Randomize Targets in Nmap


Introduction

In this lab, you will learn how to randomize the order in which Nmap visits its target hosts. A sequential sweep through an address range is easy for a monitoring system to spot; shuffling the order makes the scan less predictable, although it does not reduce the amount of traffic you send.

You will start by performing a standard Nmap scan to establish a baseline. Then, you will use the --randomize-hosts option to shuffle the order in which Nmap scans target IP addresses, both for a subnet and a specific range. You will also learn how to add verbosity to your scans and save the results to a file for later analysis. By comparing the outputs, you will understand the impact of host randomization.

Perform a Standard Nmap Scan

In this step, you will perform a basic network scan using Nmap to identify active hosts within the 127.0.0.1/24 subnet. This is a fundamental technique for network reconnaissance and understanding the devices present on a network. Because 127.0.0.0/8 is the loopback range, every probe in this lab stays on your own machine, which makes it safe to run but means you will mostly see the local host.

Before you begin, let's briefly discuss what Nmap and subnet scanning are:

  • Nmap (Network Mapper): A free and open-source utility for network discovery and security auditing. It's used to discover hosts and services on a computer network by sending packets and analyzing the responses.
  • Subnet: A logical subdivision of an IP network. The /24 notation (CIDR notation) indicates the subnet mask, which in this case is 255.255.255.0. This means that the first three octets (127.0.0) define the network, and the last octet (0-255) defines the host addresses within that network.
  • Subnet Scanning: The process of scanning all possible IP addresses within a subnet to identify active hosts.

Now, let's perform the scan. Open your Xfce terminal. Your default directory is ~/project.

Execute the following command:

sudo nmap 127.0.0.1/24

If sudo prompts for a password, simply press Enter; the labex user has sudo privileges without a password. Nmap needs root for its default SYN scan (-sS), which uses raw sockets; run as an unprivileged user it falls back to a slower TCP connect scan (-sT).

This command tells Nmap to scan all 256 IP addresses from 127.0.0.0 to 127.0.0.255: the /24 covers the whole last octet, including .0 and .255, even though you typed .1. Nmap first sends host-discovery probes to each address and then port-scans the hosts that responded.

The output lists each host that was found up ("Host is up"), followed by a table of the open ports among the 1000 most common TCP ports on that host, which is the default port scan. Ports that were closed or filtered are summarized in the "Not shown" line rather than listed.

Example output (the actual output will vary depending on your network setup, but you should see 127.0.0.1 and potentially other hosts):

Starting Nmap <version> ( https://nmap.org ) at <date>
Nmap scan report for localhost (127.0.0.1)
Host is up (<latency>s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 256 IP addresses (1 host up) scanned in <time> seconds

This output indicates that 127.0.0.1 was found to be up with five open TCP ports: 22, 2121, 2222, 3001 and 8080. The SERVICE column is only a name looked up in Nmap's nmap-services table by port number, so 2121 is labelled "ccproxy-ftp" and 3001 "nessus" regardless of what is actually listening there. To identify the real service behind a port, rerun the scan with -sV.

Randomize Host Scan Order for a Subnet

In this step, you will repeat the scan of the 127.0.0.1/24 subnet, but have Nmap shuffle the order in which it visits the hosts. This defeats detection rules that look for a single source walking through addresses in sequence; it does nothing about the number of probes you send, so it is not stealth on its own.

By default, Nmap takes its targets in the order they were given, so a /24 is walked from .0 upward, which is easy to pick out of a traffic log. The --randomize-hosts option tells Nmap to shuffle each group of up to 16384 hosts before it scans them, so the probe stream no longer advances through the address space in order. Note that this only concerns host order: Nmap already randomizes the port order within each host by default (the -r option turns that off). A monitoring system that simply counts how many addresses one source has touched will still notice a randomized scan, so pair --randomize-hosts with slower timing (for example -T2 or --scan-delay) when evasion actually matters.

To randomize the host order, execute the following command in your Xfce terminal:

sudo nmap --randomize-hosts 127.0.0.1/24

As before, if sudo prompts for a password, simply press Enter; the labex user has passwordless sudo.

This command will scan the same subnet (127.0.0.1/24) as in the previous step, but the order in which the IP addresses are scanned will be randomized.

The output will be similar to the previous scan, showing the discovered hosts and their status. However, the order in which the hosts are listed might be different if multiple hosts were found. In this specific lab environment, you might only see 127.0.0.1 as the primary active host, but the internal scan process will still attempt to randomize the order of all 256 IPs in the subnet.

Example output (the actual output will vary depending on your network):

Starting Nmap <version> ( https://nmap.org ) at <date>
Nmap scan report for localhost (127.0.0.1)
Host is up (<latency>s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 256 IP addresses (1 host up) scanned in <time> seconds

While the final output for a single active host might look identical, the internal scanning process for the 256 IP addresses in the subnet was randomized.

Randomize Host Scan Order for a Specific Range

In this step, you will focus on scanning a specific range of IP addresses (127.0.0.1 to 127.0.0.10) and randomizing the order in which these hosts are scanned. This is useful when you want to target a smaller subset of a network and still maintain some level of stealth.

The --randomize-hosts option, as you saw in the previous step, shuffles the order of the target IP addresses. This time, you'll apply it to a specific range instead of the entire subnet.

To randomize the host order within the 127.0.0.1-10 range, execute the following command in your Xfce terminal:

sudo nmap --randomize-hosts 127.0.0.1-10

If sudo prompts for a password, simply press Enter; the labex user has passwordless sudo.

This command tells Nmap to scan IP addresses from 127.0.0.1 to 127.0.0.10, but in a randomized order.

The output lists the hosts found up within that range. Nmap prints a host's report when that host's scan completes, so when several hosts are up the listing order changes from run to run; with only 127.0.0.1 up, the report looks the same each time even though the probe order was shuffled.

Example output (the actual output will vary depending on your network):

Starting Nmap <version> ( https://nmap.org ) at <date>
Nmap scan report for localhost (127.0.0.1)
Host is up (<latency>s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 10 IP addresses (1 host up) scanned in <time> seconds

In this example, Nmap scanned the IP addresses from 127.0.0.1 to 127.0.0.10 in a random order and found 127.0.0.1 to be up.
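The following is an added example, not part of the original lab, that shows what --randomize-hosts changes and what it leaves alone for both target forms used in the last two steps (the 127.0.0.1/24 subnet and the 127.0.0.1-10 range). It expands each target spec into the address list Nmap would scan, emits the probe order once sequentially and once shuffled, and runs two toy detectors over the probe stream: a sequential-sweep detector that keys on consecutive destination addresses (the kind of check host randomization defeats) and a per-source volume detector that only counts distinct destinations (which host order does not affect). The detector logic and thresholds are hypothetical illustrations written for this example, not the rules of any real IDS, and the shuffle stands in for Nmap's internal one.

```python
"""Added example (not part of the original lab): what --randomize-hosts does
and does not hide.  expand_targets() follows Nmap's target notation for CIDR
and last-octet ranges; the detectors and their thresholds are hypothetical."""
import ipaddress
import random


def expand_targets(spec: str) -> list[str]:
    """Expand a target spec into the ordered list of addresses Nmap would scan.

    CIDR: 127.0.0.1/24 -> 127.0.0.0 .. 127.0.0.255 (256 addresses; host bits
    in the given address are ignored, network and broadcast are included).
    Last-octet range: 127.0.0.1-10 -> 127.0.0.1 .. 127.0.0.10.
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    base, last = spec.rsplit(".", 1)
    if "-" in last:
        lo, hi = (int(x) for x in last.split("-"))
        return [f"{base}.{octet}" for octet in range(lo, hi + 1)]
    return [spec]


def probe_order(targets: list[str], randomize: bool, seed: int = 7) -> list[str]:
    """Return the order in which the hosts would be probed.

    Sequential (as given) by default; with randomize=True the list is
    shuffled, standing in for what --randomize-hosts does to each target group.
    A fixed seed keeps the example reproducible; Nmap's shuffle is not seeded.
    """
    order = list(targets)
    if randomize:
        random.Random(seed).shuffle(order)
    return order


def sequential_sweep_alert(probes: list[str], run_length: int = 8) -> bool:
    """Hypothetical sweep rule: alert when `run_length` consecutive probes hit
    consecutive addresses (each destination is the previous one plus one)."""
    run = 1
    for prev, cur in zip(probes, probes[1:]):
        if int(ipaddress.ip_address(cur)) == int(ipaddress.ip_address(prev)) + 1:
            run += 1
            if run >= run_length:
                return True
        else:
            run = 1
    return False


def volume_alert(probes: list[str], threshold: int = 32) -> bool:
    """Hypothetical volume rule: alert once a single source has probed more
    than `threshold` distinct destinations, whatever the order."""
    return len(set(probes)) > threshold


if __name__ == "__main__":
    for spec in ("127.0.0.1/24", "127.0.0.1-10"):
        targets = expand_targets(spec)
        seq = probe_order(targets, randomize=False)
        rnd = probe_order(targets, randomize=True)
        print(f"{spec}: {len(targets)} targets, first five when shuffled: {rnd[:5]}")
        print("  sequential -> sweep alert:", sequential_sweep_alert(seq),
              " volume alert:", volume_alert(seq))
        print("  randomized -> sweep alert:", sequential_sweep_alert(rnd),
              " volume alert:", volume_alert(rnd))
```

Run it and compare the two lines per target: shuffling turns the sweep alert off for both the /24 and the 1-10 range, while the volume alert on the /24 fires either way, because 256 distinct destinations from one source is the same 256 whether or not they were in order. That is the gap the timing options (-T, --scan-delay, --max-rate) are meant to cover, not --randomize-hosts.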

Add Verbosity and Save Results to a File

In this step, you will learn how to add verbosity to your Nmap scan and save the results to a file. This is crucial for later analysis, reporting, or comparison with previous scans. You'll continue to randomize the host order while performing these actions.

The -v option increases Nmap's verbosity, so it reports each scan phase as it starts and finishes and each open port as it is discovered, instead of only the final report. The -oN option writes "normal" output, the same human-readable text you see on screen, to a file. For output you intend to parse, Nmap also offers -oG (grepable) and -oX (XML), and -oA <basename> writes all three formats at once.

To add verbosity and save the results of a randomized host scan to a file named random_scan.txt, execute the following command in your Xfce terminal:

sudo nmap -v --randomize-hosts -oN random_scan.txt 127.0.0.1/24

If sudo prompts for a password, simply press Enter; the labex user has passwordless sudo.

This command tells Nmap to scan the 127.0.0.1/24 subnet, randomize the host order, provide verbose output, and save the output in the "normal" format to a file named random_scan.txt in your current directory (~/project).

The terminal output will now include the scan phases (host discovery, DNS resolution, the port scan), how many hosts and ports each phase covers, and each open port as it is found. If you also want Nmap to state why it classified each port as it did, add the --reason option.

Example verbose output (the actual output will vary depending on your network):

Starting Nmap <version> ( https://nmap.org ) at <date>
Initiating Ping Scan at <time>
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at <time>, <time>s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at <time>
Completed Parallel DNS resolution of 256 hosts. at <time>, <time>s elapsed
Initiating SYN Stealth Scan at <time>
Scanning 256 hosts [1000 ports/host]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 2121/tcp on 127.0.0.1
Discovered open port 2222/tcp on 127.0.0.1
Discovered open port 3001/tcp on 127.0.0.1
Discovered open port 8080/tcp on 127.0.0.1
Completed SYN Stealth Scan at <time>, <time>s elapsed (256 total hosts)
Nmap scan report for localhost (127.0.0.1)
Host is up (<latency>s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 256 IP addresses (1 host up) scanned in <time> seconds

After the scan completes, you can view the contents of the random_scan.txt file using the cat command:

cat random_scan.txt

The random_scan.txt file contains the same report that was printed on the screen during the scan. Keep it alongside a saved copy of the baseline scan from the first step so you can compare the two, or hand it to a reporting workflow later.
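The following is an added example, not part of the original lab, of the "later analysis" a saved normal-output file allows: a small parser for the -oN format shown throughout this lab and a comparison of two such files, a baseline and a later randomized scan. The two scan texts embedded below are constructed sample output in that format, not real captures; in the constructed "randomized" scan port 3001 is no longer open so that the comparison has something to report. Nmap does not record the order in which it probed hosts, so what normal output lets you compare is the set of hosts found up and their open ports, not the randomization itself.

```python
"""Added example (not part of the original lab): parse Nmap normal (-oN)
output and diff two scans.  BASELINE and RANDOMIZED are constructed samples
in the format this lab shows; pass two file names to compare real files."""
import re
import sys

BASELINE = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 256 IP addresses (1 host up) scanned in 3.21 seconds
"""

RANDOMIZED = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy

Nmap done: 256 IP addresses (1 host up) scanned in 3.40 seconds
"""

# "Nmap scan report for localhost (127.0.0.1)" or "Nmap scan report for 127.0.0.5"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?$")
# "22/tcp   open  ssh" (the SERVICE column is a table lookup, kept only as a label)
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_normal_output(text: str) -> dict[str, dict]:
    """Return {ip: {"name": hostname or None, "up": bool, "open": {"22/tcp", ...}}}."""
    hosts: dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group("ip")
            hosts[current] = {"name": m.group("name"), "up": False, "open": set()}
            continue
        if current is None:
            continue  # header lines before the first host report
        if line.startswith("Host is up"):
            hosts[current]["up"] = True
            continue
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            hosts[current]["open"].add(f"{m.group('port')}/{m.group('proto')}")
    return hosts


def compare_scans(old: dict[str, dict], new: dict[str, dict]) -> dict[str, dict]:
    """Per host that changed: ports newly open and ports no longer open.
    A host present in only one scan is reported with its whole port set."""
    diff = {}
    for ip in sorted(set(old) | set(new)):
        before = old.get(ip, {}).get("open", set())
        after = new.get(ip, {}).get("open", set())
        if before != after or (ip in old) != (ip in new):
            diff[ip] = {"opened": after - before, "closed": before - after}
    return diff


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old, new = parse_normal_output(f_old.read()), parse_normal_output(f_new.read())
    else:
        old, new = parse_normal_output(BASELINE), parse_normal_output(RANDOMIZED)
    changes = compare_scans(old, new)
    if not changes:
        print("no differences in hosts or open ports")
    for ip, change in changes.items():
        print(ip, "opened:", sorted(change["opened"]), "closed:", sorted(change["closed"]))
```

With the embedded samples the script reports that 3001/tcp closed on 127.0.0.1 between the two scans; run it as python3 compare_scans.py baseline.txt random_scan.txt to compare two files you saved with -oN. Normal output is fine for this kind of check, but if the comparison grows beyond a few fields, switch the scans to -oX and parse the XML instead of matching the text layout.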

Summary

In this lab, you explored Nmap's capabilities for network scanning and host discovery, with a focus on randomizing target selection.

You started by performing a standard subnet scan using nmap 127.0.0.1/24 to identify active hosts and their open services. This established a baseline for understanding Nmap's default behavior.

Next, you learned to randomize the order in which Nmap scans targets using the --randomize-hosts option, applying it to both a subnet (127.0.0.1/24) and a specific IP range (127.0.0.1-10). This demonstrated how to make your scans less predictable.

Finally, you enhanced your scan by adding verbosity (-v) for more detailed output and saved the results to a file (random_scan.txt) using the -oN option. This highlighted practical techniques for controlling and documenting Nmap scans for later analysis.

You have now gained fundamental skills in performing Nmap scans, randomizing host order, increasing verbosity, and saving scan results, which are crucial for network reconnaissance and security auditing.