Nmap has become one of the most popular tools in network scanning by leaving other scanners behind. Many times, network administrators secure hosts in some organizations using firewalls or intrusion prevention systems. However, these security measures can sometimes block scanning attempts due to the preset rules used to filter network traffic. In Nmap, a pentester can easily make use of alternate host discovery techniques to prevent this from happening. It consists of certain features that make the network traffic a little less suspicious. Hence, let us look at various techniques of Host Discovery.

Table of Content

• Ping Sweep ( No port scan)
• Disable-arp-ping
• Send-ip
• TCP Flags
• Types of Scans
• TCP SYN Ping Scan
• TCP ACK Ping Scan
• ICMP ECHO Ping Scan
• ICMP ECHO Ping Sweep
• UDP Ping Scan
• IP Protocol Ping scan
• ARP Ping Scan
• Traceroute

Ping Sweep

Let’s begin with scanning the entire network by using the Ping sweep scan (-sP).

nmap –sP 192.168.1.0/24

When you closely observe the packets in Wireshark, you will notice that network scans send only ARP packets.

Note: Working of –sP and –sn is the same.

Let us try the same by using the no port scanning (-sn) option. In this option, we are also using –packet-trace option which will enable you to see the detailed packet transfer without making use of Wireshark. Here you can observe the ARP packets being received.

nmap -sn 192.168.1.0/24 --packet-trace

Now that we have identified ARP packets in the network, we can use the –disable-arp-ping option. In this case, you will observe that four packets are sent instead.

Disable-arp-ping

To disable the ARP discovery, Nmap provides this option.

nmap -sn 192.168.1.108 --disable-arp-ping

And you will see that the ARP packets are not visible

Note: When you scan the Local Network with Nmap, Nmap sends an ARP packet with every scan. If you scan an external network, Nmap sends the following request packets when –disable-arp-ping is used:

You can also make use of –send-ip option to get the same results as in the step above.

send-ip

nmap –sn 192.168.1.108 --packet-trace --send-ip

Host Discovery is the most fundamental step in Information Gathering. It provides accurate results regarding active ports and IP addresses in a network.

TCP Flags

First, let’s get to know the basics about the communication Flags in TCP. The TCP header mainly consists of six flags that manage the connection between the systems and provide instructions to them. Each flag is of 1 bit and hence the size of TCP Flags is 6 bits. Now let us briefly understand each flag.

Types of Scans

To discover the hosts in the network, various ping scan methods can be used.

TCP SYN Ping Scan

It is a method of host discovery which helps in looking for discovering if the ports are open and to also make sure if it matches the rules of the firewall. The Pentester can hence, send an empty SYN flag to the target to check where it is alive. Multiple ports can be defined in this scan type.

The -sP command in Nmap is specifically designed for discovering online hosts. On the other hand, the SYN Ping (-PS) command sends a TCP SYN packet to specific ports. If the port is closed, the host responds with an RST packet. If the requested ports are open, the host replies with a TCP SYN/ACK, followed by a reset packet to terminate the connection.

nmap -sn -PS 192.168.1.108 --disable-arp-ping

The packets captured using Wireshark can be overserved

The advantage of TCP SYN Ping scan is that the pentester can get the active/inactive status of the host without even creating a connection and hence it does not even create a log in the system or the network.

TCP ACK Ping Scan

It is a method of host discovery that is similar to TCP SYN Ping scan, but it slightly differs. This scan also makes use of Port 80. The pentester sends an empty TCP packet to the target, and as there is no connection between them, it will receive an Acknowledgement packet and will then reset and terminate the request

Additionally, this command helps to determine how the target responds. It also checks if firewalls block the SYN packets or ICMP echo requests, as is common with many modern firewalls.

nmap -sn -PA 192.168.1.108 --disable-arp-ping

You can observe the captured packets in Wireshark here.

ICMP Echo Ping Scan

The ICMP Ping scan gathers information about target systems, making it distinct from port scanning. The pentester sends an ICMP ECHO request to the target and receives an ICMP ECHO reply in response.

nmap -sn -PE 192.168.1.108 --disable-arp-ping

The packets captured in Wireshark can be observed.

ICMP ECHO Ping Sweep

nmap -sn -PE 192.168.1-10

ICMP Address Mask Scan

It is an older method of ICMP ECHO ping scanning. It gives out the information about the system and its subnet mask.

nmap -sn -PM 192.168.1.108 --disable-arp-ping

ICMP ECHO Timestamp scan

The pentester can adopt this technique in a particular condition when the system admin blocks the regular ICMP timestamp. It is usually used in synchronization of time.

nmap -sn -PP 192.168.1.108 --disable-arp-ping

The packets captured using Wireshark can be observed.

UDP Ping Scan

The UDP Ping Scans uses a highly uncommon default port number 40125 to send packets to the target. It is similar to TCP Ping scan. The Pentester will send the UDP Packets to the target and if there is a response in return, which means that the host is alive, or else it is offline

The advantage of UDP scan is that it can detect systems that have firewalls with strict TCP rules while leaving UDP rules at ease.

nmap -sn -PU 192.168.1.108 --disable-arp-ping

You can observe the packets sent using Wireshark.

IP protocol ping scan

In this method, the pentester sends various packets using different IP protocols and hopes to get a response in return if the target is alive.

nmap -sn -PO 192.168.1.108 --disable-arp-ping

The packets captured can be observed using Wireshark.

No ping scan

In this method, host discovery is completely skipped. The pentester can use it to determine active machines for heavier scanning and to increase the speed of the network.

nmap -sn -PN 192.168.1.108 --disable-arp-ping

ARP ping scan

In this method, the system sends ARP packets to all the devices in the network, even though these devices remain invisible due to the firewall. ARP ping scans are generally considered more efficient than other host discovery methods. Moreover, they primarily focus on system discovery and also provide latency details.

nmap -sn -PR 192.168.1.108

You can see the packets being captured in Wireshark.

SCTP INIT Ping

It sends SCTP packet containing a minimal INIT chunk. Its default destination port is 80. The INIT chunk provides a suggestion to the remote system that the pentester is attempting to establish an association.

nmap -sn -PY 192.168.1.108 --disable-arp-ping

The packets that are captured can be observed.

Traceroute

Users typically perform traceroutes after finishing a scan. At this stage, you can leverage the information from the scan results to determine the port and protocol that will reach the target.

nmap -sn --traceroute 8.8.8.8

To learn more about Nmap. Follow this Link.

To get more information on Traceroute, you can refer to

Working of Traceroute using Wireshark

Reference: https://nmap.org/book/man-host-discovery.html

Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her on Here