How to perform host discovery

One of the basic techniques for identifying a running host is to send an ICMP ping packet and analyze the response. What if the host or the network is blocking ICMP packets at the network level or the host level? With the ICMP technique alone, such a host or network will not appear in the live host list. Host discovery is one of the core components of a network penetration test or vulnerability scan. An incomplete host discovery can drop hosts or networks from the scope before any further operation is performed, leaving them unassessed and the network vulnerable.

Nmap provides various options and techniques to identify live hosts by sending customized packets suited to specific network conditions. If no such options are provided, Nmap by default sends an ICMP echo to identify the live hosts. The probe options can be combined to increase the odds of identifying further live hosts. Once Nmap has probed for live hosts and obtained a list of them, it scans those hosts for open ports by default.

The following options are provided by Nmap to perform host discovery:

  • -sL: This option lists the IP addresses present in the provided subnet. It also tries to resolve the IP addresses to their hostnames. The hostnames can help an attacker or a penetration tester find out a great deal about the network. You will not be able to combine this with any other options, such as OS discovery, because its only function is to list the IP addresses.
  • -sn: This option tells Nmap not to perform a port scan once the host discovery is performed. Instead, it just lists the live IP addresses found. This uses an ICMP echo to identify the available hosts, which will not work if there is a firewall present in the network.
  • -Pn (No ping): Generally, Nmap performs activities such as probing, port detection, service detection, and OS detection only on hosts that are found to be live. This option makes Nmap perform all the operations on every host in the list provided to scan. For example, if a class C IP address with subnet /28 is specified, then Nmap performs probing on all the 255 hosts instead of first checking for live hosts and performing the activity only on them. This is an extensive scan option and generates a lot of traffic.
  • -PS (port list): This option sends an empty TCP packet with the SYN flag set. This is also called a SYN ping packet. Generally, for a full TCP connection to happen, an ACK is generated by the host on receiving the SYN packet. Once the ACK packet is received, the Nmap host generates a SYN/ACK packet, which then establishes a connection. Instead, Nmap sends an RST, a packet with the reset flag set, to drop the connection and thus declare the port to be open. This allows you to determine the open ports without actually creating a connection, because any connection made will be logged at the network and system levels. This option also allows attackers to avoid leaving any tracks while performing the detection. There is no space between -PS and the port number. You can specify a range of ports to perform the operation on as well.
  • -PA (port list): This is similar to SYN scanning and is also known as the TCP ACK ping scan. Nmap generates TCP packets with the ACK flag set. ACK normally acknowledges data transferred over a connection, but since there is no existing connection from the Nmap machine to the host, the host returns a packet with the RST flag set. This allows Nmap to determine that the port is open and has a service functioning.
  • -PU (port list): This is also similar to TCP scans, but this UDP ping scan is for UDP ports. For most ports the packet is empty, except for any service-specific ports, such as DNS and NTP. If a DNS ping packet reaches a closed port, the UDP probe should trigger an ICMP unreachable response from the host. If this response is not generated or the connection appears to be idle, it means that the port is functioning and a service is running on the port.
  • -PY (port list): This switch generates an SCTP packet containing a part of INIT data. This means that you are trying to establish a connection. If the destination port is closed, an ABORT packet is sent back; otherwise, the connection moves on to the next step of a four-way handshake by replying with an INIT-ACK. Once the INIT-ACK is received, the Nmap machine sends an INIT-ACK and marks the port as open instead of creating a connection.
  • -PO (protocol list): This protocol list scan allows Nmap to configure the packet with a couple of protocols enabled in the packet header, such as ICMP and IGMP, to see whether there are any host unreachable responses to determine that the protocols are not supported by the destination port, thereby marking the port as closed.
  • -PR (ARP Ping): ARP scan allows Nmap to send ARP requests to the remote host. If there is any response then Nmap marks the host as live without examining any other results. This also supports IPv6.
  • --disable-arp-ping: This allows a user to obtain specific results when a network device or proxy responds to the ARP requests, creating a situation where all the hosts appear to be up.
  • --traceroute: Traceroute is a post-scan module that determines the best port to use to reach the remote host. This works by sending low-TTL packets.
  • -n: This allows users to skip the DNS resolution process. DNS resolution can be slow, and with it enabled the scan takes a lot of time.
  • -R: This option is the counterpart to -n. It mandates that Nmap performs reverse DNS resolutions for all the live hosts.
  • --system-dns: This can be used to specify that the DNS servers used for resolution should be the DNS servers that are configured on the hosts.
  • --dns-servers <server1>[,<server2>[,...]]: This option can be used to define specific DNS addresses to be used for reverse DNS resolution.
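The discovery options above leave a trace in Nmap's XML output (-oX): each host's status element carries a reason attribute naming the probe that drew a reply (arp-response, syn-ack, reset, echo-reply), or user-set when -Pn forced the host to count as up. The following is an added example, not code from the original page or from the Nmap project, that parses a constructed -sn run and reports which option proved each host live and which hosts were never actually verified; the sample XML and the 192.0.2.0/28 addresses are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sn -PR -PS22,443 -PA80 -oX -` output (not a
# real scan). The "reason" attribute records which discovery probe made Nmap
# call a host up; "user-set" means -Pn forced the host to be treated as up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -PR -PS22,443 -PA80 -oX - 192.0.2.0/28">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.1" addrtype="ipv4"/>
<hostnames><hostname name="gw.example.test" type="PTR"/></hostnames></host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.5" addrtype="ipv4"/><hostnames/></host>
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.9" addrtype="ipv4"/><hostnames/></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/><hostnames/></host>
<runstats><hosts up="3" down="1" total="4"/></runstats></nmaprun>"""

# Which of the options described above produces each "reason" value.
PROBE_FOR_REASON = {
    "arp-response": "-PR (ARP ping)",
    "echo-reply": "ICMP echo (Nmap default)",
    "syn-ack": "-PS (TCP SYN ping)",
    "reset": "-PA (TCP ACK ping), or -PS reaching a closed port",
    "user-set": "-Pn (assumed up, never probed)",
}

def parse_discovery(xml_text):
    """One dict per <host>: address, reverse-DNS name, state and reason."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        addr = h.find("address[@addrtype='ipv4']")
        name = h.find("hostnames/hostname")
        hosts.append({
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": name.get("name") if name is not None else "",
            "state": status.get("state"),
            "reason": status.get("reason"),
        })
    return hosts

def live_hosts(hosts):
    """Hosts Nmap will go on to port-scan, mapped to the probe that found them."""
    return {h["addr"]: PROBE_FOR_REASON.get(h["reason"], h["reason"])
            for h in hosts if h["state"] == "up"}

def unverified_hosts(hosts):
    """Hosts counted as up only because -Pn skipped discovery."""
    return [h["addr"] for h in hosts if h["reason"] == "user-set"]
```

Comparing the live_hosts result against an asset inventory shows which discovered hosts are unknown, and unverified_hosts shows where a -Pn scan is spending time on addresses no probe ever answered for.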