Introduction
- Nmap uses several approaches to discover live hosts before it port-scans them. The main ones are:
- ARP Scan: sends ARP requests (who-has) and treats any host that replies as live; only works on the local network segment.
- ICMP Scan: sends ICMP echo, timestamp or address-mask requests and treats any host that replies as live.
- TCP/UDP ping Scan: sends TCP SYN/ACK packets or UDP datagrams to selected ports and treats any host that answers (even with a RST or an ICMP port-unreachable) as live.
Subnetwork
- Network Segment: a group of computers connected over a shared medium, such as an Ethernet switch or a WiFi access point.
- Subnetwork: usually one or more network segments connected together and configured to use the same router. A network segment is a physical grouping, while a subnetwork is a logical (IP-level) grouping.

- The figure above shows two subnet sizes: /16, which means the subnet mask is 255.255.0.0 (65,536 addresses), and /24, which means the subnet mask is 255.255.255.0 (256 addresses).
Enumerating Targets
- We can provide a file as input for our list of targets to Nmap (one target per line; IP addresses, hostnames or CIDR ranges), using the command -
nmap -iL list_of_hosts.txt
- If we want to check the list of hosts that Nmap will scan without sending any packets to them, we can use a list scan -
nmap -sL TARGETS
- By default Nmap attempts a reverse-DNS lookup on the hosts it finds online to obtain their names (with -sL it resolves every listed target). These lookups are extra traffic to the DNS server, which can be noisy.
- To disable reverse-DNS resolution, add the flag
-n
Nmap Host Discovery using ARP
- If a privileged user (root or an account that can send raw packets) scans targets on the local network (Ethernet), Nmap uses ARP requests, because every host on the segment must answer ARP in order to communicate at all.
- If a privileged user scans targets outside the local network, Nmap sends an ICMP echo request, a TCP ACK (Acknowledge) to port 80, a TCP SYN (Synchronize) to port 443, and an ICMP timestamp request; a reply to any one of them marks the host as live.
- If an unprivileged user scans targets, Nmap cannot send raw packets, so it falls back to the TCP 3-way handshake using the connect() system call, sending SYN packets to ports 80 and 443 (this applies to local targets too, since raw ARP is not available without privileges).
- Nmap by default uses this ping scan to find live hosts and then proceeds to port-scan the live hosts only.
- If we want Nmap to discover only live hosts without port scanning then we can use -
nmap -sn targets
- ARP scan is possible only if the attacker and the target system are on the same subnet (the same broadcast domain), since ARP is not routed.
- To make Nmap perform only an ARP scan without port-scanning, use -
nmap -PR -sn targets
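The following is an added example, not code from the original page or from the Nmap project. It ties together the subnet section (prefix lengths such as /16 and /24 and their masks) and the host-discovery rules above: it expands an -iL style target list the way Nmap does, decides for each target whether it lies on the scanner's own subnet (and so is reachable by ARP), lists the probes Nmap's default discovery would send, and builds separate nmap -sn commands for the on-subnet and remote groups. The target list and the scanner address 10.10.1.20/24 are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the list_of_hosts.txt file passed to nmap -iL (not from the page).
TARGET_LIST = """\
# constructed example target list
10.10.1.5
10.10.1.0/29
10.20.0.7
192.168.50.3
"""

# Assumed address of the scanning host on its LAN, written as address/prefix.
SCANNER_IFACE = "10.10.1.20/24"


def prefix_to_mask(prefix):
    """Dotted-quad mask for a CIDR prefix, e.g. 16 -> '255.255.0.0', 24 -> '255.255.255.0'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def load_targets(text):
    """Expand an -iL style file into individual addresses.

    Nmap expands a CIDR block to every address in it, including the network and
    broadcast addresses, so the whole network is iterated rather than .hosts().
    Blank lines and '#' comments are skipped.
    """
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "/" in line:
            hosts.extend(ipaddress.ip_network(line, strict=False))
        else:
            hosts.append(ipaddress.ip_address(line))
    return hosts


def same_subnet(scanner_iface, target):
    """True when target lies inside the scanner's own subnet, i.e. where ARP can reach it."""
    local_net = ipaddress.ip_interface(scanner_iface).network
    return ipaddress.ip_address(str(target)) in local_net


def discovery_probes(scanner_iface, target, privileged=True):
    """Probes Nmap's default host discovery sends to one target, following the rules above."""
    if privileged and same_subnet(scanner_iface, target):
        return ["ARP request"]
    if privileged:
        return ["ICMP echo request", "TCP ACK to port 80",
                "TCP SYN to port 443", "ICMP timestamp request"]
    # Unprivileged users cannot send raw packets: Nmap falls back to connect() to 80 and 443.
    return ["TCP connect() to port 80", "TCP connect() to port 443"]


def plan_discovery(scanner_iface, target_text, privileged=True):
    """Split targets into on-subnet and remote groups and build one nmap -sn command for each.

    -n is added because the goal here is live-host discovery, not names.
    """
    hosts = load_targets(target_text)
    local = [str(h) for h in hosts if same_subnet(scanner_iface, h)]
    remote = [str(h) for h in hosts if not same_subnet(scanner_iface, h)]
    commands = []
    if local:
        # -PR forces an ARP-only sweep; it is only meaningful with raw-packet privileges.
        flags = "-sn -PR -n" if privileged else "-sn -n"
        commands.append(f"nmap {flags} {' '.join(local)}")
    if remote:
        commands.append(f"nmap -sn -n {' '.join(remote)}")
    return commands


if __name__ == "__main__":
    for prefix in (16, 24):
        print(f"/{prefix} -> {prefix_to_mask(prefix)}")
    for host in load_targets(TARGET_LIST):
        print(host, discovery_probes(SCANNER_IFACE, host))
    for cmd in plan_discovery(SCANNER_IFACE, TARGET_LIST):
        print(cmd)
```

With the constructed list, 10.10.1.5 and all eight addresses of 10.10.1.0/29 fall inside 10.10.1.0/24 and get the ARP-only command, while 10.20.0.7 and 192.168.50.3 are routed targets and get the default ICMP/TCP discovery. Running the script as an unprivileged user is what the privileged=False path models: no ARP, only connect() attempts to 80 and 443.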