Perform Advanced Host Discovery in Nmap


Introduction

In this lab, you will learn to perform advanced host discovery using Nmap. Host discovery is the process of identifying active devices on a network. This is a crucial first step in network reconnaissance, helping you understand the network's layout and identify potential targets for further analysis.

You'll explore various Nmap techniques, including:

  • TCP Ping Scan (-PS): Sending TCP SYN packets to specific ports to determine if a host is online and if those ports are open.
  • UDP Ping Scan (-PU): Sending UDP packets to specific ports, often used when TCP pings are blocked, to infer host status based on responses or lack thereof.
  • Skipping Ping Scan (-Pn): Bypassing Nmap's default host discovery phase, forcing it to assume all target hosts are online and proceed directly to port scanning.
  • Combining Techniques: Leveraging multiple discovery methods to increase the reliability of host detection, especially in complex network environments with firewalls.
  • Saving and Analyzing Results: Storing Nmap output to a file for later review and using basic Linux commands to extract valuable information from the scan results.

Throughout the lab, you'll execute commands like nmap -PS2222,8080 127.0.0.1 for TCP ping scans, nmap -PU5353 127.0.0.1 for UDP ping, and nmap -Pn -oN hosts.txt 127.0.0.1 to save results. These hands-on exercises will enhance your understanding of Nmap's host discovery capabilities and prepare you for real-world network reconnaissance tasks.

Use TCP Ping on Specific Ports with nmap -PS

In this step, you will learn how to use Nmap to perform a TCP ping scan on specific ports of a target host. This technique is useful for determining if a host is online and if specific services are running on those ports, especially when traditional ICMP pings are blocked by firewalls.

Understanding TCP Ping:
Unlike a traditional ICMP ping, a TCP ping sends a TCP SYN packet to a specified port on the target host.

  • If the port is open, the target host will typically respond with a SYN/ACK packet.
  • If the port is closed, the target host will usually respond with a RST packet.
  • If the port is filtered (e.g., by a firewall), there might be no response at all.

Nmap uses these responses (or lack thereof) to determine if a host is online and the state of the specified ports. The -PS option in Nmap is used to perform a TCP SYN ping scan. You can specify one or more ports to scan using a comma-separated list.

For this lab, the setup script has configured several services on your local machine (127.0.0.1). We will target the SSH service running on port 2222 and the Nginx web server on port 8080.

Open your terminal in the LabEx VM. Your default directory is ~/project. Execute the following command:

nmap -PS2222,8080 127.0.0.1

This command tells Nmap to send TCP SYN packets to ports 2222 and 8080 of the host 127.0.0.1.

You should see output similar to the following, indicating that the host is up and the specified ports are open:

Starting Nmap 7.80 ( https://nmap.org ) at YYYY-MM-DD HH:MM CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000085s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

In this example, Nmap reports that the host 127.0.0.1 is up and that ports 2222 (SSH) and 8080 (HTTP proxy) are open. If a port were closed, the output would show "closed" instead of "open". If the host were down or unreachable, Nmap would report "Host is down".

Perform UDP Ping with nmap -PU

In this step, you will learn how to use Nmap to perform a UDP ping scan on a specific port of a target host. This technique is particularly useful for host discovery when TCP ping is blocked by firewalls, or when you suspect a host might only have UDP services running.

Understanding UDP Ping:
Unlike TCP ping, which expects a SYN/ACK or RST response, a UDP ping sends a UDP packet to a specified port.

  • If the port is open, the target host might not respond at all (as many UDP services don't send responses unless a specific request is made).
  • If the port is closed, the target host will typically respond with an ICMP "port unreachable" error.
  • If the port is filtered, there will be no response.

Nmap uses the presence or absence of a response (or the type of response) to determine if a host is online. The -PU option in Nmap is used to perform a UDP ping scan. You must specify the port to scan. For this lab, we will target the DNS service running on port 5353 on your local machine (127.0.0.1).

Important Note: UDP ping scans require root privileges to read raw network responses. You'll need to use sudo with the nmap command.

Open your terminal in the LabEx VM. Your default directory is ~/project. Execute the following command:

sudo nmap -PU5353 127.0.0.1

This command tells Nmap to send a UDP packet to port 5353 of the host 127.0.0.1.

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at YYYY-MM-DD HH:MM CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

In this example, Nmap reports that the host 127.0.0.1 is up. Note that when using UDP ping for host discovery, Nmap still performs its default port scan after determining the host is alive, which is why you see the TCP ports listed in the output. The UDP ping was successful in detecting that the host is online.

Skip Ping with nmap -Pn

In this step, you will learn how to use the -Pn option in Nmap to skip the host discovery ping, so that Nmap scans a host without first checking whether it is online. This is helpful when traditional ping methods (ICMP, or even the TCP/UDP pings from the previous steps) are blocked by a firewall, or when you simply want to save time by assuming the host is up.

Understanding -Pn:
Normally, Nmap performs a host discovery phase before scanning ports. This involves sending various types of probes (ICMP echo requests, TCP SYN packets, UDP packets, etc.) to determine if the target host is online. If Nmap determines that the host is down, it will skip the port scanning phase for that host.

The -Pn option tells Nmap to skip this host discovery phase entirely and treat all target hosts as if they are online. This means that Nmap will proceed directly to the port scanning phase, regardless of whether the host responds to any ping probes.

Let's try an example. We will use Nmap with the -Pn option to scan the localhost address 127.0.0.1.

Open your terminal in the LabEx VM. Your default directory is ~/project. Execute the following command:

nmap -Pn 127.0.0.1

This command tells Nmap to skip the host discovery ping and scan the ports of 127.0.0.1.

You should see output similar to the following, showing various open ports on your local machine, including those set up by the lab environment:

Starting Nmap 7.80 ( https://nmap.org ) at YYYY-MM-DD HH:MM CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

In this example, Nmap reports that the host 127.0.0.1 is up and shows the open ports. Even if ICMP ping or other host discovery methods were blocked on the system, Nmap would still attempt to scan the ports because of the -Pn option.

It's important to note that using the -Pn option can lead to longer scan times if you target many hosts, as Nmap will attempt to scan ports on every specified IP address, even if many of them are actually offline.

Combine Techniques for Host Discovery

In this step, you will learn how to combine TCP and UDP ping techniques in Nmap to discover live hosts. Combining techniques can significantly increase the reliability of host discovery, especially when dealing with firewalls or other network security measures that might block one type of probe but not another.

As you learned in previous steps:

  • -PS is used for TCP SYN ping.
  • -PU is used for UDP ping (requires root privileges).

By combining these options, Nmap will send both TCP SYN packets to a specified TCP port and UDP packets to a specified UDP port. If either of these probes receives a response, Nmap will consider the host to be up. This provides a more robust way to detect active hosts.

In this example, we will use Nmap to send a TCP SYN packet to port 2222 (SSH) and a UDP packet to port 5353 (DNS) on your local machine (127.0.0.1).

Open your terminal in the LabEx VM. Your default directory is ~/project. Execute the following command:

sudo nmap -PS2222 -PU5353 127.0.0.1

This command tells Nmap to perform the following actions:

  • -PS2222: Send a TCP SYN packet to port 2222 of the target host.
  • -PU5353: Send a UDP packet to port 5353 of the target host.
  • 127.0.0.1: Scan the local host.

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at YYYY-MM-DD HH:MM CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

In this example, Nmap reports that the host 127.0.0.1 is up. Nmap determined this by receiving a response to either the TCP SYN packet sent to port 2222 or the UDP packet sent to port 5353. After confirming the host is alive through the ping probes, Nmap proceeds with its default port scan, showing the open TCP ports.

Combining techniques like this is often more effective than using a single method, as it increases the chances of bypassing firewalls or other security measures that might block one type of probe but not another, leading to more accurate host discovery results.

Save Discovery Results to a File

In this step, you will learn how to save Nmap scan results to a file using the -oN option. Saving scan results is crucial for documenting your findings, performing later analysis, or sharing information with others.

The -oN option tells Nmap to save the scan results in a "normal" format to the specified file. The normal format is a human-readable text file that is easy to view and parse.

In this example, we will use Nmap to scan the host 127.0.0.1, skip the host discovery ping (-Pn), and save the results to a file named hosts.txt in your ~/project directory.

Open your terminal in the LabEx VM. Your default directory is ~/project. Execute the following command:

nmap -Pn -oN hosts.txt 127.0.0.1

This command tells Nmap to perform the following actions:

  • -Pn: Skip the host discovery ping (assume the host is up).
  • -oN hosts.txt: Save the scan results in normal format to the file hosts.txt.
  • 127.0.0.1: Scan the host 127.0.0.1.

After the scan is complete, you can view the contents of the hosts.txt file using the cat command:

cat hosts.txt

You should see output similar to the following, which includes the Nmap version, scan time, host status, and open ports:

## Nmap 7.80 scan initiated Tue Jun  3 10:50:49 2025 as: nmap -Pn -oN hosts.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000089s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

## Nmap done at Tue Jun  3 10:50:49 2025 -- 1 IP address (1 host up) scanned in 0.05 seconds

The hosts.txt file now contains the Nmap scan results in a human-readable format. You can use this file for documentation, reporting, or further analysis with basic Linux commands like grep to extract specific information about discovered hosts and services.
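The following added example (not part of the lab) shows how to pull the host status and open ports out of an -oN file with awk and compare the open ports against an allowlist. The sample scan is constructed to mirror the hosts.txt output above, and the allowlist of expected ports is an assumption made for the example.

```shell
#!/bin/sh
# Constructed sample of Nmap "normal" (-oN) output, mirroring the lab's hosts.txt.
SAMPLE_SCAN='## Nmap 7.80 scan initiated Tue Jun  3 10:50:49 2025 as: nmap -Pn -oN hosts.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000089s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

## Nmap done at Tue Jun  3 10:50:49 2025 -- 1 IP address (1 host up) scanned in 0.05 seconds'

# Print one "<ip> up|down" line per scan report read from stdin.
# The IP is the last field of the "scan report" line, with any parentheses removed.
host_status() {
  awk '
    /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
    /^Host is up/   { print ip, "up" }
    /^Host is down/ { print ip, "down" }
  '
}

# Print open ports as "<port>/<proto> <service>", skipping the PORT/STATE/SERVICE header.
open_ports() {
  awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1, $3 }'
}

# Print open ports that are not in the space-separated allowlist given as $1
# (e.g. "22/tcp 8080/tcp"); anything printed is worth investigating.
unexpected_ports() {
  allow="$1"
  open_ports | while read -r port _; do
    case " $allow " in
      *" $port "*) ;;        # expected service, ignore
      *) echo "$port" ;;     # open but not on the allowlist
    esac
  done
}

# Example run against the constructed sample (assumed allowlist: SSH on 22 and 2222, Nginx on 8080).
printf '%s\n' "$SAMPLE_SCAN" | host_status
printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "22/tcp 2222/tcp 8080/tcp"
```

Replace the constructed sample with `cat hosts.txt` to run the same checks against the real file.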

Summary

In this lab, you have learned to perform advanced host discovery using Nmap. You started by understanding and applying specific Nmap options for host discovery:

  • TCP Ping Scan (-PS): You used nmap -PS2222,8080 127.0.0.1 to identify active hosts and open TCP ports.
  • UDP Ping Scan (-PU): You performed sudo nmap -PU5353 127.0.0.1 to discover hosts using UDP probes, which is useful when TCP is restricted.
  • Skipping Ping Scan (-Pn): You learned to force Nmap to scan hosts without prior host discovery using nmap -Pn 127.0.0.1, which is essential for firewalled environments.
  • Combining Techniques: You combined TCP and UDP ping scans with sudo nmap -PS2222 -PU5353 127.0.0.1 to achieve more reliable host detection.

Furthermore, you gained practical skills in managing Nmap output:

  • Saving Results: You saved your scan results to a human-readable file using nmap -Pn -oN hosts.txt 127.0.0.1.

By mastering these Nmap techniques, you are now better equipped to perform effective network reconnaissance, identify active devices, and gather crucial information for security assessments or network administration tasks. The saved output files can be further analyzed using standard Linux text processing tools for detailed reporting and documentation.