NMAP Live Host Discovery

Nmap is a scanning tool for discovering which systems are up and what services are running on these systems. 

It is important to know the different approaches to enumerate a target in case firewalls are blocking some types. The different approaches that Nmap uses to discover live hosts:

  • ARP (Address Resolution Protocol) scan: This scan uses ARP requests to discover live hosts.
  • ICMP (Internet Control Message Protocol) scan: The scan uses ICMP requests to identify live hosts.
  • TCP/UDP ping scan: This scan sends packets to TCP ports and UDP ports to determine live hosts.
See below for the steps an Nmap scan usually goes through:



Subnetworks
In the below image we have four network segments or subnetworks. Subnetworks has it's own IP address range and is connected to a more extensive network via a router. There might be a firewall enforcing security policies depending on each network



The figure above shows two types of subnets:
  • Subnets with /16 , which means that the subnet mask can be written as 255.255.0.0 . This subnet can have around 65000 hosts.
  • Subnets with /24 , which indicates that the subnet mask can be expresssed as 255.255.255.0 . This subnet can have around 250 hosts.
As part of an active reconnaissance, we want to discover more information about a group of hosts of about a subnet. If we are on the same subnet, we would expect Nmap to use ARP (Address Resolution Protocol) queries to discover live hosts. An ARP query aims to get the hardware address (MAC address) so that communication over the link-later becomes possible. However, we can use this to infer that the host is online. 

If we are on Network A (using the image above), we can use ARP only to discover the devices within that subnet. If we are on a different subnet to that of the target all packets generated by our scanner will be routed via the default gateway (router) to reach systems on another subnet; however, the ARP queries wont be routed and hence cannot cross the subnet router. ARP is a link-layer protocol, thus ARP packets are bound to their subnet. 


Enumerating Targets
In order to specify the targets we want to scan, we can provide a list, a range or a subnet. For example:

  • List: MACHINE_IP scanme.nmap.org example.com will scan 3 IP addresses.
  • Range: 10.11.12.15-20 will scan the 6 IP addresses in the range specified. 
  • Subnet: MACHINE_IP/30 will scan 4 IP addresses.
We can also provide a file as input for a list of targets: nmap -iL targets.txt .

We can use nmap -sL TARGETS to receive a detailed list of hosts that Nmap will scan without actually scanning them; however, Nmap will attempt a reverse-DNS resolution on all the targets to obtain their names. Names may reveal various information us. 

Discovering Live Hosts
Let's revisit the TCP/IP layers shown in the figure next. We will leverage the protocols to discover the live hosts. Starting from bottom to top, we can use:
  • ARP from Link Layer
  • ICMP from Network Layer
  • TCP from Transport Layer
  • UDP from Transport Layer

Nmap Host Discovery Using ARP
When enumerating for hosts it is important to not waste time port-scanning an offline host or IP adress. There are various ways to discover online hosts. When no host discovery options are provided, Nmap follows the following approaches to discover live hosts:
  • When a privileged user (root or a user to can run sudo) tries to scan targets on a local network (Ethernet), Nmap will use ARP requests.
  • When a privileged user tries to can targets outside the local network, Nmap uses ICMP echo requests, TCP ACK to port 80, TCP SYN (Synchronise) to port 443 and ICMP timestamp request. 
  • When an unprivileged user tries to scan targets outside the local network, Nmap resorts to a TCP 3-way handshake by sending SYN packets to ports 80 and 443.
By default Nmap uses a ping scan to find live hosts, then proceeds to scan live hosts only. Use nmap -sn TARGETS to discover the live systems without port scanning. 

ARP scan is only possible if we are on the same subnet as the target systems. On an Ethernet (802.3) and WiFi (802.11), you need to know the MAC address of any system before you can communicate with it. The MAC address is necessary for the link-layer header; the header contains the source MAC address and the destination MAC address among other fields. To get the MAC address, the OS send an ARP query and if there is a response it means that that the host is up. The ARP query only works if the target is on the same subnet as the user scanning. If we want to Nmap scan only to perform and ARP scan without the port scanning, we use nmap -PR -sn TARGETS . To scan all live systems on the same subnet as our target machine we could use nmap -PR -sn MACHINE_IP/24


There is also arp-scan which is a scanner built around ARP queries. Vist arp-scan wiki for more information. 
 

Nmap Host Discovery Using ICMP
We can ping every IP address of a target network and see who would respond to our ping request (ICMP Type 8/Echo) with a ping reply (ICMP Type 0). However, many firewalls will block ICMP echo, including newer versions of MS Windows by default. Remember that an ARP query will precede the ICMP request if our target is on the same subnet.

The below example uses ICMP echo requests (option -PE ) and does not scan ports (option -sn


Because ICMP echo requests tend to be blocked, we can also try ICMP Timestamp or ICMP Address Mask requests to tell if a system is online. Nmap uses Timestamp request (ICMP TYPE 13) and checks whether it will get a Timestamp reply (ICMP Type 14). The below example Nmap command uses ICMP Timestamp requests (option -PP )


In order to use mask queries (ICMP Type 17) to check for a mask reply (ICMP Type 18), we can use the option -PM cde. See example below:



Nmap Host Discovery Using TCP and UDP

TCP SYN Ping
We can send a packet with the SYN flag set to a TCP port, 80 by default, and wait for a response. An open port should respond with a SYN/ACK and a closed port would result in an RST. In this case, we only check whether we will get any response to infer the host is up. The state of the port is not significant here. 

Nmap can use TCP SYN ping by using the -PS option followedd by the port number, range, list or a combination of them. For example -PS21 will target port 21 and -PS21-25 will target ports 21-25.

Privileges users (root and sudoers) can send TCP SYN packets and dont need to complete the TCP 3-way handshake even if the port is open, as shown in the image below. Unprivileged users have no choice but to complete the 3-way handshake if the port is open.


TCP ACK Ping
In order to send a packet with an ACK flag set we must be running Nmap as a privileged user else Nmap will attempt a 3-way handshake.

By default, port 80 is used. The syntax is similar to TCP, for example -PA21-25 to scan codes 21-25. If no ports are specified, port 80 will be used. 

The following figure shows that any TCP with an ACK flag should get a TCP packet with the RST flag set. The target responds with the RST flag set because the TCP packet with the ACK flag is not part of any ongoing connection. The expected response is used to detect if the target host is up. 

NOTE: We must remember to use sudo for any Nmap ACK Nmap scans. 


UDP Ping
Finally, we can use UDP Ping to discover online hosts. If we send a UDP ping to an open port, we cannot expect a response. However, if we send a UDP ping to a closed port, we expect to get a ICMP port unreachable packet. Please see the example below:


Nmap uses the -PU option to use UDP ping. The ports are selected in the same way as TCP SYN ping and TCP ACK ping. 

Using Reverse-DNS Lookup
By default, Nmap uses reverse-DNS online hosts because the hostnames can reveal a lot of helpful information. However, if we do not wish to send DNS queries, we can use -n to skip this step. 

Nmap will also look up online default hosts by default, however we can use the -R option to query the DNS server even for offline hosts. If we wish to use a specific DNS server use: --dns-servers DNS_SERVER .

Comments

Post a Comment

Popular posts from this blog

STARTUP

Image
  Startup is a TryHackMe room where there is a fictional new start up company called Spice Hut, their website is under development and they have some security concerns that they wish to test. I began by heading to the website and began manual enumeration of the site. The site had very minimal functionality, I checked the source code and found nothing of interest. There is a contact link, and I was hoping to be able to get an email address by following it, but it was empty. ' I then performed a Gobuster scan to look for any pages that I may be able to access. There is a page with the name files that is of particular interest.  Here I can see there is an FTP folder, upon opening it I can see that it is empty. I made a note of this as I may be able to upload files to it at a later stage, I then opened important.jpg which seemed to be of no particular interest, and notice.txt had the below text. I made a note of the name Maya, which could be a potential user or username in the future.
Read more

NMAP POST PORT SCANS

In this post we will talk about the steps that follow port-scanning, including service detection, OS detection, Nmap scripting engine and saving the scan results. Service Detection Once Nmap discovers open ports, they can be probed to detect running services and therefore for vulnerabilities. Adding the -sV option to an Nmap scan will collect and determine service and version information for the open ports. --version-intensity LEVEL will specify the intensity of the scan, with 0 being lowest and 9 being highest. Using -sV will force Nmap to use the TCP 3 way handshake. This is because Nmap needs to fully communicate with the target to get information and therefore cannot use the stealth scan -sS . NOTE : In order to run -sV we need root privileges.  OS Detection Nmap can detect the OS based on its behaviour and any telltale signs in its responses by using the -O option. Whilst the OS detection is very convenient, many factors affect its accuracy. In order to have an accurate
Read more

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address or domain that is ou
Read more