Randomize Targets in Nmap


Introduction

In this lab, we will explore how to randomize target host order in Nmap scans. We'll start by performing a standard subnet scan on 192.168.1.0/24 to identify active hosts.

Then, we'll use the --randomize-hosts option to shuffle the order in which Nmap scans the target IP addresses, both for a subnet (192.168.1.0/24) and a specific range (192.168.1.1-10). We'll also add verbosity with the -v flag and save the randomized scan results to a file named random.txt. Finally, we'll compare the outputs in the Xfce terminal to observe the effect of the randomization.

Scan subnet normally with nmap 192.168.1.0/24

In this step, we will perform a basic network scan using Nmap to identify active hosts within the 192.168.1.0/24 subnet. This is a fundamental technique for network reconnaissance and understanding the devices present on a network.

Before we begin, let's briefly discuss what Nmap and subnet scanning are:

  • Nmap (Network Mapper): A free and open-source utility for network discovery and security auditing. It's used to discover hosts and services on a computer network by sending packets and analyzing the responses.
  • Subnet: A logical subdivision of an IP network. The /24 notation (CIDR notation) indicates the subnet mask, which in this case is 255.255.255.0. This means that the first three octets (192.168.1) define the network, and the last octet (0-255) defines the host addresses within that network.
  • Subnet Scanning: The process of scanning all possible IP addresses within a subnet to identify active hosts.

Now, let's perform the scan. Open your Xfce terminal in the LabEx VM. Remember that your default directory is ~/project.

Execute the following command:

sudo nmap 192.168.1.0/24

No password prompt should appear: the labex user has passwordless sudo. Root privileges matter here because they let Nmap use raw sockets, so host discovery on a directly attached subnet can use ARP requests and the port scan runs as a SYN scan rather than the slower full TCP connect scan an unprivileged user gets.

This command tells Nmap to scan all 256 addresses from 192.168.1.0 to 192.168.1.255 (Nmap includes the network and broadcast addresses). It first sends discovery probes to each address to decide whether a host is up, then port-scans the 1000 most common TCP ports on every host that responded.

The output lists each discovered host with its status (e.g., "Host is up") followed by the open ports Nmap found on it; hosts that did not respond are not listed unless you raise verbosity.

Example output (the actual output will vary depending on your network):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh

Nmap scan report for 192.168.1.100
Host is up (0.00030s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
80/tcp  open  http

Nmap done: 256 IP addresses (2 hosts up) scanned in 5.00 seconds

This output indicates that two hosts were found to be up: 192.168.1.1 and 192.168.1.100. It also shows that port 22 (SSH) is open on 192.168.1.1 and port 80 (HTTP) is open on 192.168.1.100.

Randomize hosts with nmap --randomize-hosts 192.168.1.0/24

In this step, we will enhance our network scan by randomizing the order in which Nmap scans the hosts within the 192.168.1.0/24 subnet. This changes only the order of the targets: the same probes still go to every host, so the scan is no quieter, but it no longer looks like a straight address sweep, which is the pattern the simplest detection rules key on.

By default, Nmap works through the target list in the order it was given (ascending IP order for a subnet), so a monitoring tool sees a tidy walk from .0 to .255. The --randomize-hosts option shuffles each group of up to 16384 targets before scanning it, so a /24 is shuffled as a single group. Nmap already randomizes the port order within each host by default (-r turns that off); --randomize-hosts does the same for the hosts. Combine it with slower timing (for example -T2) if the goal is to blend in; on its own it changes the order, not the volume.
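To make the target expansion and the shuffle concrete, here is an added Python model (not Nmap's own code) of what Nmap does with the two target specs used in this lab: it expands a CIDR block or a per-octet range into the address list Nmap would scan, then shuffles that list in groups of up to 16384 hosts the way --randomize-hosts does, so you can see why a /24 is reshuffled as one group and why two runs rarely print the same order. The group size is the value documented in the Nmap reference guide; only IPv4 specs are handled.

```python
"""Model of how Nmap expands a target spec and how --randomize-hosts
shuffles the resulting list.  Added example; not Nmap source code."""
import ipaddress
import itertools
import random

# Nmap shuffles each group of up to 16384 hosts (PING_GROUP_SZ in nmap.h,
# per the Nmap reference guide).
PING_GROUP_SZ = 16384


def _octet_values(token: str) -> range:
    """Values covered by one octet token: '5', '1-10', '-10', '1-' or '*'."""
    if token == "*":
        return range(0, 256)
    if "-" in token:
        lo, hi = token.split("-", 1)
        lo = int(lo) if lo else 0        # '-10' means 0-10
        hi = int(hi) if hi else 255      # '1-' means 1-255
    else:
        lo = hi = int(token)
    if not (0 <= lo <= hi <= 255):
        raise ValueError(f"bad octet range {token!r}")
    return range(lo, hi + 1)


def expand_target(spec: str) -> list:
    """Expand an IPv4 target spec the way Nmap does.

    CIDR ('192.168.1.0/24') yields all 256 addresses, .0 and .255 included,
    which is why Nmap reports '256 IP addresses' for a /24.  Per-octet ranges
    ('192.168.1.1-10', '10.0.0-1.*') are the cartesian product of the octets.
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(ip) for ip in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 spec: {spec!r}")
    combos = itertools.product(*(_octet_values(o) for o in octets))
    return [".".join(map(str, c)) for c in combos]


def randomize_hosts(hosts, group_size=PING_GROUP_SZ, rng=None):
    """Shuffle like --randomize-hosts: each consecutive group of up to
    group_size hosts is shuffled on its own, so a host never moves across a
    group boundary.  A /24 (256 hosts) is a single group."""
    if rng is None:
        rng = random.Random()
    out = []
    for start in range(0, len(hosts), group_size):
        group = list(hosts[start:start + group_size])
        rng.shuffle(group)
        out.extend(group)
    return out


if __name__ == "__main__":
    for spec in ("192.168.1.0/24", "192.168.1.1-10"):
        order = randomize_hosts(expand_target(spec))
        print(f"{spec}: {len(order)} targets, first five in scan order: {order[:5]}")
```

Run it twice and the "first five" differ between runs, which is exactly the effect you will see in the host order of the scan reports below. Passing a small group_size shows the boundary behaviour: hosts are only shuffled within their group, which is invisible for a /24 but matters for very large target lists.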

To randomize the host order, execute the following command in your Xfce terminal:

sudo nmap --randomize-hosts 192.168.1.0/24

As before, no password prompt should appear, because the labex user has passwordless sudo.

This command will scan the same subnet (192.168.1.0/24) as in the previous step, but the order in which the IP addresses are scanned will be randomized.

The output will be similar to the previous scan, showing the discovered hosts and their status. However, the order in which the hosts are listed might be different.

Example output (the actual output will vary depending on your network):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for 192.168.1.100
Host is up (0.00030s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
80/tcp  open  http

Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh

Nmap done: 256 IP addresses (2 hosts up) scanned in 5.10 seconds

Notice that the order of the hosts (192.168.1.100 and 192.168.1.1) in the output might be different from the previous scan. This is because of the --randomize-hosts option.

Randomize range with nmap --randomize-hosts 192.168.1.1-10

In this step, we will focus on scanning a specific range of IP addresses (192.168.1.1 to 192.168.1.10) and randomizing the order in which these hosts are scanned. This is useful when you want to target a smaller subset of a network and still avoid walking through it in a predictable ascending order.

The --randomize-hosts option, as we saw in the previous step, shuffles the order of the target IP addresses. This time, we'll apply it to a specific range instead of the entire subnet.

To randomize the host order within the 192.168.1.1-10 range, execute the following command in your Xfce terminal:

sudo nmap --randomize-hosts 192.168.1.1-10

No password prompt should appear, because the labex user has passwordless sudo.

This command tells Nmap to scan IP addresses from 192.168.1.1 to 192.168.1.10, but in a randomized order.

The output will show you the hosts discovered within that range and their status. The scan order is reshuffled on every run; with only a few hosts up, the printed order can still coincide between two runs by chance.

Example output (the actual output will vary depending on your network):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for 192.168.1.5
Host is up (0.00025s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh

Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
80/tcp  open  http

Nmap done: 10 IP addresses (2 hosts up) scanned in 2.00 seconds

In this example, Nmap scanned the IP addresses from 192.168.1.1 to 192.168.1.10 in a random order and found two hosts to be up: 192.168.1.5 and 192.168.1.1. The ports shown are just examples and may differ in your environment.

Add verbosity with nmap -v --randomize-hosts 192.168.1.0/24

In this step, we will add verbosity to our Nmap scan while still randomizing the host order. Verbosity provides more detailed information about the scan process, which can be helpful for troubleshooting or understanding Nmap's behavior.

The -v option in Nmap increases the verbosity level. Using it once provides more information than the default output. Using it twice (-vv) provides even more detail.

To add verbosity and randomize the host order, execute the following command in your Xfce terminal:

sudo nmap -v --randomize-hosts 192.168.1.0/24

No password prompt should appear, because the labex user has passwordless sudo.

This command will scan the 192.168.1.0/24 subnet, randomizing the host order, and providing more verbose output.

The output will now include per-phase progress: when host discovery, DNS resolution and the port scan start and finish, how long each phase took, and each open port as soon as it is discovered.

Example output (the actual output will vary depending on your network):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Initiating Ping Scan at 10:15
Scanning 256 hosts [4 ports/host]
Completed Ping Scan at 10:15, 0.72s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 10:15
Completed Parallel DNS resolution of 2 hosts. at 10:15, 0.01s elapsed
Initiating SYN Stealth Scan at 10:15
Scanning 2 hosts [1000 ports/host]
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.100
Completed SYN Stealth Scan at 10:15, 3.21s elapsed (2000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 192.168.1.100
Host is up (0.00030s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 256 IP addresses (2 hosts up) scanned in 5.74 seconds

The output now shows the timing of each phase (host discovery against all 256 addresses, then DNS resolution and the port scan against only the hosts that responded) and reports each open port as soon as it is found. With -v Nmap also prints a one-line "[host down]" report for every address that did not respond, which the example above omits for brevity. This is helpful for troubleshooting, for example to see whether a slow scan is stuck in host discovery or in the port scan.

Save results with nmap --randomize-hosts -oN random.txt 192.168.1.0/24

In this step, we will learn how to save the results of an Nmap scan to a file. This is crucial for later analysis, reporting, or comparison with previous scans. We'll continue to randomize the host order while saving the output.

Nmap provides several output formats. The -oN option writes "normal" output, which is the same human-readable report you see on screen, framed by a header and footer. For machine processing, -oX (XML) is the format to parse and -oG (grepable) is kept for one-liners; -oA <basename> writes all three at once. Normal output is the right choice for a readable record, but if you plan to post-process results with scripts, prefer XML.

To save the results of a randomized host scan to a file named random.txt, execute the following command in your Xfce terminal:

sudo nmap --randomize-hosts -oN random.txt 192.168.1.0/24

No password prompt should appear, because the labex user has passwordless sudo.

This command tells Nmap to scan the 192.168.1.0/24 subnet, randomize the host order, and save the output in the "normal" format to a file named random.txt in your current directory (~/project).

After the scan completes, you can view the contents of random.txt with the cat command or a text editor like nano. Because Nmap ran under sudo, the file is owned by root: you can read it as labex, but editing it would require sudo or changing its owner.

cat random.txt

Example output (the actual output will vary depending on your network):

# Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023 as: nmap --randomize-hosts -oN random.txt 192.168.1.0/24
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 192.168.1.100
Host is up (0.00030s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http

# Nmap done at Fri Oct 27 10:20:05 2023 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds

The random.txt file contains the same host reports that appeared on screen, but the "Starting Nmap" and "Nmap done" lines are replaced by a header that records the exact command line and start time and a footer with the completion time and summary. The recorded command line is useful when you compare scans later, because it shows which options (here --randomize-hosts) produced the file.

Compare outputs in Xfce terminal

In this step, we will compare the outputs of the different Nmap scans we performed in the previous steps. This will help us understand the effects of the various options we used, such as host randomization and verbosity.

First, let's review the commands we executed:

  1. sudo nmap 192.168.1.0/24 (Normal scan)
  2. sudo nmap --randomize-hosts 192.168.1.0/24 (Randomized hosts)
  3. sudo nmap --randomize-hosts 192.168.1.1-10 (Randomized range)
  4. sudo nmap -v --randomize-hosts 192.168.1.0/24 (Verbose, randomized hosts)
  5. sudo nmap --randomize-hosts -oN random.txt 192.168.1.0/24 (Randomized hosts, saved to file)

To compare the outputs, you can use several methods:

  • Direct comparison in the terminal: You can scroll back through your terminal history to compare the outputs of the first four commands. Notice the differences in the order of scanned hosts (if any) and the level of detail provided by the verbose scan.

  • Comparing the normal scan with the saved file: You can run the first command again and compare its output with the contents of the random.txt file we created in the previous step.

    sudo nmap 192.168.1.0/24
    cat random.txt

    Observe that the output should be similar, but the order of the hosts scanned might be different due to the --randomize-hosts option used when creating random.txt.

  • Using diff command (Optional): For more detailed comparison, you can save the output of the normal scan to a file (e.g., normal.txt) and then use the diff command to compare the two files.

    sudo nmap -oN normal.txt 192.168.1.0/24
    diff normal.txt random.txt

    The diff command compares line by line, so if the only difference is host order you will see each host's report block removed from one position and added at another, with the content itself unchanged. Expect the first and last lines to differ as well: they carry the command line and the timestamps. For an order-insensitive check, sort the "Nmap scan report" lines from each file before comparing them; the sorted lists should be identical.
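    Added example (not part of the lab or of Nmap): a small Python parser for the -oN format written in the previous step. It reads two normal-output files, recovers the recorded command line, the host order and each host's port table, and then reports whether the host set and ports match regardless of order, which is the comparison diff cannot make. The two sample files are constructed inline in -oN format and stand in for normal.txt and random.txt; the script name compare_nmap.py is an assumption.

```python
"""Parse Nmap -oN (normal output) files and compare two scans without
depending on host order.  Added example for this lab, not Nmap's own code."""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+(?:\.\d+){3})\))?")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")


@dataclass
class Scan:
    command: str = ""                           # from the '# Nmap ... as:' header
    order: list = field(default_factory=list)   # hosts in the order Nmap reported them
    ports: dict = field(default_factory=dict)   # host -> {"22/tcp": ("open", "ssh")}


def parse_normal_output(text: str) -> Scan:
    """Extract command line, host order and per-host port table from -oN text."""
    scan, host = Scan(), None
    for line in text.splitlines():
        if line.startswith("# Nmap ") and " as: " in line:
            scan.command = line.split(" as: ", 1)[1]
            continue
        m = REPORT_RE.match(line)
        if m:
            if "[host down]" in line:       # -v output lists down hosts too; skip them
                host = None
                continue
            host = m.group(2) or m.group(1)  # prefer the IP when a hostname resolved
            scan.order.append(host)
            scan.ports[host] = {}
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            scan.ports[host][m.group(1)] = (m.group(2), m.group(3))
    return scan


def compare_scans(a: Scan, b: Scan) -> dict:
    """Separate what really changed (hosts, ports) from what only moved (order)."""
    ha, hb = set(a.order), set(b.order)
    return {
        "same_hosts": ha == hb,
        "only_in_a": sorted(ha - hb),
        "only_in_b": sorted(hb - ha),
        "port_diffs": {h: (a.ports[h], b.ports[h])
                       for h in sorted(ha & hb) if a.ports[h] != b.ports[h]},
        "same_order": a.order == b.order,
    }


# Constructed sample files in -oN format, standing in for normal.txt and random.txt:
# same two hosts and ports, reported in opposite order, different command lines.
HEADER = "# Nmap 7.80 scan initiated Fri Oct 27 {t} 2023 as: {cmd}\n"
FOOTER = "# Nmap done at Fri Oct 27 {t} 2023 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds\n"
HOST_1 = ("Nmap scan report for 192.168.1.1\nHost is up (0.00020s latency).\n"
          "Not shown: 999 closed ports\nPORT   STATE SERVICE\n22/tcp open  ssh\n\n")
HOST_100 = ("Nmap scan report for 192.168.1.100\nHost is up (0.00030s latency).\n"
            "Not shown: 999 closed ports\nPORT   STATE SERVICE\n80/tcp open  http\n\n")
NORMAL_TXT = (HEADER.format(t="10:25:00", cmd="nmap -oN normal.txt 192.168.1.0/24")
              + HOST_1 + HOST_100 + FOOTER.format(t="10:25:05"))
RANDOM_TXT = (HEADER.format(t="10:20:00", cmd="nmap --randomize-hosts -oN random.txt 192.168.1.0/24")
              + HOST_100 + HOST_1 + FOOTER.format(t="10:20:05"))


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python3 compare_nmap.py normal.txt random.txt
        a, b = (parse_normal_output(Path(p).read_text()) for p in sys.argv[1:3])
    else:                    # no files given: use the constructed samples
        a, b = parse_normal_output(NORMAL_TXT), parse_normal_output(RANDOM_TXT)
    print("scan A:", a.command, "->", a.order)
    print("scan B:", b.command, "->", b.order)
    print(compare_scans(a, b))
```

    Run with the two real files as arguments and the result should report same_hosts True, same_order False and an empty port_diffs; anything in port_diffs or only_in_* is a real change in the network, not an artifact of --randomize-hosts. The parser ignores "[host down]" reports, so it also works on files written from a -v scan.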

By comparing the outputs, you should be able to observe the following:

  • The --randomize-hosts option changes the order in which Nmap scans the hosts.
  • The -v option provides more detailed information about the scan process.
  • The -oN option saves the scan results to a file in a human-readable format.

This concludes the Nmap lab. You have learned how to perform basic Nmap scans, randomize host order, increase verbosity, and save the results to a file. These are fundamental skills for network reconnaissance and security auditing.

Summary

In this lab, we explored Nmap's capabilities for network scanning and host discovery. We began by performing a standard subnet scan using nmap 192.168.1.0/24 to identify active hosts within the specified network range. This foundational step demonstrated how Nmap probes IP addresses to determine host availability.

Subsequently, we learned to randomize the order in which Nmap scans targets using the --randomize-hosts option, applying it to both a subnet (192.168.1.0/24) and a specific IP range (192.168.1.1-10). We also enhanced the scan with verbosity (-v) for more detailed output and saved the results to a file (random.txt) for later comparison, highlighting practical techniques for controlling and documenting Nmap scans.