When presented with an unknown network, one of the first orders of business for scanning is to determine which IP addresses have computers listening on them. This is particularly important when exploring a network behind a Network Address Translation (NAT) device (see "Endpoint/Host" in Chapter 13) where only a tiny percentage of available IP addresses may be in use. For example, on my home network, I have three class C networks defined (762 IP addresses), but only 12 of those IP addresses are in use, meaning that nearly 99 percent of the address space is unused. Host scans (also known as ping sweeps) quickly identify which IP addresses have computers attached and allow you to narrow the task at hand significantly.
Nmap provides the -sP option to perform a host scan. By default, Nmap sends both an ICMP echo request (also known as ping) packet as well as a TCP SYN packet to port 80 (the default web server port) to determine whether a computer is listening on a given IP address. If the IP addresses being scanned are on the same subnet as the scanner, ARP packets are used instead; it is a faster and more reliable way to see which IP addresses are in use. Here's an example of Nmap scanning the first 20 hosts of a subnet:
[bryan@nereid bryan] sudo nmap -n -sP 10.150.9.1-20
Host 10.150.9.15 appears to be up.
MAC Address: 00:0C:F1:D2:29:4C (Intel)
Host 10.150.9.16 appears to be up.
MAC Address: 00:0B:DB:27:40:47 (Dell ESG Pcba Test)
Nmap finished: 20 IP addresses (2 hosts up) scanned in 0.646 seconds
The -n flag instructs nmap to not do name lookups on the IP addresses it scans. This often makes the scan faster as reverse DNS lookups can take a long time to complete. The DNS requests can be somewhat noisy as well, so if you're trying to be subtle with your scan, -n is usually a good idea.
From the above output, you can see that only two of the first 20 IP addresses in the subnet are in use. If the subnet scanned is local, Nmap is nice enough to look up the MAC addresses in its database to tell you who manufactured the network card.
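When a host scan is part of an inventory or exposure check, the interesting output is not the raw text but the list of live addresses, their MAC/vendor pairs, and how sparse the range turned out to be. The following Python parser is an added example (not code from the book or from the Nmap project); it reads the Nmap 4.x -sP output format quoted above, attaches each MAC Address line to the Host line before it, cross-checks the per-host lines against Nmap's own summary count, and computes the unused share of the range. The sample input is constructed from the listing above plus the "Starting Nmap" banner.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the host-scan output shown earlier in this section,
# with the "Starting Nmap" banner that the first listing omits.
SAMPLE_OUTPUT = """\
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-06-09 11:45 PDT
Host 10.150.9.15 appears to be up.
MAC Address: 00:0C:F1:D2:29:4C (Intel)
Host 10.150.9.16 appears to be up.
MAC Address: 00:0B:DB:27:40:47 (Dell ESG Pcba Test)
Nmap finished: 20 IP addresses (2 hosts up) scanned in 0.646 seconds
"""

# Line shapes produced by Nmap 4.x -sP (the format this section quotes).
HOST_RE = re.compile(r"^Host (\S+) appears to be up\.$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.+)\))?$")
SUMMARY_RE = re.compile(
    r"^Nmap finished: (\d+) IP addresses? \((\d+) hosts? up\) scanned in ([\d.]+) seconds$"
)


@dataclass
class LiveHost:
    ip: str
    mac: Optional[str] = None     # only present when the target is on the local subnet (ARP)
    vendor: Optional[str] = None  # Nmap's OUI lookup, if it recognised the prefix


@dataclass
class HostScan:
    hosts: List[LiveHost] = field(default_factory=list)
    addresses_scanned: int = 0
    hosts_up: int = 0
    seconds: float = 0.0

    def consistent(self) -> bool:
        """True when the per-host lines agree with Nmap's own summary count."""
        return len(self.hosts) == self.hosts_up

    def unused_percent(self) -> float:
        """Share of the scanned range with nothing answering (what -P0 would waste time on)."""
        return unused_percent(self.addresses_scanned, self.hosts_up)


def unused_percent(addresses: int, in_use: int) -> float:
    """Percentage of a range that is vacant, e.g. 762 addresses with 12 in use."""
    if addresses <= 0:
        raise ValueError("addresses must be positive")
    return 100.0 * (addresses - in_use) / addresses


def parse_host_scan(text: str) -> HostScan:
    """Turn -sP output into a HostScan; a MAC line attaches to the preceding Host line."""
    scan = HostScan()
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            scan.hosts.append(LiveHost(ip=m.group(1)))
        elif (m := MAC_RE.match(line)) and scan.hosts:
            scan.hosts[-1].mac = m.group(1).upper()
            scan.hosts[-1].vendor = m.group(2)
        elif m := SUMMARY_RE.match(line):
            scan.addresses_scanned = int(m.group(1))
            scan.hosts_up = int(m.group(2))
            scan.seconds = float(m.group(3))
    return scan


if __name__ == "__main__":
    result = parse_host_scan(SAMPLE_OUTPUT)
    for h in result.hosts:
        print(f"{h.ip:<16} {h.mac or '-':<18} {h.vendor or ''}")
    print(f"{result.hosts_up}/{result.addresses_scanned} up, "
          f"{result.unused_percent():.1f}% of the range unused, "
          f"summary consistent: {result.consistent()}")
```

The consistency check matters when output is collected from several scans and stitched together: a summary line whose count does not match the Host lines above it is a sign that a listing was truncated or mixed with another run.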
Sending ping (ICMP echo request) packets used to be a reliable way to determine whether a computer was listening at a given IP address. These days, with firewalls becoming more widely deployed, ping packets are sometimes blocked by default. For example: the firewall that comes with Windows XP automatically blocks ping packets unless TCP port 445 is also allowed. In addition to sending a ping packet, Nmap also tries to connect to TCP port 80 as a fallback, but what if the host is blocking both pings and port 80? By default, Nmap considers the IP address to be vacant. In the following example, Nmap fails to find any hosts, despite there being a Windows XP machine at 10.150.10.253:
[bryan@nereid bryan] sudo nmap -sP 10.150.10.250-254
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-06-09 11:45 PDT
Nmap finished: 5 IP addresses (0 hosts up) scanned in 2.053 seconds
One workaround to this problem is to use the -P0 flag, which instructs nmap to bypass the host discovery process entirely and instead connect to every port even if the host seems down. The downside to this approach is that on sparse networks, a tremendous amount of time is wasted trying to scan open ports of vacant IP addresses. Adding -P0 to the above scan did find the Windows XP machine, but it took 56 minutes to complete.
Avoid using the -P0 flag on large scans of potentially sparse networks. In environments such as my home network, where only 1 percent of IP addresses are in use, -P0 causes the scan to take 100 times longer to complete.
A faster solution to the blocked ping problem is to extend the list of probed ports to cover more than just pings and TCP port 80. Nmap provides the following flags to customize the host scan functionality:
-PS portlist
Lets you specify which ports to send TCP SYN packets to. If this flag is omitted, Nmap uses port 80.
-PA portlist
Lets you specify which ports to send TCP ACK packets to. This is similar to the preceding SYN scan but may provide better results when simple firewalls are between you and the host being scanned.
-PU portlist
Lets you specify which ports to send empty UDP packets to. This is similar to the TCP SYN option but for probing UDP applications.
-PE
Instructs Nmap to send ICMP echo request (ping) packets. These packets are sent by default if no -P options are specified.
-PP
Instructs Nmap to send ICMP timestamp packets. These may be used as an alternative to ping packets in case the firewall is only blocking pings.
-PM
Instructs Nmap to send ICMP netmask request packets. These may be used as an alternative to pings in the same fashion as the -PP option.
Providing a more thorough list of TCP ports to probe is a good idea when pings are being blocked. By extending Nmap's TCP SYN scan beyond the default port 80 to include common Unix and Windows ports, we can achieve better results:
[bryan@nereid bryan] sudo nmap -sP -PS21,22,23,25,80,139,445,3389 10.150.10.250-254
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-06-09 15:18 PDT
Host 10.150.10.253 appears to be up.
Nmap finished: 5 IP addresses (1 host up) scanned in 15.568 seconds
Adding the additional ports increased the scanning time from 2 to 15 seconds, but we found the Windows XP machine at 10.150.10.253, which happened to have port 3389 (remote desktop) open.
Choosing the right ports to scan for requires some knowledge of what applications are likely to be running on the network being scanned, but some ports are universally more common than others. Here are some quick tips on how to select default ports for host scanning:
Some core network functionality in common operating systems (Windows, Mac OS, Unix) requires certain ports to be reachable from the network. Features such as file sharing, network printing, and music sharing use certain well-known ports. Common Windows ports include TCP/135, TCP/139, TCP/445, TCP/1025-1030, TCP/3389, UDP/137, UDP/138, UDP/445 and UDP/1025-1030. Common Unix ports include TCP/21, TCP/22, TCP/23, TCP/25, TCP/80, TCP/111, UDP/53, UDP/67-69, UDP/111, UDP/161 and UDP/514.
Networking devices such as switches, routers, and firewalls typically provide a variety of network management facilities on a number of ports (although typically these are only enabled on the "internal" interface of the device). Common ports include TCP/22 (SSH), TCP/23 (Telnet), TCP/80 (HTTP), TCP/443 (HTTPS), and UDP/161 (SNMP). These devices frequently act as DHCP and DNS servers as well, which use UDP/53 (DNS) and UDP/67-68 (DHCP).
Multiple -P flags can be combined during the same scan to provide very thorough host scanning. By enabling all ICMP packet types and using common UDP and TCP ports, hosts can be scanned rather quickly with a high degree of confidence. A thorough host scan might look something like this:
sudo nmap -sP -PS21,22,23,25,80,135,139,445,1025,3389 -PU53,67,68,69,111,161,445,514 -PE -PP -PM 10.150.9.1-254
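Hand-writing a combined -PS/-PU list from the per-platform port tips above is error-prone: the Windows, Unix and network-device lists overlap, and ranges such as 1025-1030 are easy to mistype. The following Python helper is an added example (not code from the book or from the Nmap project) that expands nmap-style port specs, merges the lists for whichever platforms are expected on the network, and re-compresses the result into the shortest argument vector for an -sP host scan, with the ICMP probe flags appended. The COMMON_PORTS table is constructed from the recommendations in this section; the profile names "windows", "unix" and "netdev" are this example's own.

```python
from typing import Dict, Iterable, List, Set

# Port recommendations quoted in this section, as nmap-style port specs (constructed table).
COMMON_PORTS: Dict[str, Dict[str, str]] = {
    "windows": {"tcp": "135,139,445,1025-1030,3389", "udp": "137,138,445,1025-1030"},
    "unix":    {"tcp": "21,22,23,25,80,111",          "udp": "53,67-69,111,161,514"},
    "netdev":  {"tcp": "22,23,80,443",                "udp": "53,67-68,161"},
}


def expand_ports(spec: str) -> Set[int]:
    """Expand '21,22,1025-1030' into a set of ints, rejecting anything outside 1-65535."""
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"reversed range: {part}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    bad = sorted(p for p in ports if not 1 <= p <= 65535)
    if bad:
        raise ValueError(f"port out of range: {bad[0]}")
    return ports


def compress_ports(ports: Iterable[int]) -> str:
    """Render a set of ports as the shortest nmap port list, merging consecutive runs into a-b."""
    ordered = sorted(set(ports))
    if not ordered:
        return ""
    runs: List[str] = []
    start = prev = ordered[0]
    for p in ordered[1:]:
        if p == prev + 1:
            prev = p
            continue
        runs.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = p
    runs.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(runs)


def host_discovery_args(profiles: Iterable[str], icmp: bool = True) -> List[str]:
    """Combine per-platform lists into one -sP argument vector with deduplicated -PS/-PU."""
    tcp: Set[int] = set()
    udp: Set[int] = set()
    for name in profiles:
        if name not in COMMON_PORTS:
            raise ValueError(f"unknown profile: {name}")
        tcp |= expand_ports(COMMON_PORTS[name]["tcp"])
        udp |= expand_ports(COMMON_PORTS[name]["udp"])
    args = ["-sP"]
    if tcp:
        args.append("-PS" + compress_ports(tcp))
    if udp:
        args.append("-PU" + compress_ports(udp))
    if icmp:
        # Echo, timestamp and netmask requests; the latter two still get through
        # firewalls that only block echo.
        args += ["-PE", "-PP", "-PM"]
    return args


if __name__ == "__main__":
    cmd = ["sudo", "nmap", "-n"] + host_discovery_args(["windows", "unix", "netdev"]) + ["10.150.9.1-254"]
    print(" ".join(cmd))
```

Because the probe list is built from sets, adding a profile never duplicates a port that another profile already covers, and the range check catches a stray port number before nmap is ever invoked.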