Perform Advanced Host Discovery in Nmap

Introduction

In this lab, you will learn to perform advanced host discovery using Nmap. The lab covers various techniques, including TCP ping on specific ports with the -PS option, UDP ping with the -PU option, skipping ping with -Pn, and combining these techniques for a comprehensive scan. You'll also learn how to save discovery results to a file and analyze live hosts in the Xfce terminal.

Throughout the lab, you'll execute commands like nmap -PS22,80 192.168.1.1 to perform TCP ping scans, nmap -PU53 192.168.1.1 for UDP ping, and nmap -Pn -oN hosts.txt 192.168.1.1 to save results. These hands-on exercises will enhance your understanding of Nmap's host discovery capabilities.


Use TCP ping on ports with nmap -PS22,80 192.168.1.1

In this step, you will learn how to use Nmap to perform a TCP ping scan on specific ports of a target host. This technique is useful for determining if a host is online and if specific services are running on those ports.

Before we begin, let's clarify what a TCP ping is. Unlike a traditional ICMP ping, a TCP ping sends a TCP SYN packet to a specified port on the target host. If the port is open, the target host will respond with a SYN/ACK packet. If the port is closed, the target host will respond with an RST packet. Either reply proves the host is online; Nmap uses this behavior to determine whether a host is up and, from the type of reply, whether the port is open or closed.

The -PS option in Nmap is used to perform a TCP SYN ping scan. You can specify one or more ports to scan using a comma-separated list.

Let's try an example. We will use Nmap to perform a TCP ping scan on ports 22 and 80 of the host 192.168.1.1.

Open your terminal in the LabEx VM. Remember that your default directory is ~/project. Execute the following command:

nmap -PS22,80 192.168.1.1

This command tells Nmap to send TCP SYN packets to ports 22 and 80 of the host 192.168.1.1.

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0013s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.05s

In this example, Nmap reports that the host 192.168.1.1 is up and that ports 22 (SSH) and 80 (HTTP) are open. If a port were closed, the output would show "closed" instead of "open". If the host were down, Nmap would report "Host is down".

Now, let's consider a scenario where the target host is not reachable or firewalled. In such cases, Nmap might not receive any response, and the output would indicate that the host is down or that the ports are filtered.

nmap -PS22,80 192.168.1.2

If 192.168.1.2 is not reachable, you might see:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.2
Host is down (no responses received).

Nmap done: 1 IP address (0 hosts up) scanned in 5.03s

This indicates that Nmap did not receive any response from the target host, suggesting that it might be down or unreachable due to network issues or firewall rules.

Perform UDP ping with nmap -PU53 192.168.1.1

In this step, you will learn how to use Nmap to perform a UDP ping scan on a specific port of a target host. This technique is useful for determining if a host is online, especially when TCP ping is blocked by firewalls.

Before we begin, let's understand what a UDP ping is. Unlike TCP ping, which sends a TCP SYN packet, a UDP ping sends a UDP packet to a specified port on the target host. If the port is open, the target host might not respond at all (as many UDP services don't send responses unless a specific request is made). If the port is closed, the target host will typically respond with an ICMP "port unreachable" error. Nmap uses the presence or absence of a response (or the type of response) to determine if a host is online.

The -PU option in Nmap is used to perform a UDP ping scan. You must specify the port to scan. A common port to use for UDP ping is port 53 (DNS), as DNS servers are often available.

Let's try an example. We will use Nmap to perform a UDP ping scan on port 53 of the host 192.168.1.1.

Open your terminal in the LabEx VM. Remember that your default directory is ~/project. Execute the following command:

nmap -PU53 192.168.1.1

This command tells Nmap to send a UDP packet to port 53 of the host 192.168.1.1.

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 1 IP address (1 host up) scanned in 2.03s

In this example, Nmap reports that the host 192.168.1.1 is up. The state of port 53 is shown as open|filtered. This means that Nmap either received a response from the port (indicating it's open) or didn't receive a response but couldn't definitively determine if the port is closed (indicating it's filtered, possibly by a firewall).

Now, let's consider a scenario where the target host is not reachable. In such cases, Nmap might not receive any response, and the output would indicate that the host is down.

nmap -PU53 192.168.1.2

If 192.168.1.2 is not reachable, you might see:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.2
Host is down (no responses received).

Nmap done: 1 IP address (0 hosts up) scanned in 5.03s

This indicates that Nmap did not receive any response from the target host, suggesting that it might be down or unreachable.

Skip ping with nmap -Pn 127.0.0.1

In this step, you will learn how to use the -Pn option in Nmap to skip the host discovery ping. This is useful when you want to scan a host without first checking if it's online. This can be helpful in situations where ping is blocked by a firewall, or when you want to save time by assuming the host is up.

Normally, Nmap performs a host discovery phase before scanning ports. This involves sending various types of probes (ICMP, TCP SYN, etc.) to determine if the target host is online. If Nmap determines that the host is down, it will skip the port scanning phase.

The -Pn option tells Nmap to skip this host discovery phase and treat all target hosts as if they are online. This means that Nmap will proceed directly to the port scanning phase, regardless of whether the host responds to ping probes.

Let's try an example. We will use Nmap with the -Pn option to scan the localhost address 127.0.0.1.

Open your terminal in the LabEx VM. Remember that your default directory is ~/project. Execute the following command:

nmap -Pn 127.0.0.1

This command tells Nmap to skip the host discovery ping and scan the ports of 127.0.0.1.

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
631/tcp  open  ipp
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.10s

In this example, Nmap reports that the host 127.0.0.1 is up and shows the open ports. Even if ICMP ping were blocked on the system, Nmap would still scan the ports because of the -Pn option.

It's important to note that using the -Pn option can lead to inaccurate results if the target host is actually down. Nmap will still attempt to scan the ports, but it may not receive any responses, leading to incorrect conclusions about the host's status.

Combine techniques with nmap -PS22 -PU53 192.168.1.0/24

In this step, you will learn how to combine TCP and UDP ping techniques in Nmap to discover live hosts on a network. Combining techniques can increase the reliability of host discovery, especially when dealing with firewalls or other network security measures.

As you learned in previous steps, -PS is used for TCP SYN ping and -PU is used for UDP ping. By combining these techniques, you can send both TCP SYN packets to a specific port and UDP packets to another port. If either of these probes receives a response, Nmap will consider the host to be up.

In this example, we will use Nmap to send a TCP SYN packet to port 22 (SSH) and a UDP packet to port 53 (DNS) to the entire 192.168.1.0/24 network.

Open your terminal in the LabEx VM. Remember that your default directory is ~/project. Execute the following command:

nmap -PS22 -PU53 192.168.1.0/24

This command tells Nmap to perform the following actions:

  • -PS22: Send a TCP SYN packet to port 22 of each host in the target network.
  • -PU53: Send a UDP packet to port 53 of each host in the target network.
  • 192.168.1.0/24: Scan the entire 192.168.1.0/24 network. This is CIDR notation that specifies a range of IP addresses from 192.168.1.0 to 192.168.1.255.

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0016s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0020s latency).
Nmap scan report for 192.168.1.20
Host is up (0.0025s latency).
...
Nmap done: 256 IP addresses (3 hosts up) scanned in 5.03 seconds

In this example, Nmap reports that hosts 192.168.1.1, 192.168.1.10, and 192.168.1.20 are up. Nmap determined this by receiving a response to either the TCP SYN packet sent to port 22 or the UDP packet sent to port 53.

Combining techniques like this can be more effective than using a single technique, as it increases the chances of bypassing firewalls or other security measures that might block one type of probe but not another.

Save discovery results with nmap -Pn -oN hosts.txt 192.168.1.1

In this step, you will learn how to save Nmap scan results to a file using the -oN option. This is useful for documenting your findings and for later analysis.

The -oN option tells Nmap to save the scan results in "normal" format to the specified file. The normal format is the same human-readable text Nmap prints to the terminal, which makes it easy to read and to search with standard text tools such as grep.

In this example, we will use Nmap to scan the host 192.168.1.1, skip the host discovery ping (-Pn), and save the results to a file named hosts.txt in your ~/project directory.

Open your terminal in the LabEx VM. Remember that your default directory is ~/project. Execute the following command:

nmap -Pn -oN hosts.txt 192.168.1.1

This command tells Nmap to perform the following actions:

  • -Pn: Skip the host discovery ping.
  • -oN hosts.txt: Save the scan results in normal format to the file hosts.txt.
  • 192.168.1.1: Scan the host 192.168.1.1.

After the scan is complete, you can view the contents of the hosts.txt file using the cat command:

cat hosts.txt

You should see output similar to the following:

## Nmap 7.80 scan initiated Tue Oct 27 10:00:00 2023 as: nmap -Pn -oN hosts.txt 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up (0.000073s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

## Nmap done at Tue Oct 27 10:00:05 2023 -- 1 IP address (1 host up) scanned in 5.03 seconds

The hosts.txt file now contains the Nmap scan results in a human-readable format. You can use this file for documentation, reporting, or further analysis.

Analyze live hosts in Xfce terminal

In this step, you will learn how to analyze the Nmap scan results directly in the Xfce terminal. You will use basic Linux commands to filter and extract information from the hosts.txt file that you created in the previous step. This will help you quickly identify live hosts and their open ports.

First, let's review the contents of the hosts.txt file. Open your terminal in the LabEx VM. Remember that your default directory is ~/project. Execute the following command:

cat hosts.txt

You should see the Nmap scan results, including the host's status (up or down) and the open ports.

To extract only the lines that indicate a host is up, you can use the grep command:

grep "Host is up" hosts.txt

This command will filter the hosts.txt file and display only the lines that contain the string "Host is up". The output will look similar to this:

Host is up (0.000073s latency).

This tells you that the host recorded in the file is up. The address itself is not on this line but on the "Nmap scan report for" line that precedes it.

To extract the IP address of the live host, filter on that report line and combine grep with awk. awk is a powerful text processing tool that can be used to extract specific fields from a line of text.

grep "Nmap scan report for" hosts.txt | awk '{print $5}'

This command first filters the hosts.txt file to find the report header lines, and then uses awk to print the fifth field ($5) of each matching line, which is the IP address. (When Nmap resolves a hostname, the line reads "Nmap scan report for localhost (127.0.0.1)" and the address is the last field, in parentheses, rather than the fifth.) The output will be:

192.168.1.1

To find the open ports for a specific host, you can use grep to filter the hosts.txt file for the port-table lines. Note that these lines (for example "22/tcp   open  ssh") do not contain the IP address, so match on the port state rather than on the address. Because hosts.txt holds only the scan of 192.168.1.1, the open-port lines it contains belong to that host:

grep -E "^[0-9]+/(tcp|udp) +open" hosts.txt

This will show every port-table line in the hosts.txt file whose state is open, which are the open ports of 192.168.1.1.

By combining these basic Linux commands, you can quickly analyze Nmap scan results directly in the Xfce terminal and extract the information you need.
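The filtering done by hand in this step, and the "which hosts answered" question from the combined -PS22 -PU53 scan of 192.168.1.0/24, both come down to parsing Nmap's normal-format output. The script below is an added example written for this page, not code from the LabEx lab or from the Nmap project. The scan text it parses is constructed sample output modelled on hosts.txt (one resolved hostname, one UDP-only host, one host that is down), and the function names live_hosts, count_live and open_ports are this example's own. It does not run Nmap, so it works offline, and it handles the two shapes of the "Nmap scan report for" line that a bare awk '{print $5}' does not.

```shell
#!/bin/sh
# Added example for this lab (not code from LabEx or the Nmap project):
# parse Nmap "normal" (-oN) output to list live hosts and their open ports.
# The scan text below is CONSTRUCTED sample output modelled on the lab's
# hosts.txt; nothing here runs Nmap, so the script works offline.

SAMPLE_SCAN='## Nmap 7.80 scan initiated Tue Oct 27 10:00:00 2023 as: nmap -PS22 -PU53 -oN hosts.txt 192.168.1.0/24
Nmap scan report for gateway.lan (192.168.1.1)
Host is up (0.0016s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

Nmap scan report for 192.168.1.10
Host is up (0.0020s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap scan report for 192.168.1.20
Host is down (no responses received).
## Nmap done at Tue Oct 27 10:00:05 2023 -- 256 IP addresses (2 hosts up) scanned in 5.03 seconds'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_SCAN" > "$SAMPLE_FILE"

# Shared awk prologue: remember the address of the current report block.
# Handles both "Nmap scan report for 192.168.1.10" (address is field 5) and
# "Nmap scan report for gateway.lan (192.168.1.1)" (address is field 6, in
# parentheses), which is why a bare '{print $5}' is not enough.
AWK_TRACK_HOST='
/^Nmap scan report for / {
    cur = $5
    if ($6 ~ /^\(/) { cur = $6; gsub(/[()]/, "", cur) }
}'

# live_hosts FILE: one IP per host whose report block says "Host is up".
live_hosts() {
    awk "$AWK_TRACK_HOST"'
    /^Host is up/ { print cur }
    ' "$1"
}

# count_live FILE: number of live hosts (what Nmap's "(N hosts up)" summarises).
count_live() {
    live_hosts "$1" | wc -l | tr -d ' '
}

# open_ports FILE [IP]: prints "ip port/proto service" for ports in state "open".
# open|filtered (typical for UDP, as in the -PU53 step) is deliberately not
# counted as open: Nmap could not tell a silent service from a firewall drop.
open_ports() {
    awk -v want="$2" "$AWK_TRACK_HOST"'
    /^[0-9]+\/(tcp|udp)/ && $2 == "open" {
        if (want == "" || want == cur) print cur, $1, $3
    }
    ' "$1"
}

echo "Live hosts:"
live_hosts "$SAMPLE_FILE"
echo "Open ports on 192.168.1.1:"
open_ports "$SAMPLE_FILE" 192.168.1.1
```

To use it on the lab's real file, replace SAMPLE_FILE with hosts.txt (for example `live_hosts hosts.txt`). Tracking the address in the awk program rather than in a separate grep is what lets the port lines, which never mention the address, be attributed to the right host when a file holds several report blocks, as the output of the /24 scan does.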

Summary

In this lab, participants learn to perform advanced host discovery using Nmap. They start by using TCP ping on specific ports with the -PS option, such as nmap -PS22,80 192.168.1.1, to check if a host is online and specific services are running. They also perform UDP ping with -PU, skip ping with -Pn, and combine techniques for broader scans. Additionally, they learn to save discovery results to a file and analyze live hosts in the Xfce terminal.