Host Discovery
Nmap supports many host discovery methods; the most effective of them is the ICMP echo request, which only works if the host's firewall (or one in front of it) lets it through. Other methods are covered in IDS/IPS Evasion.
sudo nmap 10.129.2.0/24 -sn -oA tnet
10.129.2.0/24
Target network range.
-sn
Disables port scanning.
-oA tnet
Stores the results in all formats starting with the name 'tnet'.
Scan IP List
Instead of manually defining or typing the IPs of the hosts, if we have them in a list we can hand that file to nmap.
sudo nmap -sn -oA tnet -iL hosts.lst
-iL
Performs defined scans against targets in provided 'hosts.lst' list.
Scan Multiple IPs
We can list multiple IPs in a single command, and we can also give a range.
sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20
sudo nmap -sn -oA tnet 10.129.2.18-20
Single IP Scan
Before scanning a host for ports and services we first need to determine whether the host is alive. We can run nmap with the -sn option, which disables the port scan and falls back to an ICMP echo request (-PE). Adding --packet-trace shows every packet sent and received, and --reason shows why nmap decided a host is alive.
sudo nmap 10.129.2.18 -sn -oA host -PE --reason --packet-trace
Because the target is on the local network, nmap first sends an ARP request to resolve the MAC address for the IP. If we want to stop nmap from sending ARP packets we can add --disable-arp-ping, so the target is probed with the desired ICMP echo requests instead.
The result from this scan will look like this:
Interestingly, from the TTL value of the IP packet received above we can make a guess at the OS. In this case it is Windows.
TTL values for different OSes:
Windows operating systems typically use a default TTL of 128.
Linux/Unix-based systems usually have a default TTL of 64.
Cisco devices generally have a TTL of 255.
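The TTL heuristic above, worked through in code as an added example (not part of the original notes): it parses the RCVD lines of nmap --packet-trace output, and since every router on the path decrements the TTL by one, it maps an observed value to the nearest default above it and reports the implied hop count. The trace lines and addresses are constructed samples in the nmap format, and the mapping is only a heuristic, because a host can change its default TTL.

```python
import re

# Default initial TTLs listed above, per OS family (heuristic only).
DEFAULT_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Cisco/network device"}

# Matches the source IP and ttl field of an nmap --packet-trace RCVD line.
RCVD_RE = re.compile(r"^RCVD .*?\[(?P<src>[\d.]+) > [\d.]+ .*?ttl=(?P<ttl>\d+)")

# Constructed sample trace (format mirrors nmap --packet-trace; values are made up).
SAMPLE_TRACE = """
SENT (0.0074s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0107s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
RCVD (0.0211s) ICMP [10.129.2.19 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=61 id=40623 iplen=28 ]
RCVD (0.0305s) ICMP [10.129.2.20 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=250 id=40624 iplen=28 ]
"""


def guess_os(observed_ttl):
    """Return (os_family, estimated_hops) for an observed TTL.

    The initial TTL is taken as the smallest default that is >= the observed
    value; the difference is the number of routers the reply passed through.
    """
    for initial in sorted(DEFAULT_TTLS):
        if observed_ttl <= initial:
            return DEFAULT_TTLS[initial], initial - observed_ttl
    return "unknown", 0


def parse_packet_trace(text):
    """Map each replying source IP to (ttl, os_family, estimated_hops).

    SENT lines and anything without a ttl field are ignored.
    """
    results = {}
    for line in text.splitlines():
        m = RCVD_RE.match(line.strip())
        if not m:
            continue
        ttl = int(m.group("ttl"))
        os_family, hops = guess_os(ttl)
        results[m.group("src")] = (ttl, os_family, hops)
    return results


if __name__ == "__main__":
    for ip, (ttl, os_family, hops) in parse_packet_trace(SAMPLE_TRACE).items():
        print(f"{ip}: ttl={ttl} -> {os_family} (about {hops} hops away)")
```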