Because there is no prior connection between the attacker and the target host, the target responds with an RST packet to terminate the request after receiving the ACK. The arrival of this RST packet at the attacker's end confirms that the host is active.
The -PA option in Zenmap is used to perform a TCP ACK ping scan.
Advantage:
Both SYN and ACK probes can be utilised together to improve the chance of getting a response through a firewall. However, because SYN ping packets are the most commonly used pinging technique, firewalls are typically set to block them. In such instances, the ACK probe can be utilised to simply bypass certain firewall rule sets.
IP Protocol Ping Scan
IP protocol ping is the newest host discovery option; it sends IP packets with any specified protocol number in the IP header. It follows the same format as TCP and UDP ping. This method sends packets using various IP protocols in the hope of receiving a response indicating that a host is online.
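The flip side of these five probe types is spotting them on the wire. The following added example (written for this post, not Nmap's or Zenmap's own code) classifies constructed traffic records into the probe types described above and flags a source that probed several distinct hosts with the same type; it relies on Nmap's documented defaults (-PS/-PA to port 80, -PU to port 40125, -PO to protocols 1, 2 and 4). The record format and sample traffic are invented for the example.

```python
from collections import defaultdict

# Nmap defaults assumed here: -PS/-PA probe port 80, -PU probes port 40125,
# -PO sends protocols 1 (ICMP), 2 (IGMP) and 4 (IP-in-IP).
UDP_PING_PORT = 40125

def classify(rec, seen_syn):
    """Return the discovery probe type a record resembles, or None for ordinary traffic."""
    proto, key = rec["proto"], (rec["src"], rec["dst"])
    if proto == "arp":
        return "arp_ping" if rec.get("op") == "request" else None
    if proto == "tcp":
        flags = set(rec.get("flags", ""))
        if flags == {"S"}:
            seen_syn.add(key)            # remember handshakes this source started
            return "tcp_syn_ping"
        if flags == {"A"} and key not in seen_syn:
            return "tcp_ack_ping"        # bare ACK with no preceding SYN from this source
        return None
    if proto == "udp":
        return "udp_ping" if rec.get("dport") == UDP_PING_PORT else None
    return "ip_proto_ping" if proto != "icmp" else None   # igmp, ipencap, ... (-PO)

def detect_sweeps(records, min_hosts=3):
    """Group probes by source; keep probe types that touched >= min_hosts distinct targets."""
    seen_syn, targets = set(), defaultdict(lambda: defaultdict(set))
    for rec in records:
        kind = classify(rec, seen_syn)
        if kind:
            targets[rec["src"]][kind].add(rec["dst"])
    return {src: {k: sorted(v) for k, v in kinds.items() if len(v) >= min_hosts}
            for src, kinds in targets.items()
            if any(len(v) >= min_hosts for v in kinds.values())}

# Constructed sample traffic (not a real capture): 10.0.0.9 sweeps the subnet with each
# probe type from the post; 10.0.0.20 makes one ordinary TCP connection to 10.0.0.5.
SAMPLE = (
    [{"src": "10.0.0.9", "dst": f"10.0.0.{i}", "proto": "arp", "op": "request"} for i in range(1, 5)]
    + [{"src": "10.0.0.9", "dst": f"10.0.0.{i}", "proto": "tcp", "dport": 80, "flags": "S"} for i in range(1, 4)]
    + [{"src": "10.0.0.9", "dst": f"10.0.0.{i}", "proto": "tcp", "dport": 80, "flags": "A"} for i in range(5, 8)]
    + [{"src": "10.0.0.9", "dst": f"10.0.0.{i}", "proto": "udp", "dport": 40125} for i in range(1, 4)]
    + [{"src": "10.0.0.9", "dst": f"10.0.0.{i}", "proto": "igmp"} for i in range(1, 3)]
    + [{"src": "10.0.0.20", "dst": "10.0.0.5", "proto": "tcp", "dport": 443, "flags": "S"},
       {"src": "10.0.0.20", "dst": "10.0.0.5", "proto": "tcp", "dport": 443, "flags": "A"}]
)

if __name__ == "__main__":
    for src, kinds in detect_sweeps(SAMPLE).items():
        for kind, hosts in kinds.items():
            print(f"{src}: {kind} against {len(hosts)} hosts ({', '.join(hosts)})")
```

The two IGMP probes stay below the three-host threshold, and 10.0.0.20's bare ACK is suppressed because its SYN was seen first, so only 10.0.0.9 is reported.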
We hope this helps. If you have any suggestions or doubts you can add a comment and we will reply as soon as possible.