HakTip 95 – NMap 101: Scanning Networks Using Alternative Packets
This week on HakTip Shannon is using NMap to find open ports that can be accessed on the network.
Welcome to HakTip — the show where we breakdown concepts, tools and techniques for hackers, gurus and IT ninjas. I’m Shannon Morse and today we’re going to go over Discovery Options.
You’ll notice whenever you use NMap that it only outputs the servers that are currently alive and operating. This is because it sends out something called an ICMP (internet control message protocol) echo request to look for any devices that are currently ‘alive’. By doing so, NMap will save time when giving you information, because it’s not going to be scanning anything thats offline. NMap will also scan ports 80 and 443 because, if ICMP is being blocked by a firewall or something similar, these two ports are most commonly used for web platforms. So basically, when you’re scanning your network, you’re only going to get the items that are open. If you want to scan more secure targets, these alternative discovery options might be more useful.
First off is Don’t Ping which is used with the -PN option. Sometimes you’ll run into a target that seems to be offline. NMap will give you an error that says “Host seems down […] try -PN”. -PN will skip that first ping attempt, and go ahead and do a deep scan of the target. You would type nmap -PN 10.73.31.171.
Say you want to just scan the network really quick to see which ones are online – you don’t need to know about the names or open ports. You can do a Ping Only Scan. To do so, type nmap -sP (for simple ping) then your target. So mine would be nmap -sP 10.73.31.0/24. After the break, we’re going to check out a couple of other alternative discovery options. Stay tuned!
We’re back! So we know how to do a regular scan, and a couple of discovery options. But there is more! Say you want to scan an item that is blocking the regular ICMP ping that NMap uses before it does a whole scan. You can use a TCP SYN ping instead. This will make NMap send out a SYN packet instead of ICMP. It would look like this: nmap -PS 10.73.31.145. It usually sends out the packet via port 80, but you can change this by adding the port to your command, like this: nmap -PS22,80,443 10.73.31.145.
Another option if ICMP pings are being blocked would be using TCP ACK packets, which is similar to the last command, and is used for the same reason. Type: nmap -PA 10.73.31.145. This one can also be used on other ports by adding the port numbers directly after the -PA command.
See a pattern here? If one request doesn’t return some kind of data from the target, you can always substitute it with another discovery option. With these above, we also have -PU for a UDP scan, -PY for an SCTP INIT scan (Stream Control Transmission Protocol), -PE which is used for ICMP (and is implied if no other option is given), -PP for an ICMP timestamp ping (which is useful for firewalled targets), -PM for an ICMP Address Mask Ping, which will occasionally be able to get through a firewall.
Each of these additional options uses popular internet protocols to make sure your NMap network scan ends up getting exactly what you expected.
What would you like to see next about NMAP? Send me a comment below or email us at [email protected] If you like NMap, perhaps you’ll enjoy our new show, Metasploit Minute with Mubix, airing every Monday at hak5.wpengine.com. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.