Post

Nmap

Introduction

Live host discovery is crucial as going directly into port scanning can waste time and create unnecessary noise if trying to scan offline systems.

Host discovery cheatsheet Commands related with Live Host Discovery

Host discovery

When no host discovery options are set, nmap follows the approaches shown below (in that order):

UserNetworkMethod(s)
PrivilegedLANARP requests
PrivilegedWANICMP echo, TCP ACK (80), TCP SYN (443), ICMP timestamp
UnprivilegedWANTCP 3-way handshake via TPC SYN (80, 443)

To confirm nmap’s behaviour with and without the use of a privileged account, we can trying scanning a random IP address from the same subnet as ours:

Using ifconfig command to find our IP address Using ifconfig to note down our IP address

Default host discovery scan with and without sudo Default Live Host Discovery scan with and without the use of a privilieged account

When we execute the command without sudo, it skips both the ARP and ICMP scans, and goes straight for a full TCP scan. However, when we use sudo it performs an ARP scan as expected, since the target host is on the same subnet as us.

If we gain an initial foothold with a low-privileged user on a target host and we try to enumerate the network from within using nmap, it will use a full TCP scan which will generate a lot of traffic and probably a system alert.

ARP scan

Requirements:

  1. Privileged account.
  2. Same subnet.

Schematic diagram of an ARP request. Schematic diagram of an ARP request

ICMP echo scan

Requirements:

  1. Privileged account.

If the target is on the same subnet, an ARP request will precede the ICMP echo request. We can disable ARP requests using --disable-arp-ping.

Schematic diagram of an ICMP echo request. Schematic diagram of an ICMP echo request

New Windows versions as well as many firewalls block ICMP echo requests by default:

Windows Defender Inbound rules. Windows Defender Inbound rules related to the ICMPIPv4 protocol

ICMP echo blocked. ICMP echo requests not allowed

ICMP echo permitted. ICMP echo requests permitted

To see what happens in practice, we can scan a live host residing on a different subnet:

Packet tracing during an ICMP echo request Packet tracing during an ICMP echo request

Reason that hosts is up on ICMP echo request Reasoning of why nmap marked the host as alive after an ICMP echo request

We see that nmap sent an ICMP echo request and it received an ICMP echo reply back, thus, it marked the host as online. If we try to replicate that for a host that is not up, nmap will send two ICMP echo requests before it gives up and mark the host as offline. The second is just making sure that nothing went wrong with the first one:

Packet tracing of a dead host after an ICMP echo request Packet tracing of a dead host with an ICMP echo request

The TTL (time-to-live) value can helps us in identifying the target OS. The default initial TTL value for Linux/Unix is 64, and TTL value for Windows is 128.

ttl value of 63 for Linux TTL value of 63 pointing towards a Linux OS

ttl value of 127 for Windows TTL value of 127 pointing towards a Windodws OS

As ICMP echo requests tend to be blocked, we can consider sending an ICMP Timestamp (-PP) or an ICMP Address Mask (-PM) request, and expect for a Timestamp or an Address Mask reply, respectively.

TCP scans

TCP full scan

Unprivileged users can only scan using the full TCP 3-way handshake method.

TCP 3-way handshake scan. Schematic diagram of a full TCP 3-way handshake scan

That’s is how the process looks like:

TCP 3-way handshake scan with packet trace. Packet tracing of a full TCP 3-way handshake scan

TCP 3-way handshake scan with reason. Reasosing of a live host after a full TCP 3-way handshake scan

TCP SYN scan

Requirements:

  1. Privileged account.

Privileged users don’t need to complete the TCP 3-way handshake even if the port is open (TCP SYN scan), but unprivileged ones have no choice but wait for its completion (TCP full scan).

TCP SYN scan diagram. Schematic diagram of a TCP SYN scan

TCP SYN scan packet tracing. Packet tracing of a TCP SYN scan

TCP ACK

TCP ACK scan diagram. Schematic diagram of a TCP ACK scan

As we can see below, since the reset flag was received, nmap marked the host as alive:

TCP ACK scan packet tracing. Packet tracing of a TCP ACK scan

TCP ACK scan reasoning. Reasosing of a live host after a TCP ACK scan

Footnote

  1. The majority of the material comes from TryHackMe’s Nmap and HackTheBox’s Network Enumeration with Nmap modules.
  2. The scan diagrams come exclusively from TryHackMe’s Nmap module.
This post is licensed under CC BY 4.0 by the author.