Discovery Options - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)

Section 3: Discovery Options

Overview

Before port scanning a target, Nmap will attempt to send ICMP echo requests to see if the host is “alive.” This can save time when scanning multiple hosts as Nmap will not waste time attempting to probe hosts that are not online. Because ICMP requests are often blocked by firewalls, Nmap will also check TCP ports 80 and 443 since these common web server ports are often open (even if ICMP is not).

The default discovery options aren’t always useful when scanning secured systems. The following section describes alternative methods for host discovery that allow you to perform custom discovery pings when looking for available targets.

Summary of features covered in this section:

Option               Feature
-Pn (formerly -PN)   Don't Ping
-sn (formerly -sP)   Perform a Ping Only Scan
-PS                  TCP SYN Ping
-PA                  TCP ACK Ping
-PU                  UDP Ping
-PE                  ICMP Echo Ping
-PP                  ICMP Timestamp Ping
-PM                  ICMP Address Mask Ping
-PO                  IP Protocol Ping
-PR                  ARP Ping
--traceroute         Traceroute
-n                   Disable Reverse DNS Resolution
--system-dns         Alternative DNS Lookup
--dns-servers        Manually Specify DNS Server(s)
-sL                  Create a Host List

Don’t Ping

By default, before Nmap attempts to scan a system for open ports it will first ping the target to see if it is online. This feature helps save time when scanning as it causes targets that do not respond to be skipped.

$ nmap 10.10.5.139

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 10:06 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds

Results of an Nmap scan where the target system is not pingable

In the above example the specified target is not scanned because it does not respond to Nmap’s pings. The -Pn option instructs Nmap to skip the default discovery check and perform a complete port scan on the target. This is useful when scanning systems that are protected by a firewall that blocks ping probes.

Usage syntax: nmap -Pn [target]

$ nmap -Pn 10.10.5.139

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 10:07 CST
Nmap scan report for 10.10.5.139
Host is up (0.0020s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
5800/tcp open  vnc-http
5900/tcp open  vnc
Nmap done: 1 IP address (1 host up) scanned in 4.90 seconds

Output of an Nmap scan with ping discovery disabled

By specifying the -Pn option on the same target, Nmap is able to produce a list of open ports on the un-pingable system.

Note: The -Pn option was -PN in Nmap version 5 and earlier. It was renamed for consistency.

Ping Only Scan

The -sn option is used to perform a simple ping of the specified target (without scanning any ports).

Usage syntax: nmap -sn [target]

$ nmap -sn 192.168.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 20:12 CST
Nmap scan report for 192.168.1.1
Host is up (0.0017s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0011s latency).
Nmap scan report for 192.168.1.100
Host is up (0.0020s latency).
Nmap scan report for 192.168.1.101
Host is up (0.010s latency).
Nmap scan report for 192.168.1.105
Host is up (0.0011s latency).
Nmap scan report for 192.168.1.109
Host is up (0.0011s latency).
Nmap scan report for 192.168.1.111
Host is up (0.000066s latency).
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.32 seconds

Output of a ping only scan

The -sn option is useful when you want to perform a quick search of the target network to see which hosts are online without actually scanning the systems for open ports. In the above example, all valid addresses in the 192.168.1.0/24 subnet are pinged and results from responding hosts are displayed.

When scanning a local network, you can execute Nmap with root privileges for additional ping functionality. When doing this, the -sn option will perform an ARP ping and return the MAC addresses of the discovered system(s).

Note: This is the default behavior on Windows systems.

$ sudo nmap -sn 192.168.1.0/24
[sudo] password for nick: ******

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 20:14 CST
Nmap scan report for 192.168.1.1
Host is up (0.00075s latency).
MAC Address: 6C:70:9F:D6:2D:94 (Apple)
[...]
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.80 seconds

Output of a ping only scan (as root)

Note: The -sn option was -sP in Nmap version 5 and earlier. It was renamed for consistency.
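The host list from a -sn sweep is usually the input to whatever comes next, so here is an added example (not from the book) that turns the normal -sn output shown above into a CSV inventory with a POSIX shell function and awk. The sample output is constructed in the same format; hosts with no "MAC Address:" line (an unprivileged scan, or the scanning machine itself in a root scan) get empty MAC and vendor fields.

```shell
#!/bin/sh
# Added example (not from the book): convert `nmap -sn` normal output into
# a CSV inventory: ip,latency,mac,vendor. Handles both the unprivileged
# output (no MAC lines) and the root/ARP output, where the scanning host
# itself and any host without an ARP reply carry no "MAC Address:" line.

# Constructed sample output in the format shown in the section above.
SAMPLE_SN_OUTPUT='Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 20:14 CST
Nmap scan report for 192.168.1.1
Host is up (0.00075s latency).
MAC Address: 6C:70:9F:D6:2D:94 (Apple)
Nmap scan report for 192.168.1.5
Host is up (0.0011s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for 192.168.1.111
Host is up (0.000066s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 1.80 seconds'

# sn_inventory: read nmap -sn output on stdin, print one CSV row per live host.
sn_inventory() {
    awk '
        # flush(): emit the pending host; mac/vendor stay blank if none was seen
        function flush() {
            if (ip != "") printf "%s,%s,%s,%s\n", ip, lat, mac, vendor
            ip = ""; lat = ""; mac = ""; vendor = ""
        }
        # last field is either the bare IP or "(IP)" after a resolved name
        /^Nmap scan report for / { flush(); ip = $NF; sub(/^\(/, "", ip); sub(/\)$/, "", ip) }
        /^Host is up/ { lat = $4; sub(/^\(/, "", lat) }
        /^MAC Address: / {
            mac = $3
            vendor = $0; sub(/^MAC Address: [^ ]+ \(/, "", vendor); sub(/\)$/, "", vendor)
        }
        END { flush() }
    '
}

# sn_count_hosts: number of live hosts in the output on stdin
sn_count_hosts() {
    sn_inventory | wc -l | tr -d ' '
}
```

For anything beyond a quick one-off, Nmap's -oG (grepable) output is a more stable format to parse than the normal output.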

TCP SYN Ping

The -PS option performs a TCP SYN ping.

Usage syntax: nmap -PS[port1,port2,etc] [target]

# nmap -PS 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:14 CST
Nmap scan report for 10.10.3.1
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

Performing a TCP SYN ping

The -PS option sends a SYN packet to the target system and listens for a response. A SYN packet is the first part of what's known as the TCP three-way handshake. Any system with an open or unfiltered TCP port will respond to this type of probe. This alternative discovery method is useful for systems that are configured to block standard ICMP pings.

Note: The default port for -PS is 80, but others can be specified using the following syntax: nmap -PS22,25,80,443,etc. This can be useful for trying to solicit a response from a system that is filtering port 80.

TCP ACK Ping

The -PA option performs a TCP ACK ping on the specified target.

Usage syntax: nmap -PA[port1,port2,etc] [target]

$ nmap -PA 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:15 CST
Nmap scan report for 10.10.3.1
Host is up (0.055s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds

Performing a TCP ACK ping

The -PA option causes Nmap to send TCP ACK packets to the specified hosts. This method attempts to discover hosts by appearing to respond to TCP connections that don’t actually exist in an attempt to solicit a response from the target. Like other ping options, it is useful in situations where standard ICMP pings are blocked.

Note: The default port for -PA is 80, but others can be specified using the following syntax: nmap -PA22,25,80,443,etc.

UDP Ping

The -PU option performs a UDP ping on the target system.

Usage syntax: nmap -PU[port1,port2,etc] [target]

# nmap -PU 10.10.4.59

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:18 CST
Nmap scan report for 10.10.4.59
Host is up (0.0023s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
161/tcp  open  snmp
515/tcp  open  printer
9100/tcp open  jetdirect
9200/tcp open  wap-wsp
Nmap done: 1 IP address (1 host up) scanned in 13.98 seconds

Performing a UDP ping

This discovery method sends UDP packets in an attempt to solicit a response from a target. While most firewalled systems will block this type of connection, some poorly configured systems may allow it if they are only configured to filter TCP connections.

Note: The default port for -PU is 40125. Others can be specified by using the following syntax: nmap -PU22,25,80,443,etc.

ICMP Echo Ping

The -PE option performs an ICMP (Internet Control Message Protocol) echo ping on the specified system.

Usage syntax: nmap -PE [target]

# nmap -PE 10.10.4.59

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:23 CST
Nmap scan report for 10.10.4.59
Host is up (0.0028s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
161/tcp  open  snmp
515/tcp  open  printer
9100/tcp open  jetdirect
9200/tcp open  wap-wsp
Nmap done: 1 IP address (1 host up) scanned in 3.53 seconds

Performing an ICMP echo ping

The -PE option sends a standard ICMP ping to the target to see if it replies. This type of discovery works best on local networks where ICMP packets can be transmitted with few restrictions. Many internet hosts, however, are configured not to respond to ICMP packets for security reasons.

Note: The -PE option is automatically implied if no other ping options are specified.

ICMP Timestamp Ping

The -PP option performs an ICMP timestamp ping.

Usage syntax: nmap -PP [target]

# nmap -PP 10.10.4.59

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:24 CST
Nmap scan report for 10.10.4.59
Host is up (0.0029s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
161/tcp  open  snmp
515/tcp  open  printer
9100/tcp open  jetdirect
9200/tcp open  wap-wsp
Nmap done: 1 IP address (1 host up) scanned in 3.50 seconds

Performing an ICMP timestamp ping

While most firewalled systems are configured to block ICMP echo requests, some improperly configured systems may still reply to ICMP timestamp requests. This makes the -PP option useful when attempting to solicit responses from firewalled targets.

ICMP Address Mask Ping

The -PM option performs an ICMP address mask ping.

Usage syntax: nmap -PM [target]

# nmap -PM 10.10.4.59

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:25 CST
Nmap scan report for 10.10.4.59
Host is up (0.0036s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
161/tcp  open  snmp
515/tcp  open  printer
9100/tcp open  jetdirect
9200/tcp open  wap-wsp
Nmap done: 1 IP address (1 host up) scanned in 3.52 seconds

Performing an ICMP address mask ping

This unconventional ICMP query (similar to the -PP option) sends an ICMP address mask request instead of a standard echo request. This type of ping can occasionally sneak past a firewall that is configured to only block standard echo requests.
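Seen from the target's side, the three ICMP probe options above (-PE, -PP and -PM) differ only in ICMP type: 8 (echo request), 13 (timestamp request) and 17 (address mask request). The added example below (not from the book) summarises which of these a host is receiving, using lines in the iptables LOG format; the log lines and addresses are constructed and the FW-IN log prefix is an assumed setting.

```shell
#!/bin/sh
# Added example (not from the book): count which ICMP discovery probes a
# host receives, from iptables LOG lines. ICMP types map to the Nmap
# options in this section: 8 = echo request (-PE), 13 = timestamp request
# (-PP), 17 = address mask request (-PM).

# Constructed sample lines in iptables LOG format (addresses are made up;
# "FW-IN:" is an assumed --log-prefix).
SAMPLE_FW_LOG='Jan 14 15:23:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=10.10.3.7 DST=10.10.4.59 LEN=28 PROTO=ICMP TYPE=8 CODE=0
Jan 14 15:24:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=10.10.3.7 DST=10.10.4.59 LEN=40 PROTO=ICMP TYPE=13 CODE=0
Jan 14 15:25:03 gw kernel: FW-IN: IN=eth0 OUT= SRC=10.10.3.7 DST=10.10.4.59 LEN=32 PROTO=ICMP TYPE=17 CODE=0
Jan 14 15:25:04 gw kernel: FW-IN: IN=eth0 OUT= SRC=10.10.3.9 DST=10.10.4.59 LEN=28 PROTO=ICMP TYPE=8 CODE=0
Jan 14 15:25:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=10.10.3.9 DST=10.10.4.59 LEN=44 PROTO=TCP SPT=40001 DPT=80 SYN'

# icmp_probe_summary: read log lines on stdin, print "src probe-name count"
# for each ICMP discovery probe type, sorted by source and probe name.
icmp_probe_summary() {
    awk '
        BEGIN { name[8] = "echo"; name[13] = "timestamp"; name[17] = "addrmask" }
        /PROTO=ICMP/ {
            src = ""; type = ""
            # fields are KEY=VALUE tokens; pick out SRC and TYPE
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^TYPE=/) type = substr($i, 6)
            }
            if (type in name) count[src " " name[type]]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# unconventional_icmp_sources: sources that sent timestamp or address mask
# requests. Ordinary hosts almost never send these, so each one is worth
# a closer look even when echo requests alone would be unremarkable.
unconventional_icmp_sources() {
    icmp_probe_summary | awk '$2 == "timestamp" || $2 == "addrmask" { print $1 }' | sort -u
}
```

Run it against a real log with something like `grep FW-IN /var/log/kern.log | unconventional_icmp_sources` once the prefix matches your own LOG rule.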

IP Protocol Ping

The -PO option performs an IP protocol ping.

Usage syntax: nmap -PO[protocol1,protocol2,etc] [target]

# nmap -PO1 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 10:28 CST
Nmap scan report for 10.10.3.1
Host is up (0.14s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 17.74 seconds

Performing an IP protocol ping

An IP protocol ping sends packets with the specified protocol to the target. If no protocols are specified, the default protocols 1 (ICMP), 2 (IGMP), and 4 (IP) are used. To ping using a custom set of protocols, use nmap -PO1,2,4,etc. This type of ping can sometimes get a target to respond with ICMP unreachable messages if the type of protocol used is not supported.

Note: A complete list of Internet Protocol numbers can be found online at iana.org/assignments/protocol-numbers.

ARP Ping

The -PR option instructs Nmap to perform an ARP (Address Resolution Protocol) ping on the specified target.

Usage syntax: nmap -PR [target]

# nmap -PR 10.10.4.59

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:31 CST
Nmap scan report for 10.10.4.59
Host is up (0.0077s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
161/tcp  open  snmp
515/tcp  open  printer
9100/tcp open  jetdirect
9200/tcp open  wap-wsp
MAC Address: 00:10:40:57:80:17 (Intermec)
Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds

Performing an ARP ping

The -PR option is automatically implied when scanning the local network with root access. This type of discovery is much faster than the other ping methods described in this guide. It also has the added benefit of being more accurate because LAN hosts can’t block ARP requests (even if they are running a firewall), since ARP is an essential feature of Ethernet networks. As shown above, the ARP ping will also display the MAC address of the target system.

Note: ARP scans cannot be performed on targets that are not on your local subnet. On Linux systems you must use root privileges for ARP scans to work properly. The -PR option is technically redundant because it is the default type of ping on LANs. Interestingly, Nmap will silently override all other discovery options when scanning the local network. If you really want to experiment with the other discovery options on a LAN you must use the --disable-arp-ping option.

Traceroute

The --traceroute parameter can be used to trace the network path to the specified host.

Usage syntax: nmap --traceroute [target]

# nmap --traceroute scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 20:47 CST
[...]
TRACEROUTE (using port 587/tcp)
HOP RTT      ADDRESS
1   5.00 ms  192.168.1.1
2   14.00 ms 10.33.112.1
3   14.00 ms 70.183.70.198
4   25.00 ms 70.183.71.104
5   24.00 ms 70.183.71.104
6   43.00 ms wichsysr02.rd.ks.cox.net (70.183.71.8)
7   54.00 ms 68.1.2.109
8   39.00 ms v209.core1.dal1.he.net (184.105.16.77)
9   91.00 ms 10ge9-1.core3.fmt2.he.net (72.52.92.153)
10  85.00 ms router4-fmt.linode.com (64.71.132.138)
11  82.00 ms scanme.nmap.org (74.207.244.221)
Nmap done: 1 IP address (1 host up) scanned in 6.07 seconds

Output of a traceroute scan

The --traceroute option performs a trace of routes used to reach the specified target. Each router or "HOP" along the way is displayed along with the round trip time (RTT). Nmap will also attempt to perform a reverse DNS lookup and display any responses, which can reveal interesting information about the routers between you and the destination.

The information displayed is similar to what the traceroute or tracepath commands on Unix and Linux systems (tracert on Windows) produce. Nmap's tracing has the added bonus of being generally much faster and more accurate than these other route tracing programs.

Disable Reverse DNS Resolution

The -n parameter is used to disable reverse DNS lookups.

Usage syntax: nmap -n [target]

$ nmap -n 74.207.244.221

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 09:36 CST
Nmap scan report for 74.207.244.221
Host is up (0.059s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo
Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds

Output of an Nmap scan with reverse DNS disabled

Reverse DNS can significantly slow the performance of an Nmap scan. Using the -n option can greatly reduce scanning times, especially when scanning a large number of hosts. This option is useful if you don’t need the DNS information for the target systems and want the scan to finish faster. In the example above, the -n option prevents Nmap from attempting to resolve the specified IP address.

Alternative DNS Lookup Method

The --system-dns option instructs Nmap to use the host system’s DNS resolver instead of its own internal method.

Usage syntax: nmap --system-dns [target]

# nmap --system-dns scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-21 15:07 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.12s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo
Nmap done: 1 IP address (1 host up) scanned in 5.79 seconds

Output of an Nmap scan using the system DNS resolver

This option is rarely used because it is much slower than the default method. It can, however, be useful when troubleshooting DNS problems with Nmap.

Note: The system resolver is always used for IPv6 scans.

Manually Specify DNS Server(s)

The --dns-servers option is used to manually specify DNS servers to be queried when scanning.

Usage syntax: nmap --dns-servers [server1,server2,etc] [target]

# nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-21 15:08 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.43s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo
Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds

Manually specifying DNS servers

Nmap’s default behavior will use the DNS servers configured on your local system for name resolution. The --dns-servers option allows you to specify one or more alternative servers for Nmap to query. This can be useful for systems that do not have DNS configured or if you want to prevent your scan lookups from appearing in your locally configured DNS server’s log file.

Create a Host List

The -sL option performs a reverse DNS lookup of the specified IP addresses.

Usage syntax: nmap -sL [target]

$ nmap -sL 8.8.4.4 8.8.8.8 74.207.244.221

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 10:47 CST
Nmap scan report for google-public-dns-b.google.com (8.8.4.4)
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Nmap scan report for scanme.nmap.org (74.207.244.221)
Nmap done: 3 IP addresses (0 hosts up) scanned in 0.00 seconds

Output of a host list generated by Nmap

The -sL scan does not send any packets to the target systems. Instead, it performs a reverse DNS lookup of the specified IP addresses. The above scan shows the results of the reverse lookup for the specified systems. Many DNS names can reveal interesting information about an IP address, including what it’s used for or where it is located.