[Lesson 2] Network Vulnerability and Scanning: Nmap Ping Scan in Nmap
Continuing from lesson 1, the Nmap introduction, we will now dive into the Nmap commands used to scan a network. One of the first steps in any network reconnaissance task is to reduce a set of IP ranges to a list of active hosts. Scanning every port of every single IP address is slow and usually unnecessary.
1. Nmap Ping Scan = No Port Scan (-sn|-sP)
- Detecting live hosts — only print out the available hosts that responded to the host discovery probes
- In the No Port Scan option, -sn is referred to as a null scan and was known as -sP in previous releases. This option tells Nmap not to do a port scan after host discovery, and only to print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”.
- System administrators often find this option valuable, as it can easily be used to find out how many machines are available on the network or to monitor server availability.
- This is often called a ping sweep, and it is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.
2. nmap -sn > Default Behavior for Privileged User (ICMP echo request, SYN->TCP 443 port, ACK->TCP 80 port, ICMP timestamp request)
- When the default host discovery done with -sn is executed by a privileged user, it sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80 and an ICMP timestamp request by default.
3. nmap -sn > Default Behavior for Unprivileged User (SYN => TCP 80, 443 ports)
- When executed by an unprivileged user, only SYN packets are sent to ports 80 and 443 on the target.
4. “ARP scan” in local networks (unless --send-ip was specified)
- When a privileged user scans targets on a local Ethernet network, ARP requests are used instead, unless --send-ip was specified.
Hands on Practice: Nmap Ping Scan (No Port Scan) Mode
- Let’s perform the first Nmap scan of this lesson using the ping scan, which is also known as the no port scan. By the way, Nmap is embedded in Kali, and we can run Nmap by just typing “nmap” in the terminal; without arguments, this prints the help page of Nmap. You can also look into the details of nmap with the command “man nmap”.
Before that, run the Metasploitable machine and obtain its IP address (10.0.2.4):
Let’s start with a simple nmap command to perform a ping scan:
- Here, the nmap command comes first. Next, the scan type (-sn) and the IP address range are added. Note that the order of the parameters is not important, but the line needs to start with the command “nmap”.
- The IP address entered is 10.0.2.0/24. This means that the IP addresses between 10.0.2.0 and 10.0.2.255 are scanned by Nmap.
- In the figure above, we found a few IP addresses in the results that are reported as up. These are the systems that responded to our probes.
- Remember the previous section where we discussed nmap -sn: if the user is privileged, our probes are an ICMP echo request, a SYN to port 443, an ACK to port 80 and an ICMP timestamp request.
- In the results, we can observe that the IP address (or domain name) is embedded in a longer line of text. In most cases, we would want the IP addresses of the hosts as a plain list, for ease of further scans.
How do we get the IP addresses of the live systems? The answer is with the grep tool and the cut tool in Linux.
- Use grep to select the lines that contain an IP address, i.e. the lines that contain the words “Nmap scan” (each live host produces a line of the form “Nmap scan report for <address>”).
- Next, use cut to strip the text in front of the IP address, using a space as the delimiter (-d" ") and keeping field 5 (-f5) to retain the IP address. Note that if Nmap was able to resolve a hostname, the line reads “Nmap scan report for <hostname> (<address>)”, and field 5 is then the hostname rather than the address.
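Putting the sweep and the grep/cut extraction together in a shell script, as an added example that is not from the original lesson: the Nmap output below is a constructed sample (no scan is run here), the function names are my own, and the second function also handles the case where Nmap resolved a hostname, which would otherwise make field 5 the name instead of the address.

```shell
#!/bin/sh
# Added example, not from the original lesson. Extracts live-host IPs from the
# normal output of "nmap -sn". SAMPLE_OUTPUT is a constructed sample of what
# such a sweep prints; in practice you would pipe the real scanner in, e.g.
#   nmap -sn 10.0.2.0/24 | extract_live_ips
SAMPLE_OUTPUT='Starting Nmap ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 10.0.2.1
Host is up (0.00050s latency).
Nmap scan report for metasploitable.local (10.0.2.4)
Host is up (0.00031s latency).
Nmap scan report for 10.0.2.15
Host is up (0.00011s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.55 seconds'

# The pipeline exactly as the lesson describes it. Field 5 of
# "Nmap scan report for 10.0.2.1" is the address, but when reverse DNS
# succeeded field 5 is the hostname, so that host's address is lost.
extract_live_ips_simple() {
    grep 'Nmap scan' | cut -d' ' -f5
}

# Robust variant: the address is always the last field of the report line,
# wrapped in parentheses when a hostname precedes it, so take $NF and strip
# any parentheses before printing.
extract_live_ips() {
    grep '^Nmap scan report for ' | awk '{ ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# Running the script directly prints the list from the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | extract_live_ips
```

The second function's output can be saved to a file and fed back to Nmap with -iL for the follow-up port scans.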
Thanks for reading…