How To Discover Network Hosts With Nmap?
Hi. We started with nmap target specification. Now we continue with the host discovery options. Host discovery means detecting hosts in the same or a remote network. Generally we send a packet to the target host and either get a response or not, but sometimes we just listen and receive packets from hosts. We decide the host's status according to the response, if we get one. There are several different ways to send these packets.
nmap's default action for host discovery (if no option is given) is an ICMP echo request and an ICMP timestamp request, a TCP SYN to port 443 (https) and a TCP ACK to port 80 (http).
The -PR option is used for ARP ping, so it just sends ARP requests. In the second block we see the target host's network dump. The -sn option disables the port scan.
$ nmap -PR -sn u1
List scan is a passive scan, so we do not send packets to the network, we just listen. As you can see in the output, there is one host which is up, but the scan shows none as up.
$ nmap -sL 192.168.122.0/24
No Ping Scan
No ping scan disables the ping stage of the scan. Normally a scan starts with a ping to find live hosts and then runs the heavy port scan only against the live hosts. But if you set this option, it starts the heavy port scan against all specified hosts.
$ nmap -Pn 192.168.122.0/24
TCP SYN ping is another method for reliable scanning. SYN packets are sent to the given ports, and a response such as RST or ACK means there is a live host. Here we scan for TCP 22.
$ nmap -sn -PS22 192.168.122.0/24
TCP ACK ping is like SYN ping but, as you can guess, with the ACK flag set.
$ nmap -sn -PA22 192.168.122.0/24
UDP ping is like TCP ping. Here you can also specify --data-length for the packet, which appends a randomly generated payload.
$ nmap -sn --data-length 500 -PU514 192.168.122.0/24
ICMP Echo Scan
ICMP ping types are used to ping with different ICMP types. The most used and most helpful one is echo. This type of scan pings all of the hosts.
$ nmap -sn -PE 192.168.122.0/24
Protocol list is used to specify IP protocol numbers. As you know, ICMP, TCP, UDP, IGMP and similar protocols have numbers specified in the IP packet header. Here we can set these numbers. For example, UDP is 17. This type of scan is not reliable, so I skip it.
Do Not Resolve DNS
Resolving DNS can slow down the scan, or it may be unnecessary, so we can stop DNS resolving with the -n option or force it with the -R option. If we want to use the system's DNS resolver, use --system-dns; if we want to specify DNS servers manually, use --dns-servers 188.8.131.52.
$ nmap -sn -n 192.168.122.0/24
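The host discovery options above all produce a list of hosts marked Up, and in practice you want that list in a form other tools can consume. The following script is an added example, not code from the original post or from the nmap project: it shows how to save a discovery scan in nmap's grepable format (-oG) and extract the live hosts from it. The scan command in the comment combines the SYN, ACK and ICMP echo probes discussed above; the grepable output embedded in the script is constructed by hand so that the script runs without nmap or network access.

```shell
#!/bin/sh
# Added example (not from the original post): pull the hosts reported
# "Up" out of nmap grepable (-oG) output of a host-discovery scan, e.g.
#   nmap -sn -PS22 -PA22 -PE -n -oG discovery.gnmap 192.168.122.0/24
# The sample below is constructed to look like -oG output of such a scan
# so the functions can be exercised offline; real output separates the
# "Host:" and "Status:" fields with tabs, which awk also splits on.

SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.122.0/24
Host: 192.168.122.1 (gateway)   Status: Up
Host: 192.168.122.5 ()  Status: Up
Host: 192.168.122.9 ()  Status: Down
# Nmap done; 256 IP addresses (2 hosts up) scanned in 2.31 seconds'

# up_hosts: read grepable output on stdin, print one IP per line for
# every "Host:" line whose Status is Up. Comment lines (#) and hosts
# reported Down are skipped.
up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# count_up: number of hosts reported Up in the grepable output on stdin.
count_up() {
    up_hosts | wc -l | tr -d ' '
}

# Stand-alone run: list the live hosts from the constructed sample and
# write them to a file that a later, targeted port scan could take via -iL.
printf '%s\n' "$SAMPLE_GNMAP" | up_hosts | tee live-hosts.txt
printf 'live hosts: %s\n' "$(printf '%s\n' "$SAMPLE_GNMAP" | count_up)"
```

Feeding a real scan's file into the same functions is just `up_hosts < discovery.gnmap`; keeping the discovery step and the port scan separate means the hosts that -Pn would otherwise probe blindly are visible as Down lines before any heavier scanning starts.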