Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Nmap: Network Exploration and Security Auditing Cookbook

You're reading from   Nmap: Network Exploration and Security Auditing Cookbook Network discovery and security scanning at your fingertips

Arrow left icon
Product type Paperback
Published in May 2017
Publisher
ISBN-13 9781786467454
Length 416 pages
Edition 2nd Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Paulino Calderon Paulino Calderon
Author Profile Icon Paulino Calderon
Paulino Calderon
Arrow right icon
View More author details
Toc

Table of Contents (18) Chapters Close

Preface 1. Nmap Fundamentals FREE CHAPTER 2. Network Exploration 3. Reconnaissance Tasks 4. Scanning Web Servers 5. Scanning Databases 6. Scanning Mail Servers 7. Scanning Windows Systems 8. Scanning ICS SCADA Systems 9. Optimizing Scans 10. Generating Scan Reports 11. Writing Your Own NSE Scripts 12. HTTP, HTTP Pipelining, and Web Crawling Configuration Options 13. Brute Force Password Auditing Options 14. NSE Debugging 15. Additional Output Options 16. Introduction to Lua 17. References and Additional Reading

Finding live hosts in your network

Finding live hosts in your local network is a common task among penetration testers and system administrators to enumerate active machines on a network segment. Nmap offers higher detection rates over the traditional ping utility because it sends additional probes than the traditional ICMP echo request to discover hosts.

This recipe describes how to perform a ping scan with Nmap to find live hosts in a local network.

How to do it...

Launch a ping scan against a network segment using the following command:

#nmap -sn <target>  

The results will include all the hosts that responded to any of the packets sent by Nmap during the ping scan; that is, the active machines on the specified network segment:

   Nmap scan report for 192.168.0.1 
Host is up (0.0025s latency).
MAC Address: F4:B7:E2:0A:DA:18 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.0.2
Host is up (0.0065s latency).
MAC Address: 00:18:F5:0F:AD:01 (Shenzhen Streaming Video Technology
Company Limited)
Nmap scan report for 192.168.0.3
Host is up (0.00015s latency).
MAC Address: 9C:2A:70:10:84:BF (Hon Hai Precision Ind.)
Nmap scan report for 192.168.0.8
Host is up (0.029s latency).
MAC Address: C8:02:10:39:54:D2 (LG Innotek)
Nmap scan report for 192.168.0.10
Host is up (0.0072s latency).
MAC Address: 90:F6:52:EE:77:E9 (Tp-link Technologies)
Nmap scan report for 192.168.0.11
Host is up (0.030s latency).
MAC Address: 80:D2:1D:2C:20:55 (AzureWave Technology)
Nmap scan report for 192.168.0.18
Host is up (-0.054s latency).
MAC Address: 78:31:C1:C1:9C:0A (Apple)
Nmap scan report for 192.168.0.22
Host is up (0.030s latency).
MAC Address: F0:25:B7:EB:DD:21 (Samsung Electro Mechanics)
Nmap scan report for 192.168.0.5
Host is up.
Nmap done: 256 IP addresses (9 hosts up) scanned in 27.86 seconds

Ping scans in Nmap may also identify MAC addresses and vendors if executed as a privileged user on local Ethernet networks.

How it works...

The Nmap option -sn disables port scanning, leaving the discovery phase enabled, which makes Nmap perform a ping sweep. Depending on the privileges, Nmap by default uses different techniques to achieve this task: sending a TCP SYN packet to port 443, TCP ACK packet to port 80 and ICMP echo and timestamp requests if executed as a privileged user, or a SYN packets to port 80 and 443 via the connect() syscall if executed by users who can't send raw packets. ARP/Neighbor Discovery is also enabled when scanning local Ethernet networks as privileged users. MAC addresses and vendors are identified from the ARP requests sent during the ARP/Neighbor Discovery phase.

There's more...

Nmap supports several host discovery techniques, and probes can be customized to scan hosts effectively even in the most restricted environments. It is important that we understand the internals of the supported techniques to apply them correctly. Now, let's learn more about host discovery with Nmap.

Tracing routes

Ping scans allows including trace route information of the targets. Use the Nmap option  --traceroute to trace the route from the scanning machine to the target host:

#nmap -sn --traceroute google.com microsoft.com 
Nmap scan report for google.com (216.58.193.46)
Host is up (0.16s latency).
Other addresses for google.com (not scanned):
2607:f8b0:4012:805::200e
rDNS record for 216.58.193.46: qro01s13-in-f14.1e100.net

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 1.28 ms 192.168.0.1
2 ...
3 158.85 ms 10.165.1.9
4 ... 5
6 165.50 ms 10.244.158.13
7 171.18 ms 10.162.0.254
8 175.33 ms 200.79.231.81.static.cableonline.com.mx
(200.79.231.81)
9 183.16 ms 10.19.132.97
10 218.60 ms 72.14.203.70
11 223.35 ms 209.85.240.177
12 242.60 ms 209.85.142.47
13 ...
14 234.79 ms 72.14.233.237
15 235.17 ms qro01s13-in-f14.1e100.net (216.58.193.46)
Nmap scan report for microsoft.com (23.96.52.53)
Host is up (0.27s latency).
Other addresses for microsoft.com (not scanned): 23.100.122.175
104.40.211.35 104.43.195.251 191.239.213.197
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
- Hops 1-9 are the same as for 216.58.193.46
10 183.27 ms 10.19.132.30
11 231.26 ms 206.41.108.25
12 236.77 ms ae5-0.atb-96cbe-1c.ntwk.msn.net (104.44.224.230)
13 226.22 ms be-3-0.ibr01.bn1.ntwk.msn.net (104.44.4.49)
14 226.89 ms be-1-0.ibr02.bn1.ntwk.msn.net (104.44.4.63)
15 213.92 ms be-3-0.ibr02.was05.ntwk.msn.net (104.44.4.26)
16 251.91 ms ae71-0.bl2-96c-1b.ntwk.msn.net (104.44.8.173)
17 ... 19
20 220.70 ms 23.96.52.53
Nmap done: 2 IP addresses (2 hosts up) scanned in 67.85 seconds

Running the Nmap Scripting Engine during host discovery

The Nmap Scripting Engine can be enabled during ping scans to obtain additional information. As with any other NSE script, its execution will depend on the hostrule specified. To execute a NSE script with ping scans, we simply use the Nmap option  --script <file,folder,category>, the same way as we would normally call NSE scripts with port/service detection scans:

#nmap -sn --script dns-brute websec.mx 
Nmap scan report for websec.mx (54.210.49.18)
Host is up.
rDNS record for 54.210.49.18: ec2-54-210-49-18.compute-
1.amazonaws.com

Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| ipv6.websec.mx - 54.210.49.18
| web.websec.mx - 198.58.116.134
| www.websec.mx - 54.210.49.18
|_ beta.websec.mx - 54.210.49.18

Another interesting NSE script to try when discovering live hosts in networks is the script broadcast-ping:

$ nmap -sn --script broadcast-ping 192.168.0.1/24  
Pre-scan script results:
| broadcast-ping:
| IP: 192.168.0.11 MAC: 80:d2:1d:2c:20:55
| IP: 192.168.0.18 MAC: 78:31:c1:c1:9c:0a
|_ Use --script-args=newtargets to add the results as targets

Exploring more ping scanning techniques

Nmap supports several ping scanning techniques using different protocols. For example, the default ping scan command with no arguments (nmap -sn <target>) as a privileged user internally executes  the -PS443 -PA80 -PE -PP options corresponding to TCP SYN to port 443, TCP ACK to port 80, and ICMP echo and timestamps requests.

In Chapter 2, Network Exploration, you will learn more about the following ping scanning techniques supported in Nmap:

  • -PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  • -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  • -PO [protocol list]: IP protocol ping
You have been reading a chapter from
Nmap: Network Exploration and Security Auditing Cookbook - Second Edition
Published in: May 2017
Publisher:
ISBN-13: 9781786467454
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image