When we are about to attack a website, we want to know which systems are up and what services are running on those systems. Nmap can answer both questions.
In this lesson, we will learn how to answer the first question: Which systems are up?
Time to scan all our options in our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What I have learnt today?
- Stats
- Resources
Introduction to Nmap
Today’s lesson is about discovering systems that are online before port scanning. We have different approaches to discovering live hosts with Nmap:
- ARP scan: This scan uses ARP requests to discover live hosts
- ICMP scan: This scan uses ICMP requests to identify live hosts
- TCP/UDP ping scan: This scan sends packets to TCP ports and UDP ports to determine live hosts.
Released in 1997, Nmap (Network MAPper) is free, open-source software and the industry-standard tool for mapping networks, identifying live hosts and discovering running services.
This is the first of the four Nmap lessons.
What I have learnt today?
Subnetworks
A network segment is a group of computers connected using a shared medium (an Ethernet switch, a Wi-Fi access point…). In an IP network, a subnetwork is the equivalent of one or more network segments connected together through the same router. The network segment is the physical connection, and the subnetwork is the logical connection.
The subnets with /16 have around 65 thousand hosts and the subnet mask can be written as 255.255.0.0. The subnets with /24 have around 250 hosts and the subnet mask can be written as 255.255.255.0.
If we are connected to the same subnet, we can expect that our scanner uses ARP (Address Resolution Protocol) queries to discover live hosts. This query tries to get the hardware address (MAC Address) so that communication using the link layer becomes possible.
If we are in Network A, we can use ARP to discover devices within that subnet (10.1.100.0/24). ARP scans can’t go through the default gateway (router) and will fail, as ARP packets are bound to the same subnet.
Enumerating targets
When we want to scan a live target, we should specify the targets to scan (obviously). We can provide a list, a range, a subnet or a file:
- List: <TARGET_IP> scanme.nmap.org example.com will scan 3 IP addresses.
- Range: 10.11.12.15-20 will scan 6 IP addresses, from 10.11.12.15 to 10.11.12.20.
- Subnet: <TARGET_IP>/30 will scan 4 IP addresses.
- File: nmap -iL <FILENAME.txt> will scan the list of IP addresses contained in the file passed to the -iL option.
Also, nmap -sL <TARGETS> will list which IPs would be scanned, without scanning them.
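As an added example (not code from the original post or from Nmap itself), the following Python expands the target specifications above offline, the way nmap -sL lists them, so the scope and the number of addresses can be checked before any packet is sent. It generalises the range form to a range in any octet, which Nmap also accepts, and its counts also cover the /16 and /24 sizes from the Subnetworks section.

```python
import ipaddress
import itertools
import re

# Added example, not from the original post or from Nmap itself: expands
# Nmap-style target specs offline, like "nmap -sL", so the scope (and the
# number of addresses) can be checked before a single packet is sent.

_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")  # "15" or "15-20"


def expand_target(spec: str) -> list:
    """Expand one spec: CIDR (a.b.c.d/n), octet ranges (a.b.c.x-y, allowed in
    any octet) or a single address. Hostnames come back unchanged (no DNS)."""
    if "/" in spec:
        # Like Nmap, count network and broadcast addresses too: /30 -> 4
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) == 4 and all(_OCTET.match(p) for p in parts):
        ranges = []
        for p in parts:
            lo, hi = _OCTET.match(p).groups()
            lo, hi = int(lo), int(hi if hi is not None else lo)
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range in {spec!r}")
            ranges.append(range(lo, hi + 1))
        return [".".join(map(str, octets)) for octets in itertools.product(*ranges)]
    return [spec]  # hostname: left for the resolver


def list_targets(target_line: str) -> list:
    """Expand a whitespace-separated target list, de-duplicated, order kept."""
    seen = {}
    for spec in target_line.split():
        for ip in expand_target(spec):
            seen.setdefault(ip, None)
    return list(seen)


if __name__ == "__main__":
    for spec in ("10.11.12.15-20", "10.0.0.0/30", "10.1.100.0/24", "10.0.0.0/16"):
        print(f"{spec:>16}: {len(expand_target(spec))} addresses")
```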
Discovering live hosts
Starting from bottom to top, we can use:
- ARP from Link Layer
- ICMP from Network Layer
- TCP and UDP from Transport Layer
ARP has one purpose: asking whether a computer with a specific IP address exists; if it does, it answers with its MAC address.
ICMP uses Type 8 (Echo) and Type 0 (Echo Reply).
If you want to ping a system on the same subnet, an ARP query should precede the ICMP echo.
A scanner can send a crafted packet to TCP or UDP ports to check whether the target responds. This method is useful when ICMP Echo is blocked.
Nmap Host Discovery using ARP
It is essential to avoid wasting time scanning non-existing hosts or IP addresses not in use. We can discover online hosts in many ways:
- When a privileged user (one that can run sudo) scans a target on the local network, Nmap uses ARP requests.
- When a privileged user scans a target outside the local network, Nmap uses ICMP echo requests, TCP ACK (ACKnowledge) to port 80, TCP SYN (SYNchronize) to port 443 and ICMP timestamp requests.
By default, Nmap scans for live hosts first, then port-scans only the hosts it found live. If we want Nmap to discover online hosts without port-scanning them, we can use nmap -sn <TARGETS>.
Before we can communicate with a computer on the same subnet (i.e. the same Ethernet/Wi-Fi segment), we need its MAC address. To get it, the OS sends an ARP query, and any computer that replies is up. If we only want to perform an ARP scan without port scanning, we can use nmap -PR -sn <TARGETS_IP>, where -PR indicates that we only want an ARP scan. For example, nmap -PR -sn 10.10.10.10/24 discovers all the live systems on the same subnet.
We also have a scanner built around ARP queries only: arp-scan. More information is in the arp-scan wiki.
The arp-scan -l command scans all the valid IP addresses on our local networks using ARP queries.
Nmap Host Discovery using ICMP
We can ping every IP address on a target network to see who responds to our ping (ICMP Type 8/Echo) requests with a ping reply (ICMP Type 0). This is not always reliable, as some firewalls block ICMP echo. If the target is in the same subnet, ARP will precede the ICMP request.
To use ICMP requests, we use the flag -PE (and -sn if we don't want to port-scan): nmap -PE -sn <TARGET_IP>/24. This sends ICMP echo packets to every IP on the subnet and waits for live hosts to reply.
We get not only their IP addresses but also their MAC addresses, because they are in the same subnet. Let's see what happens when the target is on a different subnet.
Because ICMP echo requests tend to be blocked, we can use timestamp requests (ICMP Type 13) instead by adding the -PP flag.
Nmap can also send address mask queries (ICMP Type 17) and check whether it gets an address mask reply (ICMP Type 18), using the -PM option.
Nmap Host Discovery using TCP and UDP
TCP SYN Ping
When we send a packet with the SYN (SYNchronize) flag set to a TCP port (by default, 80), an open port should reply with SYN/ACK (SYNchronize/ACKnowledge), and a closed one with RST (ReSeT).
This is how a normal 3-Way handshake works:
This is how -PS works:
To perform a TCP SYN ping, we use the option -PS followed by a port number, list or range: nmap -PS21, nmap -PS80,443,8080 or nmap -PS21-40.
TCP ACK Ping
This sends a packet with the ACK flag. We need to be privileged users to perform this, or it will attempt a 3-way handshake.
To perform a TCP ACK ping, we use the option -PA followed by a port number, list or range: nmap -PA21, nmap -PA80,443,8080 or nmap -PA21-40.
SYN tries to create a connection, while ACK pretends that one already exists. TCP ACK ping can therefore reach hosts that block SYN packets, but it sends bogus TCP ACK packets belonging to non-existing connections, which modern firewalls that track connection states will recognise and drop.
UDP Ping
Contrary to TCP SYN ping, a UDP packet (sent with the -PU option) to an open UDP port is not expected to get any reply, but a UDP packet to a closed UDP port should trigger an ICMP port unreachable reply, indicating that the target is up and available.
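To see the same probes from the defender's side, here is an added example (not from the original post or the TryHackMe room) that classifies packets by the ICMP types and TCP flags named in the ARP, ICMP, TCP and UDP sections above and flags any source that sends one probe kind to many distinct hosts. The Pkt record, the probe labels and the sample traffic are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Added example, not from the original post: flags any source that sends one
# kind of host-discovery probe (as described above) to many distinct hosts.

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str           # "arp", "icmp", "tcp" or "udp"
    icmp_type: int = -1  # only meaningful when proto == "icmp"
    dport: int = 0
    flags: str = ""      # TCP flags as tcpdump prints them: "S", "A", "SA"

# (proto, ICMP type, TCP flags) -> label; the labels are our own naming
PROBE_KINDS = {
    ("arp", -1, ""): "ARP who-has (-PR)",
    ("icmp", 8, ""): "ICMP echo (-PE)",
    ("icmp", 13, ""): "ICMP timestamp (-PP)",
    ("icmp", 17, ""): "ICMP address mask (-PM)",
    ("tcp", -1, "S"): "TCP SYN ping (-PS)",
    ("tcp", -1, "A"): "TCP ACK ping (-PA)",
    ("udp", -1, ""): "UDP ping (-PU)",
}

def probe_kind(p: Pkt) -> Optional[str]:
    """Classify a packet as a discovery probe, or None (e.g. a SYN/ACK reply)."""
    return PROBE_KINDS.get((p.proto, p.icmp_type, p.flags))

def detect_sweeps(packets: Iterable[Pkt], min_hosts: int = 8) -> Dict[Tuple[str, str], int]:
    """{(src, label): distinct hosts} for sources probing >= min_hosts hosts one way."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for p in packets:
        kind = probe_kind(p)
        if kind is not None:
            seen[(p.src, kind)].add(p.dst)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_hosts}

# Constructed traffic: .5 timestamp-sweeps 14 neighbours, .9 SYN-pings port 443
# on 10 hosts, .7 just pings one box three times (normal use, not a sweep).
SAMPLE = [Pkt("10.1.100.5", f"10.1.100.{i}", "icmp", icmp_type=13) for i in range(1, 15)]
SAMPLE += [Pkt("10.1.100.9", f"10.1.100.{i}", "tcp", dport=443, flags="S") for i in range(1, 11)]
SAMPLE += [Pkt("10.1.100.7", "10.1.100.1", "icmp", icmp_type=8)] * 3

if __name__ == "__main__":
    for (src, kind), n in sorted(detect_sweeps(SAMPLE).items()):
        print(f"{src}: {kind} sent to {n} distinct hosts")
```

The threshold and the window are deliberately simple; in practice you would bucket by time and tune min_hosts to the size of the segment being watched.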
Masscan
Masscan uses a similar but more aggressive approach in the rate of packets it generates. The syntax is similar: masscan <TARGET_IP>/24 -p443, masscan <TARGET_IP>/24 -p80,443, masscan <TARGET_IP>/24 -p1-100.
You can install Masscan with the apt install masscan command.
Using reverse-DNS lookup
Because hostnames can reveal a lot, Nmap's default behaviour is to run reverse-DNS lookups on online hosts. If we don't want to send such queries, use -n to skip them.
By default, Nmap only looks up online hosts, but we can use the option -R to run reverse-DNS lookups on offline hosts as well.
Summary
In this lesson, we have learnt:
- What subnetworks are.
- How to enumerate targets and discover live hosts.
- Nmap host discovery using ARP, ICMP, TCP and UDP.
- Nmap syntax:
  - ARP scan: sudo nmap -PR -sn <TARGET_IP>/24
  - ICMP echo scan: sudo nmap -PE -sn <TARGET_IP>/24
  - ICMP timestamp: sudo nmap -PP -sn <TARGET_IP>/24
  - ICMP address mask: sudo nmap -PM -sn <TARGET_IP>/24
  - TCP SYN ping scan: sudo nmap -PS22,80,442 -sn <TARGET_IP>/30
  - TCP ACK ping scan: sudo nmap -PA22,80,442 -sn <TARGET_IP>/30
  - UDP ping scan: sudo nmap -PU22,80,442 -sn <TARGET_IP>/30
Stats
From 108.791th to 104.610th. Sitting right now in the Top 5%.
Here is also the Skill Matrix:
Resources
Module: Nmap
TryHackMe: Nmap Live Host Discovery