
The Network Mapper (Nmap) utility works in stages, and an option can stop it after any of them:
- Target Enumeration (-sL): expanding the target specification into the list of addresses to scan (resolving names on the way) without sending a single packet to the targets.
- Host Discovery (-sn): probing each address to find the live hosts, then stopping.
- Port Scan: finding the open ports on the live hosts and the services provisioned behind them.
With none of these options, nmap enumerates the targets, discovers the live hosts and port-scans only those. The run below was made as an unprivileged user, so the port scan is a TCP connect() scan of nmap's default 1000 ports, which is why closed ports are reported with the reason "conn-refused".
$ nmap 10.10.10.100/30
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-18 06:34 PST
Nmap scan report for kali-01.lab.wuson.org (10.10.10.100)
Host is up (0.00034s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
Nmap scan report for 10.10.10.101
Host is up (0.00040s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 4 IP addresses (2 hosts up) scanned in 1.31 seconds
Target Specification
- Hostname: scanme.nmap.org
- Subnet/CIDR: 64.13.134.52/16 or 64.13.0.0/16 or scanme.nmap.org/16
- Octet Range: 64.13.134.52-54; either end of a range may be omitted, and a bare "-" means 0-255 (10.10.10.- covers the whole last octet)
- Octet Set: 64.13.134.52,53,54
- Octet List: 64.13.134.52-54,57,59 (ranges and single values mixed, comma-separated)
- Target List: 64.13.134.52-54,57,59 192.168.1.1/30 10.10.10.10,11,12 (several specifications of any kind, space-separated)
Enumerating the Target without Scanning
With -sL nmap only expands the target specification and prints the resulting addresses; it performs DNS lookups but sends nothing to the targets themselves, so the summary line always reports 0 hosts up. -n turns off reverse DNS (rDNS) lookups, which is why the first two runs print bare addresses where the third prints hinet-ip.hinet.net names; a hostname given as a target is still resolved forward, and a CIDR suffix on a hostname (amicliens.com/29) applies to the address it resolves to. wentzwu.com has two A records, so each run picks one and reports the other as "not scanned". -iL reads the same target syntax from a file, with entries separated by spaces, tabs or newlines.
$ nmap -n -sL 64.13.134.52-54,57,59 \
> wentzwu.com \
> amicliens.com/29
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-18 04:44 PST
Nmap scan report for 64.13.134.52
Nmap scan report for 64.13.134.53
Nmap scan report for 64.13.134.54
Nmap scan report for 64.13.134.57
Nmap scan report for 64.13.134.59
Nmap scan report for wentzwu.com (192.0.78.221)
Other addresses for wentzwu.com (not scanned): 192.0.78.157
Nmap scan report for 61.219.106.240
Nmap scan report for 61.219.106.241
Nmap scan report for 61.219.106.242
Nmap scan report for 61.219.106.243
Nmap scan report for 61.219.106.244
Nmap scan report for 61.219.106.245
Nmap scan report for amicliens.com (61.219.106.246)
Nmap scan report for 61.219.106.247
Nmap done: 14 IP addresses (0 hosts up) scanned in 0.19 seconds
$ cat host-list.txt
64.13.134.52-54,57,59
wentzwu.com
amicliens.com/29
$ nmap -n -sL -iL host-list.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-18 04:56 PST
Nmap scan report for 64.13.134.52
Nmap scan report for 64.13.134.53
Nmap scan report for 64.13.134.54
Nmap scan report for 64.13.134.57
Nmap scan report for 64.13.134.59
Nmap scan report for wentzwu.com (192.0.78.157)
Other addresses for wentzwu.com (not scanned): 192.0.78.221
Nmap scan report for 61.219.106.240
Nmap scan report for 61.219.106.241
Nmap scan report for 61.219.106.242
Nmap scan report for 61.219.106.243
Nmap scan report for 61.219.106.244
Nmap scan report for 61.219.106.245
Nmap scan report for amicliens.com (61.219.106.246)
Nmap scan report for 61.219.106.247
Nmap done: 14 IP addresses (0 hosts up) scanned in 0.25 seconds
$ nmap -sL amicliens.com/29
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-18 05:09 PST
Nmap scan report for 61-219-106-240.hinet-ip.hinet.net (61.219.106.240)
Nmap scan report for 61-219-106-241.hinet-ip.hinet.net (61.219.106.241)
Nmap scan report for 61-219-106-242.hinet-ip.hinet.net (61.219.106.242)
Nmap scan report for 61-219-106-243.hinet-ip.hinet.net (61.219.106.243)
Nmap scan report for 61-219-106-244.hinet-ip.hinet.net (61.219.106.244)
Nmap scan report for 61-219-106-245.hinet-ip.hinet.net (61.219.106.245)
Nmap scan report for amicliens.com (61.219.106.246)
rDNS record for 61.219.106.246: 61-219-106-246.hinet-ip.hinet.net
Nmap scan report for office.5971.com.tw (61.219.106.247)
Nmap done: 8 IP addresses (0 hosts up) scanned in 0.47 seconds
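As an added example, not code from the original page or from nmap itself, the POSIX shell script below expands the numeric forms of the target syntax listed above (octet ranges and sets, the bare "-" wildcard, and CIDR suffixes) into one address per line, reproducing what nmap -n -sL prints and the count in its "Nmap done: N IP addresses" line. It goes slightly beyond the page's cases by handling the wildcard and by rounding a CIDR target down to its network address the way nmap does. Hostnames are deliberately not handled, since they need a forward DNS lookup, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page or from nmap itself): expand the
# numeric forms of nmap's target specification, one IPv4 address per line, the
# way `nmap -n -sL` lists them. Handled: plain addresses, per-octet ranges and
# sets (52-54,57,59), a bare '-' meaning 0-255, and CIDR suffixes (/29).
# Hostnames are not handled (they need a forward DNS lookup); input is assumed
# to be well-formed.

# Print every value covered by one octet spec: "52-54,57,59" -> 52 53 54 57 59.
# In a range, a missing low end means 0 and a missing high end means 255,
# so "-" alone covers the whole octet (nmap's wildcard form).
expand_octet() {
    _save_ifs=$IFS; IFS=,
    for _part in $1; do
        case $_part in
            *-*) _lo=${_part%%-*}; _hi=${_part#*-} ;;
            *)   _lo=$_part;       _hi=$_part ;;
        esac
        _v=${_lo:-0}
        while [ "$_v" -le "${_hi:-255}" ]; do
            printf '%s\n' "$_v"
            _v=$((_v + 1))
        done
    done
    IFS=$_save_ifs
}

# Expand a dotted spec whose octets may be ranges or sets (nmap "octet list").
expand_octets() {
    _o1=${1%%.*}; _r=${1#*.}
    _o2=${_r%%.*}; _r=${_r#*.}
    _o3=${_r%%.*}; _o4=${_r#*.}
    for _a in $(expand_octet "$_o1"); do
      for _b in $(expand_octet "$_o2"); do
        for _c in $(expand_octet "$_o3"); do
          for _d in $(expand_octet "$_o4"); do
            printf '%s.%s.%s.%s\n' "$_a" "$_b" "$_c" "$_d"
          done
        done
      done
    done
}

# Dotted quad <-> 32-bit integer, for the CIDR arithmetic.
ip_to_int() {
    _save_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_save_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# Expand "a.b.c.d/prefix" into every address of the block. Like nmap, the
# network and broadcast addresses are included, and the host bits of the
# given address are ignored (10.10.10.100/30 starts at 10.10.10.100).
expand_cidr() {
    _base=${1%/*}; _prefix=${1#*/}
    _mask=$(( (4294967295 << (32 - _prefix)) & 4294967295 ))
    _net=$(( $(ip_to_int "$_base") & _mask ))
    _count=$(( 1 << (32 - _prefix) ))
    _i=0
    while [ "$_i" -lt "$_count" ]; do
        int_to_ip $(( _net + _i ))
        _i=$((_i + 1))
    done
}

# Expand a space-separated target list (one spec per argument), like -sL.
expand_targets() {
    for _t in "$@"; do
        case $_t in
            */*) expand_cidr "$_t" ;;
            *)   expand_octets "$_t" ;;
        esac
    done
}

# Number of addresses, matching nmap's "Nmap done: N IP addresses" line.
count_targets() { expand_targets "$@" | wc -l | tr -d ' '; }

# Usage: sh expand-targets.sh 64.13.134.52-54,57,59 61.219.106.246/29
expand_targets "$@"
```

Run it with the numeric parts of the page's -sL command (64.13.134.52-54,57,59 and 61.219.106.246/29 plus the resolved 192.0.78.221) and it yields the same 14 addresses, from 61.219.106.240 through 61.219.106.247 for the /29, that nmap reported; 10.10.10.100/30 from the first scan gives 4.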
Discovering Live Hosts
The following four protocols are commonly utilized to discover or detect live hosts:
- ARP
- ICMP
- TCP
- UDP
A host sends an Address Resolution Protocol (ARP) Request as a broadcast on the local network to ask which MAC address belongs to the receiver's IP address. The host configured with that IP address replies to the source host with an ARP Reply carrying its MAC address, so a reply proves that a host is up at that address, and a host that takes part in the LAN at all must answer. ARP is not routed, however: if the target sits in a different network from the source host, ARP cannot be used to detect whether it is live. Nmap's -PR option selects ARP ping; run as root against targets on the local Ethernet segment, nmap uses ARP for host discovery by default whatever other -P* options are given, because it is faster and more reliable than IP-level probes.
$ nmap -n -PR -sn 10.10.10.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-18 06:17 PST
Nmap scan report for 10.10.10.30
Host is up (0.00039s latency).
Nmap scan report for 10.10.10.100
Host is up (0.00028s latency).
Nmap scan report for 10.10.10.101
Host is up (0.00024s latency).
Nmap scan report for 10.10.10.200
Host is up (0.00077s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 5.05 seconds
The Internet Control Message Protocol (ICMP) carries diagnostic and control messages and error reports generated during IP operation, distinguished by message type and code. The pair Echo Request (Type 8) and Echo Reply (Type 0) is the most familiar: the ping utility sends an Echo Request to a remote host, and a returned Echo Reply proves the host is alive. The converse does not hold: many hosts and firewalls drop Echo Requests, so no reply means only that this probe went unanswered, not that the host is down. Nmap sends the same probe with -PE and can also try ICMP Timestamp (-PP) and Address Mask (-PM) requests, which some filters overlook.
TCP and UDP provide transport services to applications (running processes) through port numbers. TCP builds a connection with a three-way handshake and uses header flags (SYN, ACK, RST and others) for connection, flow and error control; UDP has no handshake and no such control. Either can reveal a live host. A TCP SYN sent to a port (-PS, default port 80) is answered with SYN/ACK if the port is open and with RST if it is closed, and both answers prove the host is up; a TCP ACK (-PA, default port 80) to a host that is up draws an RST regardless of port state, and often passes stateless filters that block SYNs; an empty UDP datagram (-PU, default port 40125) to a closed port is answered with an ICMP Port Unreachable. A reply of any kind is the evidence; silence proves nothing. Run as root, nmap's default host discovery combines an ICMP Echo Request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP Timestamp Request (ARP requests replace these for targets on the local Ethernet segment); an unprivileged user gets only a TCP connect() to ports 80 and 443.
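As an added example, not code from the original page, the script below ties each live host back to the protocol that answered for it. nmap's --reason option makes the normal output state which packet proved a host up ("Host is up, received syn-ack ttl 64 ..."), so a discovery run such as nmap -sn --reason -PE -PS22,443 -PA80 -PU53 10.10.10.0/24 can be parsed to see whether ARP, ICMP, TCP or UDP did the work. The sample output embedded in the script is constructed to look like that run against the lab network above; the reason tokens (arp-response, echo-reply, syn-ack, reset, port-unreach, user-set) are nmap's own --reason vocabulary, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): tally which of the four discovery
# protocols (ARP, ICMP, TCP, UDP) made each host show up as live, by parsing
# the normal output of a run such as
#   nmap -sn --reason -PE -PS22,443 -PA80 -PU53 10.10.10.0/24
# --reason makes nmap print the packet that proved the host up.

# Constructed sample, shaped like nmap's normal output with --reason.
SAMPLE_OUTPUT='Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-18 06:40 PST
Nmap scan report for 10.10.10.30
Host is up, received arp-response (0.00039s latency).
Nmap scan report for kali-01.lab.wuson.org (10.10.10.100)
Host is up, received echo-reply ttl 64 (0.00028s latency).
Nmap scan report for 10.10.10.101
Host is up, received syn-ack ttl 64 (0.00024s latency).
Nmap scan report for 10.10.10.200
Host is up, received reset ttl 128 (0.00077s latency).
Nmap scan report for 10.10.10.201
Host is up, received port-unreach ttl 64 (0.00081s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 5.05 seconds'

# Map an nmap --reason token to the protocol of the answering packet.
reason_to_protocol() {
    case $1 in
        arp-response)                echo ARP ;;
        echo-reply|timestamp-reply)  echo ICMP ;;
        syn-ack|reset)               echo TCP ;;     # an RST from a closed port still proves the host is up
        port-unreach)                echo UDP ;;     # ICMP Port Unreachable answering a UDP probe
        user-set)                    echo NONE ;;    # -Pn: assumed up, never probed
        *)                           echo UNKNOWN ;;
    esac
}

# Read nmap normal output on stdin; print "<ip> <reason>" for every live host.
# Hosts that never answered do not appear in -sn output, so they are not listed:
# absence here means "no probe was answered", not "host is down".
live_hosts_with_reason() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }   # last field is the IP, in parentheses when rDNS resolved
        /^Host is up, received / { print host, $5 }                     # fifth field is the reason token
    '
}

# Print "<ip> <reason> <protocol>" per live host.
discovery_summary() {
    live_hosts_with_reason | while read -r ip reason; do
        printf '%s %s %s\n' "$ip" "$reason" "$(reason_to_protocol "$reason")"
    done
}

# Per-protocol counts ("ARP 1", "TCP 2", ...), sorted by protocol name.
protocol_counts() {
    discovery_summary | awk '{ n[$3]++ } END { for (p in n) print p, n[p] }' | sort
}

# Bind the parsers to the constructed sample so the script runs offline.
sample_summary() { printf '%s\n' "$SAMPLE_OUTPUT" | discovery_summary; }
sample_counts()  { printf '%s\n' "$SAMPLE_OUTPUT" | protocol_counts; }

# Usage against a real run:  nmap -sn --reason ... 10.10.10.0/24 | discovery_summary
sample_summary
sample_counts
```

On the constructed sample the summary attributes one host to ARP, one to ICMP, two to TCP (one via SYN/ACK, one via RST) and one to UDP, which is the practical reason for stacking several probe types: a host that drops ICMP is frequently still caught by the TCP or UDP probe.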