
nmap for network discovery

Do you know what is running on your network?

Nmap - Basics
Network MAPper is an open source tool for network exploration. Security-conscious people use it for security audits as well. Mainly used for network inventory, monitoring hosts and more.

Nmap Basics cont.

Which means you can find out:
- Which computers or hosts are up and running.
- What operating systems they are running. This includes the version of the OS as well.
- What services they are running, or in other words which ports are in listening mode. It can detect service versions as well.
- What type of packet filters or firewalls are in use.

What is Host Discovery?

Before you can do any kind of inventory or even a security audit you need to know what is running on the network. Host discovery is the set of commands you can run with nmap to automate this job. Basic commands to try:
nmap -PR 172.16.1.0/24
nmap -sL 172.16.1.0/24 // Kind of redundant.
nmap -sP 172.16.1.0/24
Add -n to speed it up (no DNS resolution); -R does the opposite and resolves every host.

Anatomy of a nmap command

nmap -A mybigserver -p 21,22,23,80,443
- Start with the type of scan: -A will do OS detection and version detection.
- mybigserver is a host name. It can be an IP or a network address with a mask. For example:
  192.168.1.1 is the same as 192.168.1.1/32
  192.168.1.0/24 // Scan a class C IP network
- With -p we can specify the exact ports to scan.

So let's do host discovery

If you don't pass any host discovery options, nmap does the following:
- A TCP ACK packet to port 80
- An ICMP echo request
- If the host is in the local network, an ARP scan is done.
So -PA and -PE are always executed unless explicitly

So let's do host discovery

List Scan
This will simply list all the hosts in the network. It will try to do a reverse DNS lookup for each host.
nmap -sL 172.16.1.1-254

No packets are sent to the target hosts, so this type of scan is not going to raise any alarms. Since this scan isn't actually interacting with the target host, there is no point in adding other scan options.

Host Discovery | Ping Scan

nmap -sP 192.168.1.1-254
Also called a ping sweep. This is useful for finding out the actual number of hosts running on a network. An ICMP echo request and a TCP ACK packet to port 80 are sent. On a local Ethernet, ARP requests are sent. Fails when there are firewalls or packet-filtering software that drop either the probes or the responses.

Host Discovery | No pings and ports

nmap -PN secrethost
Don't send any ICMP packets to targets (the option is spelled -Pn in current nmap releases; -PN is still accepted). The downside is that if you specify a network range, nmap will continue to scan each and every host regardless of whether it was running or not.

-PR ARP Ping
Send ARP packets on an internal network. ARP scans are more reliable than IP-based scans.

A little more Host Discovery

- Use --traceroute to trace a path to the host.
- Use --reason to see the exact packet that was received (or not) by nmap. This is the clever bit that nmap uses to figure out whether a particular port is listening or not.
- Use -n to skip DNS resolution.
- Use --dns-servers to specify your own DNS servers instead of the system DNS.

So What's Next?
Depends on you. Host Discovery is a common thing that all three types of nmap users do.
- Network Admins: to do network inventory
- Security Auditors: to see what exactly is listening in the network and what versions
- Script Kiddies: to scan the hell out of hosts that are up and running.
- L33t hack0rz: to learn how to learn more about the network you want to pwn without raising any alarms.

So What's Next? Cont..

Depending on which user you are, you might want to do the following:
- Make your scans faster
- Avoid detection by Firewalls/IDS/IPS systems
- Use decoy IPs to hide your tracks
- Use ndiff to see what has changed in your network.
- Learn all the different types of port scans and when to use which. (Best reference: man nmap)
</gre_replace>
<gr_insert after="71" cat="add_content" lang="shell" orig="Make your scans faster">
The ping sweep and the "use ndiff to see what has changed" bullet are the inventory side of nmap. The script below is an added example, not from the slides or the nmap project: it parses nmap's greppable output format (-oG), counts the hosts reported up, diffs two sweeps the way a defender would compare yesterday's inventory against today's (a small stand-in for ndiff), and lists the open ports of one host from a service scan. The three snapshots are constructed samples in the -oG format, embedded so the script runs offline; a real snapshot comes from a command such as nmap -sP -n -oG baseline.gnmap 192.168.1.0/24.

```shell
#!/bin/sh
# Added example: build a live-host inventory from nmap -oG snapshots,
# diff two sweeps and list open ports. Snapshots below are constructed.
LC_ALL=C; export LC_ALL   # deterministic sort/comm ordering

# Constructed sample: yesterday's ping sweep (nmap -sP -n -oG -).
BASELINE='# Nmap 7.94 scan initiated as: nmap -sP -n -oG - 192.168.1.0/24
Host: 192.168.1.1 ()    Status: Up
Host: 192.168.1.10 ()   Status: Up
Host: 192.168.1.23 ()   Status: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 2.51 seconds'

# Constructed sample: today's ping sweep (one host gone, one new).
TODAY='# Nmap 7.94 scan initiated as: nmap -sP -n -oG - 192.168.1.0/24
Host: 192.168.1.1 ()    Status: Up
Host: 192.168.1.10 ()   Status: Down
Host: 192.168.1.77 ()   Status: Up
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 2.51 seconds'

# Constructed sample: a version scan of the new host (nmap -sV -p 21,22,80 -oG -).
PORTSCAN='# Nmap 7.94 scan initiated as: nmap -sV -n -p 21,22,80 -oG - 192.168.1.77
Host: 192.168.1.77 ()   Ports: 21/closed/tcp//ftp///, 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18/
# Nmap done -- 1 IP address (1 host up) scanned in 6.02 seconds'

# live_hosts SNAPSHOT: IPs reported "Status: Up", sorted, one per line.
live_hosts() {
    printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }' | sort
}

# count_up SNAPSHOT: the actual number of hosts up, as the ping-sweep slide puts it.
count_up() {
    live_hosts "$1" | wc -l | tr -d ' '
}

# diff_hosts OLD NEW: "+ip" for hosts that appeared, "-ip" for hosts that vanished.
diff_hosts() {
    old=$(mktemp) && new=$(mktemp)
    live_hosts "$1" > "$old"
    live_hosts "$2" > "$new"
    comm -13 "$old" "$new" | sed 's/^/+/'   # only in NEW
    comm -23 "$old" "$new" | sed 's/^/-/'   # only in OLD
    rm -f "$old" "$new"
}

# open_ports SNAPSHOT IP: "port/proto service version" for each open port of IP.
open_ports() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^Host:/ && $2 == ip && /Ports:/ {
            sub(/.*Ports: /, "")               # keep only the port list
            sub(/[ \t]+Ignored State:.*/, "")  # drop the trailing summary if present
            n = split($0, entry, ", ")
            for (i = 1; i <= n; i++) {
                # each entry: port/state/proto/owner/service/rpc/version/
                split(entry[i], f, "/")
                if (f[2] == "open") print f[1] "/" f[3] " " f[5] " " f[7]
            }
        }'
}

# Stand-alone run: a short change report.
echo "hosts up today: $(count_up "$TODAY")"
diff_hosts "$BASELINE" "$TODAY"
open_ports "$PORTSCAN" 192.168.1.77
```

Keep the -oG files from each sweep and run diff_hosts against the previous one; a host that appears without a change ticket, or a port that opens on a known host, is the event worth following up. For real work with full port and service detail, ndiff on the XML output (-oX) gives the same comparison with less parsing.
<test>
set -e
[ "$(count_up "$BASELINE")" = "2" ] || exit 1
[ "$(count_up "$TODAY")" = "2" ] || exit 1
[ "$(diff_hosts "$BASELINE" "$TODAY")" = "$(printf '+192.168.1.77\n-192.168.1.10')" ] || exit 1
[ "$(open_ports "$PORTSCAN" 192.168.1.77)" = "$(printf '22/tcp ssh OpenSSH 8.9p1\n80/tcp http nginx 1.18')" ] || exit 1
[ -z "$(open_ports "$PORTSCAN" 192.168.1.1)" ] || exit 1
</test>
</gr_insert>
<gr_replace lines="73-77" cat="clarify" orig="Things I didnt cover">
Things I didn't cover

- Nmap Scripting Engine (NSE)
- OS detection theory
- Timing and Performance
- Evading Firewalls / Spoofing
- Reporting
By default you can get three types of reports. Some NSE scripts add functionality to save the output to databases as well.

Things I didnt cover


Nmap Scripting Engine NSE OS detection theory Timing and Performance Evading Firewalls / Spoofing Reporting
By default you can get three types of reports. Some NSE script add functionality to save the output to databases as well.

Nmap - Awesome Tool

Hope you know a little more about using nmap. Happy Scanning <evil grin>
nmap -v -iR 100000 -PN -p 22

Read man nmap. This entire presentation is from there. Buy the book: NMAP Network Scanning by Gordon "Fyodor" Lyon
