Host Discovery and Port Scanning
Using Ping:-
Ping a host:
ping -c 5 google.com
┌──(kali㉿localhost)-[~]
└─$ ping -c 5 google.com
PING google.com (142.251.37.46) 56(84) bytes of data.
64 bytes from mrs09s13-in-f14.1e100.net (142.251.37.46): icmp_seq=1 ttl=117 time=43.3 ms
64 bytes from mrs09s13-in-f14.1e100.net (142.251.37.46): icmp_seq=2 ttl=117 time=111 ms
64 bytes from mrs09s13-in-f14.1e100.net (142.251.37.46): icmp_seq=3 ttl=117 time=48.0 ms
64 bytes from mrs09s13-in-f14.1e100.net (142.251.37.46): icmp_seq=4 ttl=117 time=72.2 ms
64 bytes from mrs09s13-in-f14.1e100.net (142.251.37.46): icmp_seq=5 ttl=117 time=43.1 ms
Ping (-c):
The -c option is used to specify the number of ICMP packets to send. For example, to send 5 packets, you would use:
ping -c 5 <target>
To ping a subnet:
ping -c 5 -b 10.10.10.0
This sends 5 ICMP packets to the broadcast address of the subnet (10.10.10.0); the -b flag is required because ping refuses a broadcast target without it. Note that for a /24 the directed broadcast address is 10.10.10.255 (10.10.10.0 is the network address, which only some stacks treat as broadcast), and Linux hosts ignore broadcast echo requests by default, so a per-host sweep is usually more reliable.
We can use Nmap to do the same ping scan:
nmap -sn 10.10.10.0/24
This will perform a "ping sweep" (ICMP scan) over the subnet to identify active hosts.
🚫 Note:
Windows systems, by default, restrict certain ICMP packets through the firewall, which may affect ping commands and some Nmap scans that rely on ICMP.
Using nmap:-
To see all options:
man nmap
Or
nmap -h
Ping scan:-
nmap -sn 10.10.10.0/24
nmap -sn 10.10.10.0-244
nmap -sn 10.10.10.7 10.10.10.7
Port Scanning
We use the -Pn option to skip host discovery because some systems block ICMP, and the target might otherwise appear offline.
nmap -Pn 10.10.10.10
nmap -Pn 10.10.10.0/24
Explanation:
-Pn: This option tells nmap to skip Host Discovery (i.e., it won't send ICMP Echo Requests to check if the target is alive). Instead, nmap will assume the target is alive and proceed directly to port scanning.
Use case:
In cases where the target system is protected by a firewall that blocks ICMP (like ping requests), nmap might mistakenly mark the target as offline and skip the scan. By using -Pn, nmap will bypass the host discovery step and start scanning ports directly, regardless of the ICMP blocking.
Notes: -
Closed: If the port state is closed → There is no firewall; the port is simply not in use.
Filtered: If the port state is filtered → There is a firewall or packet filter between you and the host, blocking the probe or response.
Port Scanning: By default, Nmap scans the 1000 most common TCP ports. If you use the -F option, it scans only the 100 most common ports for a faster scan. To scan all ports (1-65535), use -p 1-65535 (or the shorthand -p-).
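As an added example that is not part of these notes: a small Python parser for Nmap's grepable output (-oG) that applies the closed/filtered rule of thumb above per host. It also folds in the "Ignored State" summary, which is where Nmap hides the ports it did not list individually, so a host that is "closed (997)" and one that is "filtered (998)" get very different verdicts. The sample output it parses is constructed here; the hosts, ports and version strings are made up, and the field layout is the one Nmap documents for -oG (port/state/proto/owner/service/rpcinfo/version).

```python
"""Parse Nmap grepable output (-oG) and summarise port states per host.

Added example, not part of the original notes. SAMPLE_OG is a constructed
sample shaped like `nmap -sV -oG -` output; the hosts, ports and version
strings in it are made up.
"""
import re
from collections import Counter

SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.10.10.10 10.10.10.11
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1//, 80/open/tcp//http//Apache httpd 2.4.52//, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 10.10.10.11 ()\tStatus: Up
Host: 10.10.10.11 ()\tPorts: 22/closed/tcp//ssh///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""


def parse_grepable(text):
    """Return {ip: {"status": str, "ports": [...], "ignored": str}} from -oG text.

    Each "Host:" line carries tab-separated "Key: value" fields. A port entry is
    port/state/proto/owner/service/rpcinfo/version/ (slash-separated, comma-joined).
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and summary lines start with '#'
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]  # "10.10.10.10 ()" -> "10.10.10.10"
        entry = hosts.setdefault(ip, {"status": None, "ports": [], "ignored": None})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "Ports" in fields:
            for item in fields["Ports"].split(", "):
                f = item.split("/")
                entry["ports"].append({"port": int(f[0]), "state": f[1], "proto": f[2],
                                       "service": f[4], "version": f[6]})
        if "Ignored State" in fields:
            entry["ignored"] = fields["Ignored State"]
    return hosts


def summarise(entry):
    """Apply the notes' rule of thumb: any filtered port means a packet filter is in the path."""
    counts = Counter(p["state"] for p in entry["ports"])
    m = re.match(r"(\w+) \((\d+)\)", entry["ignored"] or "")
    if m:  # ports Nmap did not list individually, e.g. "closed (997)"
        counts[m.group(1)] += int(m.group(2))
    return {
        "open": sorted(p["port"] for p in entry["ports"] if p["state"] == "open"),
        "closed": counts["closed"],
        "filtered": counts["filtered"],
        "verdict": "packet filter in path" if counts["filtered"] else "no filtering observed",
    }


if __name__ == "__main__":
    for ip, entry in parse_grepable(SAMPLE_OG).items():
        print(ip, summarise(entry))
```

Run it against a real file with `nmap -sV -oG scan.gnmap <target>` and `parse_grepable(open("scan.gnmap").read())`. The parser splits version strings on "/" naively, so a banner containing a slash would shift the fields; for anything beyond a quick triage, the XML output (-oX) is the robust choice.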
Scanning Techniques:
1. SYN Scan (-sS):
What SYN Scan Does:
The SYN scan, also known as a "half-open scan," is one of the stealthiest scanning methods in Nmap.
It works by sending a SYN packet (the first step of the TCP handshake) to the target port. Based on the response, Nmap determines the port's state:
SYN → SYN/ACK: If the response is SYN/ACK, the port is open and ready to accept connections.
SYN → No response: If there’s no response, the port is likely filtered (usually due to a firewall or packet filter blocking the probe).
SYN → RST: If the response is RST, it indicates the port is closed and not accepting connections.
The SYN scan is preferred for its stealth, as it doesn't complete the full TCP handshake (hence "half-open"): the connection is never handed to the listening application, so it typically does not show up in application logs. Network-level firewalls and IDS still see every SYN, though, so it is not invisible. It also needs raw-packet privileges (root), which is why Nmap falls back to -sT for unprivileged users.
2. Full TCP Handshake (-sT):
If you want to perform a full TCP handshake (SYN → SYN/ACK → ACK), use the -sT flag. This method is less stealthy (the completed connection is visible to the service and its logs) but more reliable than a SYN scan because it fully establishes a connection, ensuring accurate results; it also works without raw-socket privileges because it uses the operating system's connect() call.
3. OS Detection (-O):
The -O option enables OS detection in Nmap. It attempts to identify the operating system of the target by analyzing network traffic and responses.
4. Service Version Detection (-sV):
The -sV option is used to detect the version of services running on open ports. Nmap tries to identify not just the open ports but also the software and version of services (e.g., HTTP, SSH, FTP).
5. OS Scan Guess (--osscan-guess):
The --osscan-guess option allows Nmap to make an educated guess about the operating system if the OS detection is not conclusive. It enables Nmap to try identifying the OS even when the fingerprinting results are not clear.
Scripts (-sC and --script):
-sC runs the default script set (equivalent to --script=default).
To list all available scripts:
ls /usr/share/nmap/scripts
To get information about a script:
nmap --script-help=<script>
nmap --script-help=http-vuln-cve2010-0738.nse
Firewalls and evading detection
nmap -Pn -S <spoofed-IP> -e <interface> -f --data-length 200 -D 10.10.23.1,10.10.23.2 -g 53 10.4.27.83
Command Breakdown
1. -Pn (No Ping - Skip Host Discovery)
This option tells Nmap not to send ICMP echo requests (ping) before scanning.
Normally, Nmap pings a host first to check if it is online before proceeding with the scan.
If a firewall blocks ICMP responses, the host may appear as "down" even if it is online.
With -Pn, Nmap assumes the host is up and skips the host discovery phase.
Use case: When scanning targets that may have ICMP disabled, such as heavily firewalled systems.
2. -S <IP> (Spoofed Source Address)
Allows the user to change the source IP address of the packets.
This makes it look like the scan is coming from a different IP address instead of the attacker's real IP.
However, replies go back to the spoofed address, so you only get results if you can see that traffic (e.g., you are on the same subnet), and most networks drop spoofed packets at their edge (ingress/egress filtering). Nmap usually also needs -e <interface> together with -S, since it cannot pick a route for an address it does not own.
Use case: Useful for deception in specific network environments where IP spoofing is allowed.
3. -f (Fragmentation)
Breaks the scan packets into smaller fragments to evade Intrusion Detection Systems (IDS) and firewalls.
Many security devices analyze packets at a higher level, and fragmentation can make it harder for them to detect malicious traffic.
However, most modern IDS/IPS reassemble fragments before inspection and will detect the scan anyway, and some firewalls simply drop fragmented packets.
Use case: Useful when scanning networks that have packet inspection enabled.
4. --data-length 200 (Adding Random Data to Packets)
Adds 200 extra bytes of random data to each packet.
This helps evade signature-based firewall and IDS rules that look for specific packet sizes (a bare Nmap SYN probe carries no payload at all).
Some security tools block "default-looking" Nmap scans, so adding random data can make the scan less detectable.
Use case: Used for bypassing basic security mechanisms.
5. -D <IP1,IP2,...> (Decoy Scan)
Makes the scan look like it's coming from multiple different IP addresses (decoys) rather than a single source.
The target will see traffic from several sources, making it difficult to determine which IP is actually scanning.
However, your real address is still among the sources (Nmap puts it at a random position in the list unless you place ME explicitly), and network administrators may still detect that an Nmap scan is happening.
Use case: Helps in obfuscation when scanning targets that might log or block scanning attempts.
6. -g 53 (Source Port Selection)
Tells Nmap to use port 53 (DNS) as the source port instead of a random high port.
Some firewalls allow DNS traffic (port 53) without inspection, so this can help in evading network security policies.
Use case: Useful when scanning from networks that filter unknown ports but allow DNS traffic.
7. Target IP 10.4.27.83
The target IP address that Nmap is scanning.
This is the system where the scan will be directed.
Summary
This Nmap command is designed to bypass firewalls and evade detection using various techniques:
Hiding the scan source (-S, -D)
Avoiding detection by security tools (-f, --data-length)
Mimicking normal traffic (-g 53)
Skipping unnecessary host checks (-Pn)
This makes it useful for stealth scanning in penetration testing scenarios.
Nmap Timing and Performance Options
1. -T <0-5> (Timing Template)
The -T option in Nmap controls the speed and aggressiveness of the scan. It provides six predefined timing templates:

| Value | Name | Description |
|---|---|---|
| -T0 | Paranoid | Sends packets very slowly to avoid detection by IDS/IPS. |
| -T1 | Sneaky | Similar to -T0 but slightly faster, still avoids detection. |
| -T2 | Polite | Reduces scan impact on the network by slowing down requests. |
| -T3 | Normal | The default Nmap timing; balanced between speed and accuracy. |
| -T4 | Aggressive | Faster scan, but may cause dropped packets on busy networks. |
| -T5 | Insane | The fastest scan, but unreliable and can overwhelm networks. |
Example Usage
nmap -T4 -p 80,443 192.168.1.1
Performs a faster scan on ports 80 and 443 of 192.168.1.1 using Aggressive timing.
2. --host-timeout <time>
Defines a maximum time limit for scanning each host.
If a host takes longer than the specified time, Nmap skips it and moves on to the next target.
The time can be given in seconds (s), minutes (m), hours (h), etc.
Example Usage
nmap --host-timeout 30s -p 22,80,443 192.168.1.1
If scanning 192.168.1.1 takes more than 30 seconds, Nmap will stop scanning that host.
3. --scan-delay <time>
Introduces a delay between probe packets to prevent triggering IDS/IPS systems or rate-limiting defenses.
The delay can be given in milliseconds (ms), seconds (s), etc.
Example Usage
nmap --scan-delay 500ms -p 80,443 192.168.1.1
Adds a 500ms delay between packets to avoid being detected as a scan.
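As an added example that is not part of these notes, this Python detector shows the defender's side of both the SYN-scan discussion above and the --scan-delay / -T1 trade-off here. It takes flow records (constructed here, with made-up addresses; the record layout is an assumption, not a real exporter's format), keeps only SYNs that the source never followed with an ACK to the same port (the "half-open" signature), and flags a source once it has probed min_ports distinct ports within a sliding window. A burst of probes trips a 10-second window; a scan paced one probe every 30 seconds only shows up once the window is widened to 900 seconds, which is exactly why slow scans need longer aggregation windows in detection rules.

```python
"""Sliding-window detector for half-open (SYN) scans, run over constructed flow records.

Added example, not part of the original notes. A record is
(time_seconds, src_ip, dst_ip, dst_port, tcp_flags) as a firewall or flow
exporter might log it; the flag string uses "S" for a SYN and "A" for the
client's final handshake ACK. All addresses and timings are made up.
"""
from collections import defaultdict


def make_records():
    """Build the constructed sample: one normal client, one fast scan, one slow scan."""
    records = []
    # Normal client: every SYN is followed by the client's ACK, i.e. the handshake completes.
    for t, port in [(0.0, 80), (1.0, 443), (2.0, 22)]:
        records.append((t, "10.0.0.5", "10.10.10.10", port, "S"))
        records.append((t + 0.05, "10.0.0.5", "10.10.10.10", port, "A"))
    # Fast half-open scan (think -T4): 40 ports in about 2 seconds, never an ACK.
    for i in range(40):
        records.append((5.0 + i * 0.05, "10.0.0.66", "10.10.10.10", 1 + i, "S"))
    # Slow half-open scan (think --scan-delay 30s): one probe every 30 seconds.
    for i in range(40):
        records.append((100.0 + i * 30.0, "10.0.0.77", "10.10.10.10", 1000 + i, "S"))
    return sorted(records)


def half_open_probes(records):
    """Keep only SYNs that the same source never followed with an ACK to that port."""
    acked = {(s, d, p) for _, s, d, p, flags in records if "A" in flags}
    return [(t, s, d, p) for t, s, d, p, flags in records
            if flags == "S" and (s, d, p) not in acked]


def detect_syn_scans(records, window_s, min_ports):
    """Return {(src, dst): distinct_ports} for pairs that reach min_ports distinct
    half-open ports inside some window of window_s seconds."""
    by_pair = defaultdict(list)
    for t, s, d, p in half_open_probes(records):
        by_pair[(s, d)].append((t, p))
    flagged = {}
    for pair, probes in by_pair.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):  # each probe opens a candidate window
            ports = {p for t, p in probes[i:] if t - t0 <= window_s}
            if len(ports) >= min_ports:
                flagged[pair] = len(ports)
                break
    return flagged


if __name__ == "__main__":
    recs = make_records()
    print("10 s window :", detect_syn_scans(recs, window_s=10, min_ports=20))
    print("900 s window:", detect_syn_scans(recs, window_s=900, min_ports=20))
```

The brute-force window scan is O(n²) per source/destination pair, which is fine for a demonstration but should become a proper sliding window (two pointers over the sorted probe list) before running over real flow data. The threshold and window are the tuning knobs: widening the window catches slower scans at the cost of more state and more false positives from legitimately chatty hosts.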
Comparison and Best Use Cases
Final Thoughts
These options help fine-tune scan performance and stealth:
Use -T4 for fast scanning, but -T1 or --scan-delay for stealth.
Set --host-timeout to skip unresponsive hosts in large scans.
Adjust --scan-delay to evade detection by Intrusion Detection Systems (IDS).