
2. Nmap Host Discovery - Complete Nmap beginners guide



Welcome to the second part of the Complete Nmap beginners guide. This post is on Host Discovery. One of the most important parts of any reconnaissance is knowing your targets, and that is where host discovery comes in.


  • -sL (list scan) - The list scan is a form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. The list scan is a good sanity check to ensure that you have the proper IP addresses for your targets. If the hosts sport domain names you do not recognize, it is worth investigating further to prevent scanning the wrong company's network.

  • -sn (no port scan, also called ping scan) - This option tells Nmap not to do a port scan after host discovery, and to print only the available hosts that responded to the host discovery probes. Systems administrators often find this option valuable as well; it can easily be used to count the number of hosts in a network.

  • -PS<port list> (TCP SYN Ping) - This option sends an empty TCP packet with the SYN flag set. The default port is 80.

With a port range such as -PS1-100, Nmap sends that empty SYN packet to each of ports 1 to 100.

  • -PA<port list> (TCP ACK Ping) - The TCP ACK ping is quite similar to the just-discussed SYN ping. The difference, as you could likely guess, is that the TCP ACK flag is set instead of the SYN flag. The default port is 80.

With a port range such as -PA1-100, Nmap sends that empty ACK packet to each of ports 1 to 100.


  • -PU<port list> (UDP Ping) - Another host discovery option is the UDP ping, which sends a UDP packet to the given port. The default port is 40125. A highly uncommon port is used because sending to an open port is often undesirable for this particular scan type: a closed port answers with an ICMP port unreachable message, which reveals that the host is up, whereas an open port often answers nothing at all. The primary advantage of this scan type is that it bypasses firewalls that only filter TCP.

  • -PE (ICMP Echo Ping) - In addition to the TCP and UDP host discovery types discussed above, Nmap can send the standard packets sent by the ping program. Nmap sends an ICMP echo request packet to each target IP address, expecting an echo reply in return from available hosts. On its own it is usually not recommended, because most firewalls block it.

  • Nmap can also trace the route to each target by adding the --traceroute option.


Speeding Up the Scan

Nmap scans usually take time and can be quite slow. Various techniques are used to cut that time, and one of them is telling Nmap not to do DNS resolution.

What is DNS resolution?

Each web server (and indeed any host connected to the internet) has a unique IP address in numerical form (in this case, 207.142.131.248). Translating a host name to its IP address is a process known as DNS resolution or DNS lookup; here DNS stands for Domain Name Service. Nmap performs the reverse of this: for each IP address it finds, it looks up the corresponding host name.

  • -n (no DNS resolution) - This option tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.
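As an added example (not code from the original post), here is how the -sn host count mentioned above and the -n option fit together in practice: a ping scan with reverse DNS disabled, written to Nmap's greppable output (-oG -), and a small parser that counts the hosts reported as Up. The parser is shown against a constructed sample of -oG output, so it runs without a network; live_host_count is a hypothetical helper that runs the real scan and requires nmap to be installed.

```shell
# Added example, not from the original post. Counts live hosts from the
# greppable output of: nmap -sn -n -oG - <targets>

# Constructed sample of `nmap -sn -n -oG -` output (not a real scan).
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sn -n -oG - 192.0.2.0/29
Host: 192.0.2.1 ()  Status: Up
Host: 192.0.2.2 ()  Status: Up
Host: 192.0.2.5 ()  Status: Up
# Nmap done at Mon Jan  1 00:00:00 2024 -- 8 IP addresses (3 hosts up) scanned in 1.23 seconds'

# Print the address of every host Nmap reported as Up, one per line.
# Greppable "Host:" lines look like: Host: <ip> (<name>)  Status: Up
up_hosts() {
    printf '%s\n' "$1" | awk '$1 == "Host:" && $NF == "Up" { print $2 }'
}

# Count the hosts that are up.
count_up() {
    up_hosts "$1" | wc -l | tr -d ' '
}

# Hypothetical helper: run the real ping scan (no port scan, no reverse DNS)
# against a target spec such as a CIDR range and count the live hosts.
live_host_count() {
    count_up "$(nmap -sn -n -oG - "$1")"
}
```

Run it as `live_host_count 192.0.2.0/24` (assumption: a target range you are authorized to scan) to get the same count that the "hosts up" summary line reports, with the individual addresses available from up_hosts.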

So, this was host discovery in Nmap. Hope you have learned a lot; in the next post, we'll look at the various port scanning techniques.
