Nmap — Network Mapper
Tryhackme Walkthrough- Nmap Live Host Discovery + Notes
Nmap is a network scanning tool for mapping networks, identifying live hosts, and discovering the services they run. This page collects notes from the TryHackMe "Nmap Live Host Discovery" room plus hints for its tasks.
Terminologies
Network Segment : A group of computers connected using a shared medium, for example an Ethernet switch or a Wi-Fi access point.
Subnetwork: One or more network segments connected together and configured to use the same router.
The network segment refers to a physical connection, while a subnetwork refers to a logical connection.
- Subnets with /16, which means the subnet mask can be written as 255.255.0.0. Such a subnet can have around 65 thousand hosts (65,534 usable addresses once the network and broadcast addresses are excluded).
- Subnets with /24, which means the subnet mask can be written as 255.255.255.0. Such a subnet can have around 250 hosts (254 usable addresses).
Using NMap
nmap target — Nmap scans the targets specified. The target can be a single entity or multiple entities separated by spaces, and it can also be given as a range (for example 10.10.0-255.1) or a subnet in CIDR notation (for example 10.10.12.0/24).
nmap -iL targets.txt — Scans all the targets listed in the file targets.txt, one target per line.
nmap -sL targets — Lists the hosts that Nmap would scan without scanning them. Nmap still attempts a reverse-DNS resolution on every target to obtain its name, so add -n if you want the list without sending any DNS traffic.
Discovering Live Hosts using Protocols
ARP : Sends a frame to the broadcast address of the network segment asking the computer with a specific IP address to respond with its MAC (hardware) address. Because ARP frames are never forwarded by a router, this only finds hosts on the scanner's own segment.
If you want to ping a system on the same subnet, an ARP query should precede the ICMP Echo.
A scanner can send a specially-crafted packet to common TCP or UDP ports to check whether the target will respond. This method is efficient, especially when ICMP Echo is blocked.
When no host discovery options are provided, Nmap chooses its probes as follows:
- When a privileged user scans targets on the local network (Ethernet), Nmap uses ARP requests. A privileged user is root or a user who belongs to sudoers and can run sudo.
- When a privileged user scans targets outside the local network, Nmap uses an ICMP echo request, a TCP ACK (Acknowledge) to port 80, a TCP SYN (Synchronize) to port 443, and an ICMP timestamp request.
- When an unprivileged user scans targets outside the local network, Nmap cannot craft raw packets, so it resorts to a TCP 3-way handshake through the operating system's connect call, sending SYN packets to ports 80 and 443.
ICMP: To use ICMP echo requests to discover live hosts, add the option -PE. (Remember to add -sn if you don't want to follow that with a port scan.)
nmap -PE -sn target
Because ICMP echo requests tend to be blocked, you might also consider ICMP timestamp or ICMP address mask requests to tell if a system is online. Nmap sends a timestamp request (ICMP type 13) and checks whether it gets a timestamp reply (ICMP type 14). Adding the -PP option tells Nmap to use ICMP timestamp requests; the -PM option does the same with address mask requests (type 17, expecting a type 18 reply). Many modern hosts ignore both, so treat a missing reply as "unknown" rather than "down".
TCP SYN PING: If you want Nmap to use TCP SYN ping, use the option -PS followed by a port number, range, list, or a combination of them. For example, -PS21 will target port 21, while -PS21-25 will target ports 21, 22, 23, 24, and 25. Finally, -PS80,443,8080 will target the three ports 80, 443, and 8080. Either a SYN/ACK (open port) or a RST (closed port) in response proves the host is up; as a privileged user Nmap never completes the handshake, it simply notes the reply.
TCP ACK PING: This sends a packet with the ACK flag set; a live host answers an unsolicited ACK with a RST whether the port is open or closed, which makes this probe useful against simple stateless filters that only block SYN packets. You must be running Nmap as a privileged user to do this. If you try it as an unprivileged user, Nmap will attempt a 3-way handshake instead.
By default, port 80 is used. The syntax is the same as for TCP SYN ping: -PA is followed by a port number, range, list, or a combination of them.
UDP Ping : Sending a UDP packet to an open UDP port is not expected to produce any reply. However, if we send a UDP packet to a closed UDP port, we expect an ICMP port unreachable message (type 3, code 3) in return, and that message proves the host is online. The option is -PU, with the same port syntax as -PS and -PA; other ICMP errors such as network or host unreachable come from routers and do not indicate a live target.
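To make the ICMP timestamp (-PP), address mask (-PM) and UDP ping (-PU) discussion above concrete, here is an added Python example, written for these notes and not Nmap's own code. It builds the ICMP probes those options send and classifies replies the way Nmap interprets them: echo, timestamp and address-mask replies prove the host is up, a port-unreachable error proves it too, and any other destination-unreachable code does not. The packets are only constructed in memory; putting them on the wire needs a raw socket, which is exactly why these pings require a privileged user. The identifier 0x1234 and the sample replies are constructed values, not captured traffic.

```python
"""ICMP host-discovery probes and reply classification (illustrative, not Nmap code)."""
import struct
import time

# ICMP message types and the one code we care about (RFC 792, RFC 950)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
ADDRESS_MASK_REQUEST, ADDRESS_MASK_REPLY = 17, 18
PORT_UNREACHABLE = 3  # code field under type 3


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words.
    Over a whole valid message (checksum field included) it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _icmp_message(msg_type, code, ident, seq, payload):
    """Assemble type|code|checksum|ident|seq + payload with the checksum filled in."""
    header = struct.pack("!BBHHH", msg_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, code, csum, ident, seq) + payload


def echo_request(ident=0x1234, seq=1, payload=b""):
    """The -PE probe: ICMP type 8 (ident 0x1234 is an arbitrary constructed value)."""
    return _icmp_message(ECHO_REQUEST, 0, ident, seq, payload)


def timestamp_request(ident=0x1234, seq=1, originate_ms=None):
    """The -PP probe: ICMP type 13 carrying originate/receive/transmit timestamps
    in milliseconds since midnight UTC; receive and transmit are zero on a request."""
    if originate_ms is None:
        originate_ms = int((time.time() % 86400) * 1000)
    payload = struct.pack("!III", originate_ms, 0, 0)
    return _icmp_message(TIMESTAMP_REQUEST, 0, ident, seq, payload)


def address_mask_request(ident=0x1234, seq=1):
    """The -PM probe: ICMP type 17 with a zeroed 32-bit address-mask field."""
    return _icmp_message(ADDRESS_MASK_REQUEST, 0, ident, seq, b"\x00" * 4)


def parse_icmp(packet):
    """Return (type, code, checksum_ok) for a raw ICMP message (no IP header)."""
    msg_type, code = struct.unpack("!BB", packet[:2])
    return msg_type, code, icmp_checksum(packet) == 0


def host_is_up(reply):
    """Decide whether an ICMP reply demonstrates a live host, as Nmap does:
    echo, timestamp and address-mask replies count, and so does port unreachable
    (what a closed UDP port returns to a -PU probe). Other type-3 codes, such as
    network or host unreachable, come from routers and do not prove the host is up."""
    msg_type, code, checksum_ok = parse_icmp(reply)
    if not checksum_ok:
        return False
    if msg_type in (ECHO_REPLY, TIMESTAMP_REPLY, ADDRESS_MASK_REPLY):
        return True
    return msg_type == DEST_UNREACH and code == PORT_UNREACHABLE


# Constructed sample replies a target (or a router) might send back; not captured traffic.
SAMPLE_ECHO_REPLY = _icmp_message(ECHO_REPLY, 0, 0x1234, 1, b"")
SAMPLE_TIMESTAMP_REPLY = _icmp_message(TIMESTAMP_REPLY, 0, 0x1234, 1,
                                       struct.pack("!III", 1000, 1005, 1005))
SAMPLE_PORT_UNREACH = _icmp_message(DEST_UNREACH, PORT_UNREACHABLE, 0, 0, b"\x00" * 28)
SAMPLE_NET_UNREACH = _icmp_message(DEST_UNREACH, 0, 0, 0, b"\x00" * 28)

if __name__ == "__main__":
    for name, probe in (("-PE", echo_request()), ("-PP", timestamp_request()),
                        ("-PM", address_mask_request())):
        print(f"{name} probe: {probe.hex()}  checksum ok: {parse_icmp(probe)[2]}")
    for name, reply in (("echo reply", SAMPLE_ECHO_REPLY), ("timestamp reply", SAMPLE_TIMESTAMP_REPLY),
                        ("port unreachable", SAMPLE_PORT_UNREACH), ("net unreachable", SAMPLE_NET_UNREACH)):
        print(f"{name:17} -> host up: {host_is_up(reply)}")
```

The checksum verification in parse_icmp is what separates a genuine reply from line noise or a truncated capture; a real scanner would also match the reply's identifier and sequence number against the probe it sent before counting the host as up.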
Reverse DNS Lookup
Nmap's default behaviour is to perform reverse-DNS lookups on the hosts it finds online. Because hostnames can reveal a lot (naming conventions, roles, environments), this can be a helpful step. However, if you don't want to send such DNS queries, which also land in the resolver's logs, use -n to skip this step.
By default, Nmap only looks up online hosts; you can use the option -R to query the DNS server even for offline hosts. If you want to use a specific DNS server, add the --dns-servers DNS_SERVER option.
Masscan
Masscan uses a similar approach to discover the available systems. However, to finish its network scan quickly, Masscan is quite aggressive with the rate of packets it generates, so set --rate explicitly and agree it with the network owner before scanning production ranges. The syntax is quite similar: -p can be followed by a port number, list, or range. Consider the following examples:
masscan MACHINE_IP/24 -p443
masscan MACHINE_IP/24 -p80,443
masscan MACHINE_IP/24 -p22-25
masscan MACHINE_IP/24 --top-ports 100
Summary
TryHackMe Walkthrough
Task 2
Hint: ARP packets are bound to their network segment, i.e. if you are in Network A, you can use ARP only to discover the devices within that subnet.
Task 3
Hint:
1) Run nmap -sL 10.10.12.13/29 on the VM; the listing shows every address in the /29 block (8 addresses) without scanning any of them.
2) We have IPs of the form 10.10.x.y where x can take any value in the range 0-255, so there are 256 possible values for x. Similarly, the range given for y allows 25 possible values. So the number of IPs = 256 * 25 = 6400.
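The subnet sizes under Terminologies and the counting in the Task 3 hint both come down to how Nmap expands a target specification. The following Python helper is added to these notes (it is not Nmap's code) and expands or counts the IPv4 target forms the notes use: a CIDR block such as 10.10.12.13/29 and per-octet ranges or comma lists. The range 10.10.0-255.101-125 is a constructed input whose last octet has 25 values, matching the arithmetic in the hint; 192.168.1.1,5,10 is likewise constructed.

```python
"""Count and expand Nmap-style IPv4 target specifications (illustrative helper, not Nmap code)."""
import ipaddress
from itertools import product


def _octet_values(field):
    """Expand one octet field such as '101-125', '1,5,10', '0-255' or '*' into ints."""
    values = set()
    for piece in field.split(","):
        if piece == "*":
            piece = "0-255"
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            lo = int(lo) if lo else 0      # Nmap allows an open-ended '-25' or '240-'
            hi = int(hi) if hi else 255
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet field out of range: {field!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def _octet_fields(spec):
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    return [_octet_values(o) for o in octets]


def count_targets(spec):
    """Number of addresses Nmap would scan for spec, without materialising them."""
    if "/" in spec:
        # Nmap scans the whole block, network and broadcast addresses included;
        # strict=False lets 10.10.12.13/29 stand for 10.10.12.8/29 as Nmap does.
        return ipaddress.ip_network(spec, strict=False).num_addresses
    total = 1
    for values in _octet_fields(spec):
        total *= len(values)
    return total


def expand_targets(spec):
    """Every IPv4 address (as str) the spec covers, in the order Nmap lists them."""
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    return [".".join(map(str, combo)) for combo in product(*_octet_fields(spec))]


def usable_hosts(prefix_len):
    """Usable host addresses in a block of the given prefix length: the total
    minus the network and broadcast addresses, so /24 -> 254 and /16 -> 65534.
    /31 (RFC 3021 point-to-point) and /32 (single host) have no such reserve."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    if prefix_len >= 31:
        return 2 ** (32 - prefix_len)
    return 2 ** (32 - prefix_len) - 2


if __name__ == "__main__":
    for spec in ("10.10.12.13/29", "10.10.0-255.101-125", "192.168.1.1,5,10"):
        print(f"{spec:22} -> {count_targets(spec)} addresses")
    print("10.10.12.13/29 expands to", expand_targets("10.10.12.13/29"))
    for prefix in (16, 24, 29):
        print(f"/{prefix}: {usable_hosts(prefix)} usable hosts")
```

Running nmap -sL on the same spec is the ground truth for these numbers; the helper is useful for sizing a scan before you send a single packet, which matters when a typo like 10.10.0-255.0-255 would turn a 25-host range into 65,536 targets.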
Task 4
Hint:
1) Check Network Log
Task 5
Hint:
1) ARP requests can be used to discover devices on the same subnet, so we will be able to discover computer2, computer3 and the router.