Rohit Panoria

Network Enumeration with Nmap-Part 1: Intro to Nmap and Host Discovery.

Updated: Apr 8, 2023



Nmap (Network Mapper) is a free and open-source network scanning tool that is used to discover hosts and services on a computer network, as well as create a "map" of the network topology.

It was first released in 1997 and has since become one of the most widely used network scanning tools available.


Table of Contents:

1. Intro to Nmap

2. Host Discovery

3. Host and Port Scanning

4. Saving the Result

5. Service Enumeration

6. Nmap Script Engine

7. Performance

8. Firewall and IDS/IPS Evasion


Intro to Nmap

Nmap is a powerful and popular network exploration and security auditing tool written in C, C++, Python, and Lua.

It is designed to scan networks using raw packets and identify which hosts are reachable, which services and applications they run (including the name and version, where possible), and which operating systems and versions those hosts use. Nmap also offers scanning options that show whether packet filters, firewalls, or intrusion detection systems (IDS) are configured as intended. It is flexible, easy to use, and scriptable, with support for a wide variety of operating systems and network protocols.


Nmap can be used to perform a variety of tasks, including:

  1. Host discovery: Nmap can be used to identify hosts on a network that are alive and responding to network requests.

  2. Port scanning: Nmap can be used to scan a host to determine which ports are open, closed, or filtered.

  3. Operating system detection: Nmap can be used to determine the operating system running on a target host based on the responses it receives from various network probes.

  4. Service detection: Nmap can be used to identify the services running on a target host and their associated ports.

  5. Vulnerability scanning: Nmap can be used to scan a network for potential vulnerabilities by identifying open ports and services that may be exploitable.

Nmap is a command-line tool that can be used on various operating systems, including Windows, Linux, and macOS. It can be run from a terminal or command prompt and supports a wide range of scanning options and techniques.


Some of the most common Nmap scanning techniques include:

  1. TCP SYN Scan: This is the most popular and default scanning technique used by Nmap, which sends a SYN packet to the target host to see if the port is open or closed.

  2. TCP Connect Scan: This scanning technique uses the operating system's connect() call to complete a full TCP handshake with the target port. If the host responds with a SYN-ACK packet, the port is considered open.

  3. UDP Scan: This scanning technique is used to identify open UDP ports on a target host.

  4. OS Detection: Nmap can identify the operating system running on a target host by sending various probes and analyzing the responses.

Nmap also supports various output formats, including plain text, XML, and HTML, and can be used in conjunction with other tools and scripts to automate scanning and analysis tasks. Overall, Nmap is a powerful network scanning tool that is widely used by network administrators, security professionals, and hackers alike to identify hosts, services, and vulnerabilities on a computer network.


Use Cases

The tool is one of the most used tools by network administrators and IT security specialists. It is used to:

• Audit the security aspects of networks

• Simulate penetration tests

• Check firewall and IDS settings and configurations

• Determine the types of connections that are possible

• Map the network

• Analyse responses

• Identify open ports

• Assess vulnerabilities


Nmap Architecture

Nmap is a network exploration and security auditing tool that uses a modular architecture to support a wide range of scanning techniques and features. Here are the key components of the Nmap architecture:

  1. Nmap Scripting Engine (NSE): NSE is a scripting engine that allows users to write and run custom scripts to automate scanning tasks and customize scan results. The scripts are written in Lua programming language and are executed during the scanning process.

  2. Packet Generation Engine: The Packet Generation Engine is responsible for generating and sending packets to target hosts. It supports a wide range of packet types, including TCP, UDP, ICMP, and IP.

  3. Timing and Performance Engine: This component is responsible for controlling the timing and performance of scans. It includes features such as parallelization, timing options, and host discovery techniques.

  4. Host Discovery Engine: The Host Discovery Engine is responsible for discovering and mapping hosts on a network. It uses techniques such as ARP scanning, ICMP pinging, and reverse-DNS resolution to identify hosts.

  5. Port Scanning Engine: The Port Scanning Engine is responsible for scanning ports on target hosts. It supports a wide range of scanning techniques, including TCP SYN scanning, TCP connect scanning and UDP scanning.

  6. Output Engine: The Output Engine is responsible for displaying and saving the results of the scan. It supports a wide range of output formats, including plain text, XML, and HTML.

Overall, the modular architecture of Nmap allows users to customize and extend the tool to support their specific needs and use cases. By using the different components and features of Nmap effectively, users can gain a better understanding of the networks and systems they're scanning and identify potential vulnerabilities before they can be exploited.

Nmap offers many different types of scans that can be used to obtain various results about our targets. Nmap can be divided into the following scanning techniques:

• Host discovery

• Port scanning

• Service enumeration and detection

• OS detection

• Scriptable interaction with the target service (Nmap Scripting Engine)

Nmap Scan Techniques

Nmap is a powerful and versatile network scanning tool that supports a wide range of scanning techniques. Here are some of the most commonly used Nmap scanning techniques:

  1. TCP SYN Scan: This is the default and most popular scanning technique used by Nmap. It sends a SYN packet to the target host to see if the port is open or closed. This technique is fast and stealthy, as it doesn't complete the TCP connection.

  2. TCP Connect Scan: This scanning technique uses the operating system's connect() call to complete a full TCP handshake with the target port. If the host responds with a SYN-ACK packet, the port is considered open. This technique is more reliable than the SYN scan, but it is also slower and more visible.

  3. UDP Scan: This scanning technique is used to identify open UDP ports on a target host. UDP scans are typically slower and less reliable than TCP scans, as UDP doesn't provide the same level of feedback as TCP.

  4. Operating System Detection: Nmap can identify the operating system running on a target host by sending various probes and analyzing the responses. This technique can be useful for identifying potential vulnerabilities and tailoring your scans to specific operating systems.

  5. Service Detection: Nmap can identify the services running on a target host and their associated ports. This can be useful for identifying potential vulnerabilities and understanding the configuration of the target system.

  6. Version Detection: Nmap can identify the version numbers of the services running on a target host. This can be useful for identifying potential vulnerabilities and understanding the configuration of the target system.

  7. Script Scanning: Nmap can run custom scripts to perform specific tasks, such as vulnerability testing or service enumeration. This technique can be very powerful, but it requires some knowledge of scripting and can be more time-consuming than other scanning techniques.

Overall, Nmap provides a wide range of scanning techniques that can be tailored to specific targets and scenarios. By understanding these techniques and using them effectively, you can gain a better understanding of the networks and systems you're scanning and identify potential vulnerabilities before they can be exploited.


Use Cases

Nmap offers many different scanning techniques, each making a different type of connection and sending differently structured packets. The output of nmap --help lists all the scan techniques Nmap offers:

Rpstark@securesect[/]$ nmap --help
<SNIP>
SCAN TECHNIQUES:
 -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
 -sU: UDP Scan
 -sN/sF/sX: TCP Null, FIN, and Xmas scans
 --scanflags <flags>: Customize TCP scan flags
 -sI <zombie host[:probeport]>: Idle scan
 -sY/sZ: SCTP INIT/COOKIE-ECHO scans
 -sO: IP protocol scan
 -b <FTP relay host>: FTP bounce scan
<SNIP>

For example, the TCP SYN scan (-sS) is the default scan type when Nmap runs with root privileges, unless we have defined otherwise, and it is also one of the most popular scan methods. This scan method makes it possible to scan several thousand ports per second. The TCP SYN scan sends one packet with the SYN flag set and, therefore, never completes the three-way handshake, so no full TCP connection to the scanned port is established.

  • If the target answers from the scanned port with a SYN-ACK flagged packet, Nmap marks the port as open

  • If the target answers with an RST flagged packet, the port is closed

  • If Nmap does not receive a packet back, it displays the port as filtered. Depending on the firewall configuration, certain packets may be dropped or ignored by the firewall. Let us take an example of such a scan.

Rpstark@securesect[/]$ sudo nmap -sS localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-11 22:50 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5432/tcp open  postgresql
5901/tcp open  vnc-1

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

In this example, we can see that four different TCP ports are open. In the first column we see the port number and protocol, in the second column the port's state, and in the third column the service usually associated with that port.


Host Discovery

Nmap provides several host discovery techniques that can be used to identify hosts on a network. Here are some of the most commonly used host discovery techniques in Nmap:

  1. Ping Scan: This technique sends an ICMP Echo Request packet to the target hosts and waits for a response. If a response is received, the host is considered to be up.

  2. TCP SYN Scan: This technique sends a TCP SYN packet to the target host and waits for a response. If a response is received, the host is considered to be up.

  3. TCP ACK Scan: This technique sends a TCP ACK packet to the target host and waits for a response. If a response is received, the host is considered to be up.

  4. UDP Scan: This technique sends a UDP packet to the target host and waits for a response. If a response is received, the host is considered to be up.

  5. ARP Scan: This technique uses the Address Resolution Protocol (ARP) to discover hosts on a local network. It sends an ARP request to the broadcast address and waits for responses from all hosts on the network.

  6. IP Protocol Scan: This technique sends IP packets with different protocols to the target host and waits for responses. If a response is received, the host is considered to be up.

Overall, Nmap provides several host discovery techniques that can be used to identify hosts on a network. By using these techniques effectively, users can gain a better understanding of the networks they are scanning and identify potential targets for further scanning and analysis.


When we need to conduct an internal penetration test for the entire network of a company, for example, then we should, first of all, get an overview of which systems are online that we can work with. To actively discover such systems on the network, we can use various Nmap host discovery options. There are many options Nmap provides to determine whether our target is alive or not. The most effective host discovery method is to use ICMP echo requests, which we will look into.


It is always recommended to store every single scan. This can later be used for comparison, documentation, and reporting. After all, different tools may produce different results. Therefore it can be beneficial to distinguish which tool produces which results.


Scan Network Range

Rpstark@securesect[/securesect]$ sudo nmap 10.129.2.0/24 -sn -oA nmap_initial_scan | grep for | cut -d" " -f5
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

Scanning Options         Description
10.129.2.0/24            Target network range.
-sn                      Disables port scanning.
-oA nmap_initial_scan    Stores the results in all formats starting with the name 'nmap_initial_scan'.

This scanning method works only if the firewalls of the hosts allow it. Otherwise, we can use other scanning techniques to find out if the hosts are active or not. We will take a closer look at these techniques in "Firewall and IDS Evasion".


Scan IP List

During an internal penetration test, it is not uncommon for us to be provided with an IP list of the hosts we need to test. Nmap also gives us the option of working with lists and reading the hosts from this list instead of manually defining or typing them in.

Such a list could look something like this:

Rpstark@securesect[/securesect]$ cat hosts.lst
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

If we use the same scanning technique on the predefined list, the command will look like this:

Rpstark@securesect[/securesect]$ sudo nmap -sn -oA nmap_initial_scan -iL hosts.lst | grep for | cut -d" " -f5
10.129.2.18
10.129.2.19
10.129.2.20

Scanning Options         Description
-sn                      Disables port scanning.
-oA nmap_initial_scan    Stores the results in all formats starting with the name 'nmap_initial_scan'.
-iL hosts.lst            Performs the defined scans against the targets listed in the provided 'hosts.lst' file.

In this example, we see that only 3 of 7 hosts are active. Remember, this may mean that the other hosts ignore the default ICMP echo requests because of their firewall configurations. Since Nmap does not receive a response, it marks those hosts as inactive.
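The sweeps above extract live hosts by cutting the fifth field of the text report, which returns the hostname instead of the IP whenever Nmap resolves a name. The following added example (not from the original post; all sample data is constructed) reads the grepable .gnmap file that -oA already writes, which keeps the IP in a fixed field, wraps the same -sn sweep for ranges, IP lists and single addresses, and compares two stored sweeps, which is the reason the post gives for storing every scan.

```shell
#!/bin/sh
# Added example (not from the original post): collect live hosts from the
# grepable file (.gnmap) that -oA writes, instead of cutting the human-readable
# report, and compare two stored sweeps. Sample data below is constructed.

# Print one live IP per line from grepable Nmap output read on stdin.
# Works whether or not a hostname was resolved, because the IP is always the
# second whitespace-separated field of a "Host:" line.
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Ping sweep (-sn) of the given targets (a range, "-iL hosts.lst", or IPs),
# stored in all formats under the prefix "$1"; prints the live IPs. Needs
# root for ARP and raw ICMP probes, so it is defined but not run here.
# Usage: ping_sweep nmap_initial_scan 10.129.2.0/24
ping_sweep() {
    prefix=$1; shift
    sudo nmap -sn -oA "$prefix" "$@" >/dev/null
    live_hosts_from_gnmap < "$prefix.gnmap"
}

# Hosts up in the second .gnmap file ($2) that were not up in the first ($1):
# useful when the same sweep is re-run later and the results are compared.
newly_seen_hosts() {
    tmp=$(mktemp)
    live_hosts_from_gnmap < "$1" | sort > "$tmp"
    live_hosts_from_gnmap < "$2" | sort | comm -13 "$tmp" -
    rm -f "$tmp"
}

# Constructed .gnmap content modelled on what a -sn scan writes; one host has
# a resolved hostname (where "cut -f5" on the text report would return it).
SAMPLE_GNMAP='# Nmap 7.80 scan initiated as: nmap -sn -oA nmap_initial_scan 10.129.2.0/24
Host: 10.129.2.4 ()     Status: Up
Host: 10.129.2.10 (srv01.example.internal)      Status: Up
Host: 10.129.2.11 ()    Status: Down
Host: 10.129.2.18 ()    Status: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 1.20 seconds'

# Parse the constructed sample; prints 10.129.2.4, 10.129.2.10, 10.129.2.18.
demo() {
    printf '%s\n' "$SAMPLE_GNMAP" | live_hosts_from_gnmap
}
```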


Scan Multiple IPs

It can also happen that we only need to scan a small part of a network. An alternative to the method we used last time is to specify multiple IP addresses.

Rpstark@securesect[/securesect]$ sudo nmap -sn -oA nmap_initial_scan 10.129.2.18 10.129.2.19 10.129.2.20 | grep for | cut -d" " -f5
10.129.2.18
10.129.2.19
10.129.2.20

If these IP addresses are next to each other, we can also define the range in the respective octet.

Rpstark@securesect[/securesect]$ sudo nmap -sn -oA nmap_initial_scan 10.129.2.18-20 | grep for | cut -d" " -f5
10.129.2.18
10.129.2.19
10.129.2.20


Scan Single IP

Before we scan a single host for open ports and its services, we first have to determine if it is alive or not. For this, we can use the same method as before.

Rpstark@securesect[/securesect]$ sudo nmap 10.129.2.18 -sn -oA host 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 23:59 CEST
Nmap scan report for 10.129.2.18
Host is up (0.087s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Scanning Options   Description
10.129.2.18        Performs the defined scans against the target.
-sn                Disables port scanning.
-oA host           Stores the results in all formats starting with the name 'host'.

If we disable the port scan (-sn), Nmap performs a ping scan, which by default uses ICMP Echo Requests (-PE). Once such a request is sent, we usually expect an ICMP Echo Reply if the pinged host is alive. The more interesting fact is that our previous scans did not actually do that: because the target is on the local network, Nmap sends an ARP ping before it would send an ICMP echo request, and the ARP reply alone is enough to mark the host as alive. We can confirm this with the "--packet-trace" option. To ensure that ICMP echo requests are sent, we also define the option (-PE) explicitly.

Rpstark@securesect[/securesect]$ sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:08 CEST
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Nmap scan report for 10.129.2.18
Host is up (0.023s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Scanning Options   Description
10.129.2.18        Performs the defined scans against the target.
-sn                Disables port scanning.
-oA host           Stores the results in all formats starting with the name 'host'.
-PE                Performs the ping scan by using 'ICMP Echo requests' against the target.
--packet-trace     Shows all packets sent and received.

Another way to determine why Nmap has our target marked as "alive" is with the "--reason" option.

Rpstark@securesect[/securesect]$ sudo nmap 10.129.2.18 -sn -oA host -PE --reason 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:10 CEST
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Nmap scan report for 10.129.2.18
Host is up, received arp-response (0.028s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

Scanning Options   Description
10.129.2.18        Performs the defined scans against the target.
-sn                Disables port scanning.
-oA host           Stores the results in all formats starting with the name 'host'.
-PE                Performs the ping scan by using 'ICMP Echo requests' against the target.
--packet-trace     Shows all packets sent and received.
--reason           Displays the reason for a specific result.

We see here that Nmap does indeed detect whether the host is alive or not through the ARP request and ARP reply alone. To disable ARP requests and scan our target with the desired ICMP echo requests, we set the "--disable-arp-ping" option. Then we can scan our target again and look at the packets sent and received.

Rpstark@securesect[/securesect]$ sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:12 CEST
SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
Nmap scan report for 10.129.2.18
Host is up (0.086s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
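The --packet-trace output above records not only that the host answered but how (ARP reply versus ICMP echo reply) and, for ICMP, the IP TTL of the reply (ttl=128 here). The following added example (not from the original post; the trace lines it parses are the ones shown above plus one constructed Linux-style reply) summarises such a trace and maps the reply TTL to a likely initial TTL. The 64/128/255 mapping is a common heuristic, not an OS fingerprint, so treat it as a hint and use Nmap's -O for real OS detection.

```shell
#!/bin/sh
# Added example (not from the original post): turn "--packet-trace" RCVD lines
# into a one-line summary per reply: which host answered, which probe it
# answered, and the observed IP TTL with a likely initial-TTL guess.

# Map an observed IP TTL to the likely initial TTL and OS family. Heuristic:
# Linux/Unix-like hosts start at 64, Windows at 128, network gear at 255.
ttl_family() {
    if [ "$1" -le 64 ]; then echo "64 (Linux/Unix-like)"
    elif [ "$1" -le 128 ]; then echo "128 (Windows)"
    else echo "255 (network device / BSD-style)"
    fi
}

# Read --packet-trace output on stdin; print one line per reply received.
# ARP replies carry no IP header, so no TTL is available for them: that is
# exactly why the post switches to --disable-arp-ping to force ICMP.
summarize_replies() {
    while IFS= read -r line; do
        case $line in
            "RCVD "*"ARP reply "*)
                ip=$(printf '%s' "$line" | sed 's/.*ARP reply \([0-9.]*\) is-at.*/\1/')
                echo "$ip arp-reply ttl=none (local segment, answered at layer 2)"
                ;;
            "RCVD "*"Echo reply"*)
                ip=$(printf '%s' "$line" | sed 's/.*ICMP \[\([0-9.]*\) >.*/\1/')
                ttl=$(printf '%s' "$line" | sed 's/.*ttl=\([0-9]*\).*/\1/')
                echo "$ip echo-reply ttl=$ttl likely-initial=$(ttl_family "$ttl")"
                ;;
        esac
    done
}

# Constructed trace: the ARP and ICMP lines from the post's scans plus one
# extra reply from a constructed host 10.129.2.19 with a Linux-style TTL.
SAMPLE_TRACE='SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
RCVD (0.0201s) ICMP [10.129.2.19 > 10.10.14.2 Echo reply (type=0/code=0) id=13608 seq=0] IP [ttl=64 id=1 iplen=28 ]'

# Summarise the constructed trace (three reply lines, no lines for SENT).
demo() {
    printf '%s\n' "$SAMPLE_TRACE" | summarize_replies
}
```

Real traces are fed the same way, e.g. sudo nmap 10.129.2.18 -sn -PE --packet-trace | summarize_replies.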

An ICMP echo request can help us determine if our target is alive and gives a first hint about its operating system. More strategies about host discovery can be found at:


For the Second Part: Network Enumeration with Nmap-Part 2: Host and Port Scanning. Please refer to below link:


Please follow us!

We respect your knowledge and ideas. Please feel free to contact us at securesect@outlook.com. Our team stands ready to make corrections and enhancements.


Rohit Panoria

Security Researcher and Consultant

