While most administrators use a security tool such as Nmap to perform a port scan to list available services on a remote system, Nmap can also be used to conduct a wide variety of functions that security and network administrators can find very helpful in discovering available hosts on the networks that they are responsible for. Discovering hosts can help system administrators ensure that they are monitoring all systems for availability while security administrators can ensure each system adheres to their company's security policy.
This article discusses host discovery features that are available in Nmap 5.0 and higher. For more information on Nmap as well as instructions on how to conduct a basic port scan with Nmap, please review the previous EE article Nmap: Performing a Basic Scan.
Listing Targets to be Scanned (List Scan)
Before conducting a host discovery scan or sweep, an Nmap user may wish to examine the hosts that would be queried by the scan itself prior to conducting the scan. For example, a security professional conducting a penetration test may use this option to first check his work before performing a scan. This technique is referred to as a List Scan and is performed with the -sL option.
When a List Scan is performed, Nmap will attempt to perform a reverse DNS lookup to identify the FQDN of the host(s) to be scanned. Resolved names will be included as part of the scan results.
NOTE: If you have multiple DNS servers configured on the system conducting an Nmap scan, Nmap will use each of the DNS servers at the same time to help increase response time.
In the following example, Nmap is used to conduct a List Scan of the 192.168.2.0/24 (255.255.255.0) subnet.
This article discusses host discovery features that are available in Nmap 5.0 and higher. For more information on Nmap as well as instructions on how to conduct a basic port scan with Nmap, please review the previous EE article Nmap: Performing a Basic Scan.
Listing Targets to be Scanned (List Scan)
Before conducting a host discovery scan or sweep, an Nmap user may wish to examine the hosts that would be queried by the scan itself prior to conducting the scan. For example, a security professional conducting a penetration test may use this option to first check his work before performing a scan. This technique is referred to as a List Scan and is performed with the -sL option.
When a List Scan is performed, Nmap will attempt to perform a reverse DNS lookup to identify the FQDN of the host(s) to be scanned. Resolved names will be included as part of the scan results.
NOTE: If you have multiple DNS servers configured on the system conducting an Nmap scan, Nmap will use each of the DNS servers at the same time to help increase response time.
In the following example, Nmap is used to conduct a List Scan of the 192.168.2.0/24 (255.255.255.0) subnet.
As you can see, the List Scan does not perform a scan of the remote system(s) as each port is listed as 'not scanned', but is used to perform a reverse DNS lookup against each host. In the above example, you can see that there are four hosts that had their system names resolved. For example, 192.168.2.5 is reported as being named payroll.company.net
Performing a Ping Scan/Sweep
One method used traditionally by administrators to find online hosts is to perform a ping sweep of their networks. Using their system to send out an ICMP Echo Request packet to each possible host, the admin would then wait for any system to reply back with an ICMP Echo Reply packet. So, ideally, if a host was online, it would respond - if the ICMP Echo Request/Reply traffic wasn't blocked by some mechanism.
An Nmap Ping Scan not only attempts an ICMP Echo Request discovery, but also attempts several other methods for discovery hosts in case ICMP traffic is being blocked - typically by a router or firewall (either host- or network-based).
After Nmap uses ICMP Echo Requests to discover systems that are online and responding to the request, Nmap will then attempt to enumerate additional online systems by using a SYN scan on TCP port 443 and TCP port 80 for hosts not responding to the initial ICMP Echo Request. If a remote host responds to the SYN request, then Nmap will list the host as available on the network - even if it was blocking the ICMP request/reply traffic.
Finally, Nmap will attempt to use an ICMP Timestamp Request packet against remaining IP addresses that have not been detected as online. If an ICMP Timestamp Reply is received by Nmap, the responding system is then 'marked' as being online.
Additional Options
Along with the List Scan and other scan types covered above, Nmap has additional options that are available for controlling which DNS servers are used by Nmap (--dns-servers), to disable name resolution (-r) complete and add the ability for Nmap to perform a traceroute to its targets (--traceroute).
Specifying DNS Servers
If you want to specify which DNS servers Nmap uses for name resolution, you can use the ' --dns-servers' switch.
Disable DNS Resolution
To not have Nmap perform name resolution for your scanned hosts, you can use the -n option to disable this functionality.
Performing a Traceroute
If you wish to identify the various "hops" or routers that your Nmap scan passes through to reach its target(s), you can use the -traceroute switch to provide this information. As you can see by the scan results below, this traceroute is completed using TCP 80 packets rather than traditional ICMP or UDP traffic.
In this article, we covered Nmap's basic host discovery options that are available to administrators for finding live network hosts.
For more information on Nmap as well as instructions on how to conduct a basic port scan with Nmap, please review my previous EE article Nmap: Performing a Basic Scan.