The second part of the Nmap Tutorial Series: Nmap Host Discovery.
⮘-=[Subscribe]=-⮚
↬ https://www.youtube.com/c/ceos3ctutorials?sub_confirmation=1
⮘-=[Support Me]=-⮚
↬ Patreon: https://www.patreon.com/ceos3c
↬ Paypal: https://www.paypal.me/ceos3c
↬ Shop on Amazon with this link: https://amzn.to/2S6to7w
↬ pfSense Starter Guide: https://amzn.to/2RbRem2
⮘-=[Social]=-⮚
↬ Website: https://www.ceos3c.com
↬ Instagram: https://www.instagram.com/daily.linux.tips
↬ Twitter: https://www.twitter.com/ceos3c
↬ Facebook: https://www.facebook.com/ceos3c
⮘-=[Affiliate]=-⮚
0:00
Welcome back to a new video guys. Today we are going to tackle the second part of the Nmap tutorial series which has the topic of Nmap host discovery
0:10
So now that you have a basic understanding of what Nmap is and its basic commands that we have covered in the last video, we can dig a bit further and start to talk about the Nmap host discovery options
0:21
When you start working for a client and you are presented with a new network, one of the
0:26
first things you want to do is to reduce the list of devices or IPs in the network into
0:32
a list that only contains devices that are interesting for further investigation
0:37
Gladly we have Nmap Host Discovery to help us with this. In this video we will go through all of the Nmap Host Discovery options and I explain to
0:45
you what each option does. Before we get started, a quick info on how you are able to support me
0:51
Because it's taking a lot of time for me to produce these videos for free
0:55
And I would highly appreciate any support from you. So I have set up a Patreon page where I already have two patrons as of now
1:03
So this is pretty nice, but more would be better. I put the link in the video in the upper right corner
1:10
And also you help me out by subscribing to my channel of course
1:14
and by liking the videos that you actually enjoy watching. Thanks guys, let's get started with the content
1:20
So there are plenty of Nmap host discovery options. I have a list of all of them put together on the website in the written article
1:27
which I will link in the description below as well as in the upper right corner of the screen
1:31
And you can check out the whole list and just try out all of the commands by yourself
1:35
The first scan we want to look at is a so-called list scan
1:39
and the list scan lists each host of the network without sending any packets to the hosts themselves
1:44
So this command sometimes works, sometimes it doesn't for me. That's at least my experience
1:50
I had with it. But let's look at the command first. It's nmap -sL and then the IP range you want
1:57
to scan. So we're gonna, I know that I have this network here and I'm just simply gonna scan 1
2:03
till 10 because that's most likely where my IP addresses in this segment are right now. I know
2:11
that I have 50.7 I think and the basic pentesting 2 VM that I have running in the background has
2:17
50.8 if I'm not wrong. So let's quickly check what this returns, but as you can see sometimes
2:24
it does not work for me, and this says 10 IP addresses and zero hosts are up. But this can
2:31
also mean that it was simply blocked by the machine, because as far as I know this is not
2:37
an intrusive or not aggressive method to scan, so I'm not sure how accurate the results are
2:43
Next one on the list is the no port scan. The no port scan option simply means that you don't
2:50
run a port scan after host discovery is done it only prints out the available hosts that responded
2:57
to the discovery probes. You can also call this a ping scan, basically
3:02
According to nmap.org, this is one step more intrusive than the previous list scan
3:07
It could be called light reconnaissance because it is not attracting too much attention
3:12
So this is a good scan to run, which is nmap -sn 192.168.50
3:18
And let's see if this is actually the IP address of the basic pen testing VM
3:24
Let's see if we get some results here. And it basically should only report that the host is either up or down
3:35
And there we go, one host up. It found the host, so this works. And this you can also run against a
3:44
larger number of IP addresses at the same time, it will just take a little bit longer
3:48
But this is the no port scan, a good method if you want to do some light reconnaissance
3:53
Next on the list is the no ping scan and the no ping scan skips the complete Nmap discovery process basically
4:00
And Nmap directly starts to run its default port scans, which is a scan for the thousand most used ports
4:08
Let's try that on the IP: nmap -Pn and then 192.168.50.8
4:17
and now we should actually get some results of potentially open ports on this basic pentesting
4:23
2 virtual machine. See what it does for us here. And there we go, it also took around 16 seconds and
4:33
we can see that 999 ports are closed and only port 8081 is open. So this is probably, this means this
4:44
is not the basic pentesting VM. I know the service, it's running on Parrot, and that means probably .7
4:51
will be our basic pentesting VM. Let's run it against this again and see if the results are
4:57
different. And the results should be there in a second. There we go, and this is also not the VM
5:09
Let's try 50.9 and I'm sure this will be the correct VM
5:15
And there we go, finally. This is the basic pentesting VM. You can see TCP ports 21, 22 and 80 are open
5:23
which is FTP, SSH and HTTP. So you can see that the -Pn command found a few open ports on this machine. Alright, next on the list is the so-called TCP SYN scan
5:37
And this scanning option sends an empty TCP packet with the SYN flag attached to it
5:43
It defaults to port 80. The SYN flag tells the remote system that you are attempting to connect to it, basically
5:50
If the port appears to be open, the target host will start the second step of the three-way TCP handshake
5:55
by responding with a SYN/ACK TCP packet. This is especially useful for certain systems that block ICMP ping requests
6:03
You can also change the default port 80 to something, whatever other port you like, like 22, 25, and so on and so forth
6:10
To do this scan, we can simply run nmap -PS22. That's the SYN scan with...
6:19
Oh, actually, let's run it first as a default. So that's nmap -PS 192.168.50 and we now know that .9 is our basic pentesting VM, and let's see
6:32
what the results are of this scan. And we can see it was also successful, returned the open ports to
6:38
us. It ran the SYN scan against port 80 per default, and if you want to run it against any other port
6:45
You can just use the -PS command and you just simply put whatever other port you want to use right after the PS and then run it again
6:56
Let's see if we get a result on port 443. I'm not sure it's going to work if the port is actually closed
7:03
Let's see and wait for the result. It did also work, so we can see that we also got the correct results here
7:11
Alright, so next on the list is the TCP ACK ping, and this method
7:16
is useful for networks that block ICMP requests as well, same as the SYN scan, and it
7:22
discovers hosts by responding to non-existing TCP connections to provoke a response from a target
7:28
and if it found a, or if it did find a target
7:32
to be up and running then it runs a default port scan against it
7:38
So it scans for the most used 1000 ports again, and the command is nmap -PA 192.168.50.9, and let's see what the results of this
7:51
is. Also was successful and we got the results back of the open ports, same like with the previous
7:58
scans. One thing I want to mention here is that this might only work because now we don't have a
8:06
firewall running behind or in front of the clients. So if there is a firewall in play the results
8:12
may vary, and there might be, those requests might be blocked on a firewall. So
8:20
it's not certain that it will work on the actual network, because here as I said we just have a
8:25
switch in between those two virtual machines basically, without any firewalling going on in
8:31
the background. Okay, next is the UDP scan, and UDP ping sends UDP packets to get a response from a
8:38
target. Most networks and firewalls will block UDP requests per default, or if they are not properly
8:43
configured, that is. Although it is worth a try anyway. And if you are not logged in as root you
8:50
need to add the sudo prefix to the command. Let's just try that without the sudo prefix and see
8:56
what happens. If you run Kali on root you don't need to add sudo as a
9:00
prefix. You should not run Kali as root if you're a beginner by the way. And let's
9:06
put .9 here. It's -PU and now we will get the warning that we cannot
9:11
run it without root. So we put sudo in front of it. We enter our sudo password
9:16
and then the scan will run. By the way if you want to know, if you're a beginner
9:20
and you want to know how to configure Kali Linux properly check out my first
9:24
things to do or top things to do after installing Kali Linux video and or
9:29
article. I will link it in the upper right corner and in the description below as well. Okay, there we go, now we see that the scan indeed returned something. It
9:39
also returned the MAC address, interestingly, of the VirtualBox virtual NIC adapter here. This is cool, good information right there. And also
9:49
returned the open ports. Same like all the other scans did so far. Next on the list is the SCTP
9:57
INIT ping scan, and the SCTP, which means translated Stream Control Transmission Protocol
10:03
And you don't need to remember this. I did not remember this. I have it written down here
10:10
Mostly used to discover VoIP services, so voice over IP, IP telephony and stuff like this. You can
10:16
also change the default port by using the same command like in the other commands when you change
10:21
the port. I will show you that in a second. And the command is nmap -PY 192.168.50.<IP of the target>. And we
10:31
also need sudo for that as it seems. So it's sudo nmap -PY and then the IP address. And this is
10:39
very useful to discover VoIP based systems. There are so many VoIP systems out there now in the
10:46
corporate world that are vulnerable to attacks because people are not updating their devices
10:52
Devices are poorly configured and poorly secured, so this is a really good scan to discover possible vulnerabilities. Okay, next on the list. And if you want to, by the way, if you want to change the port again just use this command, and you can also separate them with comma and
11:11
scan for different ports at the same time. Okay, next is the ICMP echo ping, and you
11:19
should know what ICMP is. This sends a default ICMP ping to a target and checks if it replies. Usually
11:25
most networks, most routers, even Windows 10 with the Windows Firewall running will block
11:31
ICMP requests per default, so this is not, it has a very low chance of succeeding
11:37
and it's 192.168.50.9. So the command is nmap -PE and let's quickly run it
11:48
And it says again you are not root, as you can see here. So we better be root, so we
11:55
put sudo in front of the command, and interestingly if we don't use sudo it
12:02
uses a TCP ping scan rather than ICMP. Interesting too. And there we go, we get the results back as well with this command. Next on the
12:19
is the ICMP timestamp ping. And what this does is most systems, again
12:27
are configured to block those requests as well. But it is possible that even if they don't allow ICMP echo scans or echo pings
12:38
they will still allow ICMP timestamping. So this is maybe an option you should try
12:44
Sometimes it's worth it to do that. sudo nmap -PP and the IP address of our target, or target list, whatever you want to scan
12:53
Let's see what the results of this are. And of course if the ICMP echo ping worked
13:01
this most likely will work as well. There we go, as expected, returned the results of the scan
13:08
correctly. Good. The next thing is an ICMP address mask ping, and this address
13:15
mask ping also uses an alternative ICMP request to provoke a response from a
13:20
target another option to possibly bypass a firewall that is blocking default ICMP
13:26
requests. Let's see what this command looks like. We also put sudo in front of
13:30
it: nmap -PM 192.168.50.9 and let's see. Probably, I suspect that we will get the correct
13:41
results back as well. Highly recommend you check out the written article as well because it gives you
13:45
a list of all these commands and you don't need to remember them or write them down or whatever
13:50
Good, as expected the result is here as well. And next on the list is the IP protocol ping, and the
13:57
IP protocol ping allows you to send packets with specified protocols to the target
14:03
However, if you do not have or if you do not specify any particular protocol, the default
14:10
protocols ICMP, IGMP and IP in IP will be used to scan
14:18
And I will show you how to specify a protocol in a second. The command is sudo nmap -PO and then the IP address of the target, 50.9, and we wait for the
14:29
results quickly. There we go, there are the results, and those protocol numbers are basically specified
14:37
on a website where you can look up all of them. Let me quickly pull that up and I will put the
14:43
So basically there are protocol numbers from one, from zero, till all the way down to 255 and
14:50
all of those protocol numbers are addressing a different protocol. I will leave the link in the description below, you can check that out
14:58
But however, if you want to change the protocol, then you simply again run tag PO and then
15:05
you put the protocol number behind it, like 1 or 5 or 5 and 6, whatever you want
15:12
You get the idea. This is pretty useful, but it's also pretty advanced and I don't think it's very often
15:19
used in the real world. At least I didn't use it very often
15:23
All right. Next on the list is the ARP ping. And the ARP ping, this is basically the fastest method of discovering hosts on a network as of now
15:33
The biggest advantage is that ARP requests can't be blocked by hosts on a network
15:38
no matter if there is a firewall involved or not. But you have to have access to the local network
15:45
So your pen testing machine needs to be inside of the local network for this to work
15:51
And the command is sudo nmap -PR and then the IP address of the machine
15:58
And .9. Let's see what the results of the scan are. There we go
16:06
Now because we don't have many different hosts that we scan against, you cannot really see the difference in speed very much
16:14
but if you scan against more targets and you use a scan that is generally faster
16:19
then you will definitely see a difference there. Alright, next is the traceroute command that should be familiar actually to you
16:28
If you spent any time with networking before, you probably know the traceroute command. And what this does is it traces a route to the designated target
16:40
And I have an example of this on my website as well. You can check it out there
16:44
So we run sudo nmap --traceroute 192.168.50.9. And the route, that was wrong, misspelled here,
16:55
the route should be pretty clear because it just goes over the virtual switch within the
17:01
VirtualBox host-only network. Let's give this a few seconds, and as I said, of course the route is
17:07
fairly short with just one hop and it's residing in the same network connected to the same switch
17:15
So there is nothing going on here. But if you traceroute, if you use this against the Google
17:20
DNS server or any website you have legal access to, try some hack-me site that is legal to scan
17:28
against, then you will probably see a route where this traces the route to all the different hops
17:34
and there can be a lot of hops in between one target and the other one. The next scan on the
17:38
list is the so-called force reverse DNS resolution. Normally Nmap would only do reverse DNS lookups
17:46
for hosts that are online. With using the -R tag you can enforce this and Nmap will try to
17:53
resolve DNS names of all the specified IP addresses that you're scanning against. But be aware the
18:00
-R option will decrease your scan performance tremendously, so making your scan much longer
18:06
We can run the scan by using nmap -R 192.168.50.9 and let's see what the results are and let's
18:14
see how long it takes. It also took the same amount of time in this example but that's simply because we
18:20
are directly connected to a switch as I said and the results will be surely different on a real
18:26
network with a router between devices and stuff like this. So you can just try that out in your
18:32
own network. And this brings us to the next command and we are almost done with all of the
18:38
commands now. This means disable the reverse DNS resolution, and as I
18:44
mentioned in the previous force reverse DNS resolution command, per default DNS
18:49
resolution is only used against hosts that appear online. You can
18:53
disable DNS resolution altogether if you do not need it this will increase
18:58
your scan performance and decrease your scan time tremendously so as you remember
19:03
Remember, probably the last scan took about 16 seconds. And now if we use the -n option, which stands for disable reverse DNS resolution
19:12
the results should be much faster. And there you go. Instead of 16 seconds like the previous scan, it only took us 0.07 seconds
19:21
So if you don't need DNS resolution, just leave it out and your scans will be completed much, much faster
19:28
Then we have two more options and last before the last option or the almost last option is
19:38
the alternative DNS lookup method which basically lets you specify different DNS server
19:45
This is not very often used in the field but basically this tells nmap to use the host
19:54
system's DNS server for DNS lookup. This scan slows down your scan time probably even more
20:01
than the normal reverse DNS lookup, but just basically recognize that this option exists
20:08
and it's nmap --system-dns 192.168.50.9 and in this case it was pretty fast
20:15
but it can take much longer, because we know we use the DNS server that is in the system, which is
20:22
local basically, so very fast. Alright, then you can manually specify DNS servers. This is the last
20:29
command that we look at, and as it says, manually specify DNS servers, it's clear what it does
20:35
and you just put there --dns-servers and then you could put there Google for DNS
20:43
resolution, for example, or if there are more DNS servers on the local network you can switch
20:49
between them and have a look if the resolution would be correct or not. This being said, this
20:55
should give you a good idea of how Nmap host discovery works and what kind of commands you
21:00
can work with. In the next part of the series we will look at some more advanced scanning techniques
21:05
and make sure if you liked this video guys please give it a thumbs up, subscribe to my channel
21:13
hit the notification bell. If you like, if you have the resources I'd highly appreciate a
21:19
donation through either Patreon or PayPal. All the links are down in the description below, you can
21:25
find all the links to all the support channels in the description below. I would be highly appreciative
21:32
for that. Looking forward to seeing you back in the next video guys, and keep practicing Nmap. I hope
21:39
you like the series, let me know if you did in the comments below. Have a good day, have a good week
21:43
see you in the next video