# Nmap Live Host Discovery

## Nmap Host Discovery

Host discovery is the first stage of an Nmap scan. It determines which IP addresses in the target range are actually in use by a live host, so that the slower port-scanning stages are only spent on hosts that exist.
- Subnetworks vs. network segments: A network segment is a set of devices that share a link-layer medium, such as all hosts plugged into the same switch (or the same VLAN); they can reach each other without going through a router. A subnetwork is a logical, IP-layer division of an address space, such as 192.168.1.0/24; traffic between two subnets must pass through a router. A subnet can span several segments, and a single segment can carry more than one subnet, so the two terms are related but not interchangeable. In the common case of one subnet per segment, hosts on the same segment are also on the same subnet.
- ARP (Address Resolution Protocol): ARP is a link-layer protocol that resolves an IPv4 address to the MAC address of the interface holding it. It is needed because Ethernet and Wi-Fi frames are addressed by MAC address, so a host must learn its neighbour's MAC before it can deliver an IP packet on the same segment. ARP requests are broadcast frames: they reach every host in the broadcast domain but are never forwarded by routers. ARP therefore cannot discover hosts on other subnets and is only usable from a machine directly attached to the target segment.
- Enumerating targets: Nmap accepts several target formats on one command line, and they can be mixed freely:
    - List: `nmap 192.168.1.1 192.168.1.2`
    - Range: `nmap 192.168.1.1-10` (a range in the last octet; ranges are allowed in any octet, e.g. `10.0.1-3.1`)
    - Subnet (CIDR): `nmap 192.168.1.0/24`
    - Mixed: `nmap 192.168.1.1 192.168.1.2 192.168.1.10-20 192.168.1.0/24`
    - From a file: `nmap -iL targets.txt`
- `-sL` (List Scan): Lists the targets Nmap would scan, one per line, without sending any packets to them. It performs reverse DNS lookups by default, which can be disabled with `-n` (no DNS resolution); with `-sL -n` nothing at all is sent towards the targets or the resolver, which makes it a safe way to check what a target specification actually covers.
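As an added illustration for these notes (not code from the original page or from the Nmap project), the following POSIX shell script expands a last-octet range and a CIDR block into the same address list that `nmap -sL -n` prints, so the size of a target specification can be checked before anything is scanned. The function names are this example's own; the `nmap` commands appear only in comments.

```shell
#!/bin/sh
# Expand Nmap-style target specs in plain POSIX shell (example code, not Nmap's).
# `nmap -sL -n <spec>` prints exactly these addresses, one per line.

# ip_to_int 10.0.0.77 -> 167772237
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip 167772237 -> 10.0.0.77
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# expand_octet_range 192.168.1.10-13 -> .10 .11 .12 .13 (range in the last octet only)
expand_octet_range() {
    prefix=${1%.*}          # 192.168.1
    range=${1##*.}          # 10-13
    start=${range%-*}
    end=${range#*-}
    i=$start
    while [ "$i" -le "$end" ]; do
        echo "$prefix.$i"
        i=$((i + 1))
    done
}

# expand_cidr 192.168.1.0/24 -> all 256 addresses. Like Nmap, this includes the
# network and broadcast addresses: a /30 yields 4 lines, a /32 yields 1.
expand_cidr() {
    ip=${1%/*}
    bits=${1#*/}
    base=$(ip_to_int "$ip")
    size=$(( 1 << (32 - bits) ))
    mask=$(( ~(size - 1) ))       # all-ones above the host bits (shell ints are 64-bit)
    net=$(( base & mask ))        # host bits given in the spec are ignored, as Nmap does
    i=0
    while [ "$i" -lt "$size" ]; do
        int_to_ip $(( net + i ))
        i=$((i + 1))
    done
}

# count_targets <spec>... : how many addresses a command line covers
count_targets() {
    for spec in "$@"; do
        case $spec in
            */*) expand_cidr "$spec" ;;
            *-*) expand_octet_range "$spec" ;;
            *)   echo "$spec" ;;
        esac
    done | wc -l | tr -d ' '
}

# Usage: the mixed example from the notes covers 1 + 1 + 11 + 256 = 269 addresses.
count_targets 192.168.1.1 192.168.1.2 192.168.1.10-20 192.168.1.0/24

# Real Nmap equivalents (need nmap installed; not run here):
#   nmap -sL -n 192.168.1.1 192.168.1.2 192.168.1.10-20 192.168.1.0/24
#   nmap -sL -n 192.168.1.0/24 | awk '/Nmap scan report/ {print $NF}' > targets.txt
```

The last commented command is the usual way to turn a list scan into a file for `-iL`: with `-n` every report line ends in the bare IP address, so the final field is all that is needed.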
-
- Host discovery methods: Nmap can use several probe types to decide whether a host is up. Each `-P*` option adds a probe type; several can be combined in one command (e.g. `-PE -PS22,80,443 -PA80 -PU53`), and a host is marked up as soon as any one probe is answered.
    - ARP scan (`-PR`): Used when Nmap runs with raw-socket privileges and the targets are on the local Ethernet segment; Nmap selects it automatically in that case, because it is faster and more reliable than any IP-layer probe. An ARP request is sent for each target address, and any host that replies is live regardless of its IP firewall rules, since a host that wants IP connectivity has to answer ARP.
    - ICMP Echo Request (`-PE`): The classic ping. Many host and network firewalls drop inbound echo requests, so a missing reply does not prove the host is down.
    - ICMP Timestamp Request (`-PP`): Rarely seen in legitimate traffic, so rulesets that block echo requests sometimes forget to block it. Many modern operating systems do not answer it at all.
    - ICMP Address Mask Request (`-PM`): Another uncommon ICMP type that may pass a rule written only against echo. Few current stacks respond to it.
    - TCP SYN Ping (`-PS<ports>`): Sends a TCP SYN to each listed port (default 80). A SYN/ACK means the port is open and the host is live; an RST means the port is closed but the host is still live. Either answer is enough for discovery. With raw-socket privileges Nmap never completes the handshake (half-open); without them it falls back to the operating system's `connect()` call, which completes the handshake and is more visible to the target.
    - TCP ACK Ping (`-PA<ports>`): Sends a bare TCP ACK (default port 80). A host receiving an ACK that belongs to no connection answers with RST, which proves it is live. This gets past stateless filters that only block SYNs, but a stateful firewall drops the unsolicited ACK. Crafting a bare ACK needs raw sockets, so it is a privileged-only probe.
    - UDP Ping (`-PU<ports>`): Sends a UDP datagram to each listed port (default 40125, chosen because it is almost certainly closed). A closed port answers with ICMP Port Unreachable, which proves the host is live. An open UDP service usually stays silent, and many hosts rate-limit ICMP errors, so UDP pings produce false negatives and are best used alongside other probe types.
- `-sn` (Ping Scan): Performs host discovery only, with no port scan. Without any explicit `-P*` option, a privileged scan of local-segment targets uses ARP; a privileged scan of remote targets sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; an unprivileged scan sends TCP SYNs (via `connect()`) to ports 80 and 443. `-Pn` skips discovery entirely and treats every target as up.
- Privileged vs. unprivileged: Privileged users (root or sudo) can send raw frames and packets, which enables ARP scans, half-open TCP SYN probes, ACK probes and ICMP probes. Unprivileged users are limited to what the ordinary socket API allows, essentially a full TCP `connect()` handshake, which is slower and more visible because the listening application sees and may log every completed connection.
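The following shell script is an added example written for these notes (not Nmap's own code). It shows a ping scan that combines several probe types and writes Nmap's grepable output format (`-oG -`), plus a small parser that pulls the live addresses out of that output so they can be fed to a later port scan. The `scan_log` text is a constructed sample of what `nmap -sn -v -oG -` prints, the function names are this example's own, and `nmap` itself is only invoked inside `discover_live_hosts`, which is not called by default.

```shell
#!/bin/sh
# Host discovery with several probe types, then extract the live hosts from
# Nmap's grepable (-oG) output. Example code for these notes, not Nmap's own.

# live_hosts : read -oG output on stdin, print the IP of every host reported Up.
# Grepable host lines look like:   Host: 10.0.0.5 ()   Status: Up
# Down hosts only appear with -v, so both cases are handled.
live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# discover_live_hosts <target>... : combine probes so that one filtered probe
# type does not hide a host. Needs root for the raw SYN/ACK/ICMP probes; on the
# local segment Nmap will use ARP instead. Not run by default (needs nmap).
discover_live_hosts() {
    sudo nmap -sn -n -PE -PP -PS22,80,443 -PA80 -PU53,40125 -oG - "$@" | live_hosts
}

# Constructed sample of `nmap -sn -n -v -oG -` output (not a real capture).
scan_log='# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -n -v -PE -PS22,80,443 -oG - 10.0.0.0/29
Host: 10.0.0.1 ()   Status: Up
Host: 10.0.0.2 ()   Status: Down
Host: 10.0.0.5 ()   Status: Up
Host: 10.0.0.6 ()   Status: Down
Host: 10.0.0.7 (fileserver.lan)   Status: Up
# Nmap done at Mon Jan  1 10:00:03 2024 -- 8 IP addresses (3 hosts up) scanned in 2.71 seconds'

# live_hosts_from_sample : the parser applied to the sample above
live_hosts_from_sample() {
    printf '%s\n' "$scan_log" | live_hosts
}

# count_live : number of live hosts in the sample
count_live() {
    live_hosts_from_sample | wc -l | tr -d ' '
}

# Usage: print the live hosts, ready to be saved and reused with nmap -iL.
live_hosts_from_sample

# Real follow-up (needs nmap; not run here):
#   discover_live_hosts 10.0.0.0/24 > live.txt && sudo nmap -sS -iL live.txt
```

Splitting discovery from port scanning this way is useful on filtered networks: the discovery pass can be repeated with different probe sets until the live list stops growing, and the expensive port scan then runs once against that list.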

## arp-scan

arp-scan is a dedicated ARP scanning tool. Because it only sends ARP requests, it is very fast and very reliable for enumerating the hosts on the local segment, and it reports the MAC address and vendor (looked up from the OUI) of every responder. It overlaps with Nmap's `-PR` discovery and, like it, cannot see past the local router.

## masscan

masscan is a very fast port scanner built for sweeping large address ranges. Like Nmap's SYN scan it sends raw TCP SYNs and records SYN/ACK replies, but it uses its own TCP/IP stack and transmits asynchronously at a configurable packet rate, so it can cover millions of addresses in minutes. That speed has a cost: it is noisy and easy for an IDS to flag, and it only reports which ports answered, not what is running on them. It is typically used to find candidate hosts across a large range, with the results fed to Nmap (for example via `-iL`) for detailed scanning. It can also perform plain host discovery, including an ICMP echo sweep with `--ping`.
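As an added example covering both tools above (written for these notes, not taken from arp-scan, masscan or Nmap), this script normalises arp-scan output and masscan's `-oL` list output into one de-duplicated target list for `nmap -iL`. The two sample outputs are constructed to follow the tools' output layouts (arp-scan's `IP MAC vendor` lines between its header and footer; masscan's `state proto port ip timestamp` list lines), the ICMP line in the masscan sample is an assumption about how `--ping` hits appear, and the function names, interface and rate values are this example's own.

```shell
#!/bin/sh
# Feed arp-scan and masscan results into Nmap. Example code for these notes.

# Commands as they would be run (need root and the tools installed; not run here):
#   sudo arp-scan --interface=eth0 --localnet                      > arp.txt
#   sudo masscan -p22,80,443 10.0.0.0/16 --rate 10000 -oL mass.txt
#   sudo masscan --ping 10.0.0.0/16 --rate 10000 -oL ping.txt     # ICMP echo sweep

# arp_scan_ips : IPs from arp-scan output; header/footer lines never start with an IP
arp_scan_ips() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }'
}

# masscan_list_ips : IPs from masscan -oL output; fields are
#   state proto port ip timestamp   ("#masscan" and "# end" lines are skipped)
masscan_list_ips() {
    awk '$1 == "open" { print $4 }'
}

# merge_targets : de-duplicate and sort numerically so nmap -iL gets a clean list
merge_targets() {
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Constructed sample outputs (not real captures).
arp_sample='Interface: eth0, type: EN10MB, MAC: 08:00:27:11:22:33, IPv4: 10.0.0.10
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.0.1   52:54:00:aa:bb:cc   QEMU
10.0.0.5   08:00:27:44:55:66   PCS Systemtechnik GmbH
10.0.0.7   08:00:27:77:88:99   PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.947 seconds (131.48 hosts/sec). 3 responded'

mass_sample='#masscan
open tcp 80 10.0.0.5 1704103200
open tcp 443 10.0.0.5 1704103201
open tcp 22 10.0.1.20 1704103203
open icmp 0 10.0.0.1 1704103204
# end'

# combined_targets : what would be written to targets.txt for nmap -iL
combined_targets() {
    {
        printf '%s\n' "$arp_sample"  | arp_scan_ips
        printf '%s\n' "$mass_sample" | masscan_list_ips
    } | merge_targets
}

combined_targets

# Follow-up (needs nmap; not run here):
#   combined_targets > targets.txt && sudo nmap -sS -sV -iL targets.txt
```

Hosts found by arp-scan and by masscan overlap (10.0.0.1 and 10.0.0.5 in the sample), which is why the merge step de-duplicates before Nmap is asked to spend time on each address.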
## Reverse DNS Lookup

- `-n` (no DNS resolution): Disables reverse DNS lookups entirely. This speeds up scans and avoids sending queries to the resolver, which a defender may be monitoring; the lookups also reveal the scanned addresses to whoever runs that resolver.
- `-R` (DNS resolution for all targets): Performs reverse DNS lookups even for hosts that discovery found to be down. By default Nmap only resolves hosts that responded.
- `--dns-servers <server1[,server2],...>`: Sends the lookups to the listed DNS servers instead of the system's configured resolver. Useful when the target environment's internal DNS knows names that public DNS does not. It is ignored when `--system-dns` is used, because that option hands resolution to the operating system's resolver instead of Nmap's own.
## Key Considerations

- Firewall evasion: ICMP probes and some TCP/UDP pings are commonly filtered, so combine several probe types (`-PE -PS -PA -PU`) rather than relying on one, and use `-Pn` when you know a host exists but it answers nothing. ARP scans cannot be blocked by a host's IP firewall, but only work from the local segment.
- Stealth: ARP requests are broadcast to every host on the segment, so a full ARP sweep is easy to notice from any machine on it. Among IP-layer probes, a half-open SYN probe is quieter than a full `connect()` handshake, because no application ever sees the connection and so nothing is logged at that layer.
- Accuracy: UDP pings give false negatives because open ports stay silent and ICMP errors are rate-limited; ICMP-only discovery misses hosts that drop ping. Combining probe types, or confirming with ARP on the local segment, improves coverage.
- Speed: masscan is the fastest over large ranges. Nmap's ARP scan and TCP SYN probes are fast on a local network; unprivileged `connect()` probing and UDP probing are the slowest, because they wait on full handshakes or on rate-limited ICMP errors.