How To Discover Network Hosts With Nmap? – POFTUT

Hi. We started with Nmap target specification; now we continue with the host discovery options. Host discovery means detecting which hosts are alive in the local or a remote network. Generally we send a packet to the target host and either get a response or not, but sometimes we just listen and receive packets from hosts. We decide the host status according to the response, if any. There are several different ways to send these packets. Nmap's default host discovery (when no option is given) is an ICMP echo request and an ICMP timestamp request, a TCP SYN to port 443 (HTTPS) and a TCP ACK to port 80 (HTTP).

ARP Scan

The -PR option is used for ARP discovery, so Nmap only sends ARP requests. In the second block we see the network dump of the target host. The -sn option disables the port scan.

$ nmap -PR -sn u1

List Scan

The list scan is passive: we do not send packets to the network, we just listen. As you can see in the output, there is one host which is up, but the scan shows that nobody is up.

$ nmap -sL 192.168.122.0/24

No Ping Scan

The no-ping scan disables the ping stage of the scan. Normally a scan starts with a ping to find live hosts and then runs the heavier port scan only against those live hosts. With this option it starts the heavy port scan against all specified hosts.

$ nmap -Pn 192.168.122.0/24

Sync Scan

TCP SYN ping is another method for reliable scanning. SYN packets are sent to the given ports, and if there is a host we get a response such as RST or ACK. Here we probe TCP port 22.

$ nmap -sn -PS22 192.168.122.0/24

Ack Scan

TCP ACK ping is like SYN ping but, as you can guess, it uses the ACK flag.

$ nmap -sn -PA22 192.168.122.0/24

UDP Scan

UDP ping is like TCP ping. Here you can also specify --data-length for the packet, which appends a randomly generated payload of the given size.

$ nmap -sn --data-length 500 -PU514 192.168.122.0/24

ICMP Echo Scan

Several ICMP types can be used for ping. The most used and helpful is the echo request. This type of scan pings all of the hosts.

$ nmap -sn -PE 192.168.122.0/24

IP Protocol Scan

The protocol list is used to specify IP protocol numbers. As you know, ICMP, TCP, UDP and similar protocols are identified by a protocol number in the IP packet header. Here we can set these numbers; for example, UDP is 17. This type of scan is not reliable, so I skip it.

Do Not Resolve DNS

Resolving DNS can slow down the scan, or it may simply be unnecessary, so we can disable DNS resolution with the -n option or force it with the -R option. To use the system resolver, use --system-dns; to specify DNS servers manually, use --dns-servers 8.8.8.8.

$ nmap -sn -n 192.168.122.0/24
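The following shell script is an added example, not part of the original post: it combines the SYN, ACK and ICMP echo probes described above into one discovery run without DNS resolution, and filters Nmap's greppable output (-oG -) down to the hosts reported as Up, which is the list a defender would feed into an asset inventory. The function names, the constructed sample output and the choice of ports 22, 443 and 80 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Host discovery with several
# probe types, reduced to a plain list of live IP addresses.
# Assumes nmap is installed for discover(); the parser runs without it.

# Turn greppable nmap output into one IP per line for hosts with "Status: Up".
up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# No port scan (-sn), no DNS (-n), ICMP echo (-PE), TCP SYN to 22 and 443
# (-PS22,443), TCP ACK to 80 (-PA80); greppable output goes to stdout (-oG -).
discover() {
    nmap -sn -n -PE -PS22,443 -PA80 -oG - "$1" | up_hosts
}

# Constructed sample of greppable output (not captured from a real scan),
# so the parser can be exercised without sending any packets.
SAMPLE='# Nmap scan initiated (constructed sample)
Host: 192.168.122.1 ()	Status: Up
Host: 192.168.122.7 ()	Status: Down
Host: 192.168.122.20 ()	Status: Up
# Nmap done -- 256 IP addresses (2 hosts up) scanned'

# Count the live hosts in the sample; expect 2.
count_up() {
    printf '%s\n' "$SAMPLE" | up_hosts | wc -l | tr -d ' '
}

# Print the live hosts from the sample, one per line.
sample_hosts() {
    printf '%s\n' "$SAMPLE" | up_hosts
}
```

Run `discover 192.168.122.0/24` against your own range to get the live list; `sample_hosts` shows the same filtering on the embedded sample.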