Host Discovery
In penetration testing, host discovery is the process of identifying which hosts are active on a network. Nmap provides various techniques to accomplish this, each suited to different situations based on factors such as network characteristics, stealth requirements, and the specific goals of the pentest.
Some commonly used host discovery techniques include:
ICMP Echo Request (Ping): Sends a ping to check if a host is responding.
TCP SYN Scan: Sends a TCP SYN packet to a specific port to see if the host is listening.
ARP Requests: Used for discovering hosts on a local network (LAN).
TCP ACK Scan: Checks if a host is filtering packets without revealing open ports.
The choice of technique depends on the level of stealth required and the type of network being scanned (internal vs. external). Each method provides different levels of effectiveness based on firewalls, filters, and network configurations.
Techniques
| Technique | Packet Sent | Expected Packet for a Live Host | Pros (When to Use) | Cons (When Not to Use) |
|---|---|---|---|---|
| Ping Sweeps (ICMP Echo Request) | ICMP Echo Request | ICMP Echo Reply | Quick and commonly used; ideal for networks that allow ICMP traffic | Often blocked by firewalls; does not work on Windows by default |
| ARP Scanning | ARP Request | ARP Reply | Effective on local networks (LANs); accurate results in the same broadcast domain | Only works within a local network, not for external or routed networks |
| TCP SYN Ping (Half-Open Scan) | TCP SYN | TCP SYN-ACK | Stealthier than ICMP; useful in bypassing ICMP restrictions | May be blocked by firewalls or Intrusion Detection Systems (IDS) |
| UDP Ping | UDP Packet | No response (or ICMP Port Unreachable) | Useful for discovering hosts that don't respond to ICMP or TCP | Can be slow due to lack of acknowledgment; prone to packet loss |
| TCP ACK Ping | TCP ACK | TCP RST | Effective in bypassing firewalls that block SYN or ICMP pings | Less stealthy; may trigger firewall alerts |
| SYN-ACK Ping | TCP SYN-ACK | TCP RST | Good for detecting firewalled or closed ports; slightly stealthier than SYN scans | Can be blocked by firewalls; not useful if all ports are filtered |
Pingsweep/Ping Scan
Pingsweep is a network scanning technique used to identify live hosts (e.g., computers or servers) within a specific IP address range. It works by sending ICMP Echo Request (Type 8, Code 0) messages to multiple IP addresses. If a host is reachable, it responds with an ICMP Echo Reply (Type 0, Code 0) message, indicating that the host is active.
If no response is received, it could mean the host is offline, unreachable due to network issues, or blocking ICMP traffic via a firewall. Pingsweeps help assess the availability of devices on a network but require careful interpretation of results.
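To make the Type 8 / Type 0 exchange concrete, here is an added Python example (not part of the original page) that builds an ICMP Echo Request, computes its RFC 1071 checksum, parses a constructed Echo Reply, and turns the outcome into the verdict a sweep would report. The reply in the demonstration is constructed locally so the code runs offline; `send_echo_request` is the only function that touches the network, and the identifier 0x1234 and payload text are arbitrary values chosen for the example.

```python
import socket
import struct
from typing import Any, Dict, Optional

# ICMP type/code values used by a ping sweep (RFC 792)
ICMP_ECHO_REQUEST = 8       # Type 8, Code 0: what the sweep sends
ICMP_ECHO_REPLY = 0         # Type 0, Code 0: what a live host answers
ICMP_DEST_UNREACHABLE = 3   # Type 3: a router or host reports the target unreachable


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise the 8-byte ICMP header plus payload with the checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"constructed-probe") -> bytes:
    return build_icmp(ICMP_ECHO_REQUEST, 0, ident, seq, payload)


def parse_icmp(packet: bytes) -> Dict[str, Any]:
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if icmp_checksum(packet) != 0:            # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def build_echo_reply(request: bytes) -> bytes:
    """Constructed reply: what a live host sends back (same id/seq/payload, Type 0)."""
    msg = parse_icmp(request)
    return build_icmp(ICMP_ECHO_REPLY, 0, msg["id"], msg["seq"], msg["payload"])


def classify_reply(reply: Optional[bytes], ident: int, seq: int) -> str:
    """Turn what came back (or did not) into the verdict a sweep reports."""
    if reply is None:
        # Offline, unreachable, or a firewall dropping ICMP all look identical here
        return "no-response"
    msg = parse_icmp(reply)
    if (msg["type"] == ICMP_ECHO_REPLY and msg["code"] == 0
            and msg["id"] == ident and msg["seq"] == seq):
        return "up"
    if msg["type"] == ICMP_DEST_UNREACHABLE:
        return "unreachable(code=%d)" % msg["code"]
    return "unexpected"


def send_echo_request(dst: str, ident: int = 0x1234, seq: int = 1,
                      timeout: float = 1.0) -> Optional[bytes]:
    """Send one real echo request. Opening a raw ICMP socket is the privileged step:
    without root (the no-sudo case on this page) this raises PermissionError."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_echo_request(ident, seq), (dst, 0))
        data, _ = sock.recvfrom(1500)
    except socket.timeout:
        return None
    finally:
        sock.close()
    ihl = (data[0] & 0x0F) * 4                # raw sockets hand back the IPv4 header too
    return data[ihl:]


if __name__ == "__main__":
    request = build_echo_request(0x1234, 1)
    print(classify_reply(build_echo_reply(request), 0x1234, 1))   # up
    print(classify_reply(None, 0x1234, 1))                         # no-response
```

The `no-response` branch is the point the paragraph above makes: a silent host and a host behind a firewall that drops ICMP produce the same result, so a sweep alone cannot tell them apart, and the id/seq check is what lets a sweeper match replies to its own probes rather than to stray ICMP traffic.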
One common method is a ping sweep (or ping scan), where Nmap sends ICMP echo requests to multiple IP addresses to check which hosts respond, indicating they are active. Additionally, Nmap can use other techniques like ARP requests and TCP/UDP scans to find hosts that might block ICMP.
Running nmap -sn performs a ping scan (or ping sweep) without scanning any ports: it reports which hosts are up on a network without probing for open ports or services.
Pingsweep with Sudo vs Without Sudo
When you run nmap -sn with or without sudo, the difference lies in the types of probes Nmap is able to send, particularly regarding privileged network operations.
Without sudo (non-privileged mode)
In this mode, Nmap operates with user-level permissions and lacks access to raw packet sockets. As a result, Nmap cannot send raw ICMP echo requests (ping) due to insufficient permissions and falls back to alternative methods such as:
TCP SYN ping: Sends TCP SYN packets to port 80 or other common ports to check for responses (SYN-ACK or RST), indicating the host is up.
ARP scan (on local networks): If you're scanning within the same local subnet, Nmap uses ARP (Address Resolution Protocol) requests to identify live hosts, since ARP doesn't require root privileges on most systems. ARP takes priority there because it maps IP addresses directly to MAC addresses, which makes it faster and more reliable than IP-based methods.
These alternative methods can still detect live hosts but may result in less accurate or partial results compared to privileged scans, especially across different network segments (e.g., non-local networks).
With sudo (privileged mode)
When sudo is used, Nmap has root-level access to raw sockets, enabling it to use more accurate and direct host discovery techniques.
ICMP Echo Request (ping): Nmap can now send raw ICMP echo requests (Type 8, Code 0) directly to targets, which is the most reliable method to check for host availability.
ICMP Timestamp Request/Reply: Nmap may also send timestamp requests to detect live hosts that may not respond to standard ping.
UDP pings: In some cases, Nmap can send UDP-based probes to specific ports for additional host discovery.
TCP ACK ping: In privileged mode, Nmap can send TCP ACK packets to a range of ports to detect hosts based on their response.
Summary of Differences
Raw Socket Access: sudo enables raw socket access, allowing Nmap to use native ICMP pings, which are blocked in non-privileged mode.
Scan Accuracy: Scans without sudo might miss hosts that don't respond to the fallback TCP SYN or ARP pings, especially if the target hosts have firewalls blocking certain ports or protocols.
Host Detection: With sudo, Nmap can leverage a broader set of network protocols, leading to more thorough and accurate host discovery, especially on non-local networks.
In conclusion, running nmap -sn with sudo enhances the effectiveness of the scan by allowing direct access to low-level packet generation and analysis.
Other Misc. Techniques
With this flag: Nmap sends raw IP packets or raw Ethernet frames. This is useful for bypassing local network restrictions or manipulating packet headers for low-level scanning.
Without this flag: Nmap uses the default methods to send packets, which could involve system-level APIs, possibly limited by the network stack.
SYN Ping: Sends TCP SYN packets to discover hosts. By default, it sends SYN packets to port 80. This technique can be used for host discovery without a full port scan.
This command performs host discovery using TCP SYN ping. It does not perform a full port scan (-sn disables port scanning). Ports are specified for the SYN ping, e.g., -PS22 for SSH.
ACK Ping: Sends TCP ACK packets to specified ports for host discovery. Useful in networks where SYN packets are blocked. Some firewalls or systems might block ACK packets, making it ineffective in those cases.
ICMP Echo: Sends ICMP Echo Requests (similar to ping) to discover active hosts. Use this when ICMP is not blocked, as it can be faster for discovering live hosts.
Performs host discovery (-sn) with verbose output (-v) and timing template 4 (-T4), which speeds up the scan without causing excessive network load. Use this for quick network sweeps.
This command does host discovery by sending SYN pings to specific ports (21, 22, etc.) and UDP pings to ports 137 and 138. It's useful when both TCP and UDP services are present on a network.
Glossary
Subnet: A subnet (short for subnetwork) is a logical subdivision of an IP network. It divides a larger network into smaller, manageable segments, improving efficiency and security.
CIDR (Classless Inter-Domain Routing): CIDR is a method for allocating IP addresses more flexibly. It uses a suffix (like /24) to indicate how many bits of the IP address are used for the network portion, replacing the traditional class-based system.
Netmask: A netmask is used to define which portion of an IP address identifies the network and which part identifies the host. It is often written like 255.255.255.0 to represent how many bits are allocated for the network.
ARP Request (Address Resolution Protocol): An ARP request is a message sent by a device to find the MAC address associated with an IP address on the local network, enabling communication between devices.
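The glossary terms above and the ARP-first rule from the non-privileged section fit together in a small piece of code. The following is an added Python example (not from the original page) that converts between CIDR suffixes and netmasks, enumerates the host addresses a sweep of a range would probe, splits a network into smaller subnets, and decides whether a target shares the scanner's broadcast domain (so ARP can resolve it) or must be reached with IP-based probes. `choose_discovery_probe` follows the fallback order described on this page; the interface and target addresses are constructed sample values.

```python
import ipaddress
from typing import List


def netmask_to_prefix(netmask: str) -> int:
    """'255.255.255.0' -> 24: count the network bits a dotted netmask covers."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def prefix_to_netmask(prefix: int) -> str:
    """24 -> '255.255.255.0': the CIDR suffix written out as a netmask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def sweep_targets(cidr: str) -> List[str]:
    """Usable host addresses in a range, i.e. what a ping sweep of that CIDR probes
    (the network and broadcast addresses are excluded)."""
    return [str(h) for h in ipaddress.IPv4Network(cidr, strict=False).hosts()]


def split_subnet(cidr: str, new_prefix: int) -> List[str]:
    """Divide a larger network into smaller segments, e.g. one /24 into four /26s."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [str(n) for n in net.subnets(new_prefix=new_prefix)]


def same_broadcast_domain(iface_cidr: str, target: str) -> bool:
    """True when the target lies in the scanning interface's subnet,
    which is the only case where an ARP request can reach it."""
    local_net = ipaddress.IPv4Interface(iface_cidr).network
    return ipaddress.IPv4Address(target) in local_net


def choose_discovery_probe(iface_cidr: str, target: str, privileged: bool) -> str:
    """First-choice probe in the order this page describes: ARP on the local subnet,
    raw ICMP echo when running with sudo, otherwise a TCP SYN to port 80."""
    if same_broadcast_domain(iface_cidr, target):
        return "ARP request"
    if privileged:
        return "ICMP echo request (raw socket)"
    return "TCP SYN to port 80"


if __name__ == "__main__":
    # Constructed sample: scanner sits on 192.168.1.10/24
    print(netmask_to_prefix("255.255.255.0"))                       # 24
    print(len(sweep_targets("192.168.1.0/24")))                     # 254
    print(split_subnet("192.168.1.0/24", 26))
    print(choose_discovery_probe("192.168.1.10/24", "192.168.1.200", privileged=False))
    print(choose_discovery_probe("192.168.1.10/24", "10.0.0.5", privileged=True))
```

Checking the target against the interface's network before choosing a probe is the same decision Nmap makes: only addresses inside the local subnet are in the same broadcast domain, which is why ARP results are accurate there and why a routed target cannot be discovered with ARP at all.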