How-To: Nmap an IP Block

Nmap is one of my favorite tools. Ostensibly, it is only a simple port scanner, but it can be used as one of the best discovery tools there is. It does require some command line proficiency. One thing that comes up often is this case. I am looking at an IP block, and I want to know which hosts are up and running. Knowing which machines are running can significantly lower your scan space, thus saving you time. Scanning an IP block with default settings is certainly doable, but pretty wasteful. Here is the command you could use to do that:

nmap 192.168.0.0/24

This would scan the 256 IPs available on this private network segment. It would take a long, long time, return lots of information that may or may not be useful, and certainly will not be easy to manipulate. This is an example of what would be a better, more sophisticated choice:

nmap -sP -PE -PP -PS21,22,23,25,80,113,31399 -PA80,113,443,10042 -T4 -oG live_hosts.gnmap 192.168.0.0/24

This line of code is actually so long as to not fit across my page, causing me great amounts of irritation, and sidetracking me for ten minutes just looking for a better way to do it. In fact, I was tempted to slim the command down so that it could fit, but that would be cheating you.

Regardless of my anal formatting issues, there are lots of good things going on here. With this command, we have slimmed down our request so that on a sample scan it only took 26 seconds to discover 56 hosts up on a standard 256 block. Not bad. Scanning a larger range would show savings of a similar proportion. We really do need all of those flags and port numbers. Let me break it down a little more for you so that you can customize it and determine which flags you need.

The Breakdown

-sP Ping scan. This specifies that we are only going to ping the hosts, not port-scan them.

-PE ICMP echo request for host discovery; this is one particular type of ping probe.

-PP Another type of ICMP ping probe. We want to make sure we cover all our bases. I think this is significant enough to warrant including both of these options, as the overhead is low and the yield could be very high.

-PS Specifies the port list for a SYN ping. After this flag I explicitly list the ports that I want to send a SYN packet to. This collection of ports speeds up the scan, and also potentially gets past the default policy of dropping ping that some admins implement on their workstations to thwart this kind of discovery scanning.

-PA Specifies the port list for an ACK ping. Exactly the same idea as the SYN pings specified above.

-T4 Sets the timing template to be used (fairly aggressive, which suits this kind of sweep).

-oG Writes the output in greppable format. This is the output type I prefer; you could write XML or normal Nmap output instead, if you so desired.

Other Considerations

Another option to consider is the -n flag. This disables DNS name resolution and can speed up your scan. In my tests it saved 4 seconds, going from 26 seconds to scan a block of 256 IPs down to 21 seconds. It may also be useful if the DNS server is paranoid and doesn’t like all those requests. Something to note, though, is that the time saved can be minimal, especially compared to other time-saving methods: a scan on a different block of IPs with the DNS lookups left on only took 10 seconds. Not bad!

If you want to find out about hosts that are not online or responsive, you can perform a list scan, which does only a reverse DNS lookup for the IP space and sends no probes to the hosts. Hostnames can be very informative, and at the very least they often reveal the naming convention, which may or may not be useful later. You can do this, and send the output to a text file for your later perusal, like this:

nmap -v -sL 192.168.0.0/24 | tee -a dns_hosts.txt

This will both print the hostnames registered on the block to the terminal and save them to a file for later. I recommend that you only do this for smaller IP blocks, however, as any information gleaned from this sort of activity will have to be sorted through by hand. You can get the DNS names of hosts that are not even ‘visible’ to a ping sweep this way, and depending on the information disclosed by a helpful administrator, you may choose to probe certain machines more closely. However, this is getting a bit off topic.

Finally

The point of this article is not to show how to scan hosts in great detail, but rather how to find the live hosts in a block of IPs. This can be a great first step in understanding more about the target hosts. Since all this does is narrow down which hosts might be up, the natural thing to do with the results is to turn them into a list of IPs for future scans. What you do with those scans is up to you, and to the purposes you want to achieve.
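Once the sweep has written live_hosts.gnmap, the live addresses can be pulled out into a plain target list for those follow-up scans. The script below is an added example, not part of the original article: it assumes the -oG line layout "Host: <ip> (<name>) Status: Up" and runs against a constructed sample file rather than a real scan.

```shell
#!/bin/sh
# Added example: turn an Nmap greppable (-oG) ping-sweep file into a target
# list for later scans. The sample data below is constructed, not a real scan.

# live_hosts FILE: print the IP of every host recorded as "Status: Up",
# one per line, in the order Nmap wrote them.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# count_live FILE: number of live hosts in FILE.
count_live() {
    live_hosts "$1" | wc -l | tr -d ' '
}

# Constructed stand-in for live_hosts.gnmap. With -v, hosts that did not
# answer any probe are recorded too, as "Status: Down", so the filter on
# "Status: Up" matters; the version string and timestamps are placeholders.
SAMPLE="${TMPDIR:-/tmp}/sample_live_hosts.gnmap"
cat > "$SAMPLE" <<'EOF'
# Nmap X.XX scan initiated Thu Feb 18 10:00:00 2010 as: nmap -sP -PE -PP -PS21,22,23,25,80,113,31399 -PA80,113,443,10042 -T4 -v -oG live_hosts.gnmap 192.168.0.0/24
Host: 192.168.0.1 (gw.example.lan)	Status: Up
Host: 192.168.0.2 ()	Status: Down
Host: 192.168.0.10 (files.example.lan)	Status: Up
Host: 192.168.0.57 ()	Status: Up
# Nmap done at Thu Feb 18 10:00:26 2010 -- 256 IP addresses (3 hosts up) scanned in 26.12 seconds
EOF

# Write the list; a follow-up scan then reads it with: nmap -iL targets.txt ...
TARGETS="${TMPDIR:-/tmp}/targets.txt"
live_hosts "$SAMPLE" > "$TARGETS"
echo "$(count_live "$SAMPLE") live hosts written to $TARGETS"
```

Point live_hosts at the real live_hosts.gnmap from the sweep above and feed the resulting file to the next scan with -iL.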

  1. Technically there are only 254 usable addresses with a /24 mask. 0 is the network address and 255 is the broadcast address, so they are unusable. ;P

  2. True enough, and nmap handles those transparently. Still serves for some rough figuring!

  3. harrison, February 18th, 2010

    I just scanned my Aruba IP block in busi. It worked nicely and ran very fast. Returned 33 hosts up out of 254 scanned.