
Finding live hosts in your network

Finding live hosts in a network is often used by penetration testers to enumerate active targets, and by system administrators to count or monitor the number of active hosts.

This recipe describes how to perform a ping scan with Nmap to find the live hosts in a network.

How to do it...

Open your terminal and enter the following command:

$ nmap -sP 192.168.1.1/24

The result shows hosts that are online and responded to the ping sweep.

Nmap scan report for 192.168.1.102 
Host is up. 
Nmap scan report for 192.168.1.254 
Host is up (0.0027s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 
Nmap done: 256 IP addresses (2 hosts up) scanned in 10.18 seconds 

In this case, we found two live hosts in the network. Nmap has also found the MAC address, and it identified the vendor of a home router.

How it works...

Nmap uses the -sP flag for ping scanning. This type of scan is very useful for enumerating the hosts in a network. When executed as a privileged user, it sends a TCP ACK packet and an ICMP echo request; when run by a user who cannot send raw packets, it instead sends a SYN packet through the connect() syscall.

The CIDR suffix /24 in 192.168.1.1/24 indicates that we want to scan all 256 IP addresses of our network.

There's more...

ARP requests are used when scanning a local Ethernet network as a privileged user, but you can override this behavior by including the flag --send-ip.

# nmap -sP --send-ip 192.168.1.1/24

Traceroute

Use --traceroute to include a path between your machine and each host that was found.

Nmap scan report for 192.168.1.101 
Host is up (0.062s latency). 
MAC Address: 00:23:76:CD:C5:BE (HTC) 

TRACEROUTE 
HOP RTT ADDRESS 
1 61.70 ms 192.168.1.101 

Nmap scan report for 192.168.1.102 
Host is up. 

Nmap scan report for 192.168.1.254 
Host is up (0.0044s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 

TRACEROUTE 
HOP RTT ADDRESS 
1 4.40 ms 192.168.1.254 

Nmap done: 256 IP addresses (3 hosts up) scanned in 10.03 seconds 

NSE scripts

Ping scanning does not perform port scanning or service detection, but the Nmap Scripting Engine can still be enabled for scripts that depend on host rules, such as sniffer-detect and dns-brute.

# nmap -sP --script discovery 192.168.1.1/24 

Pre-scan script results: 
| broadcast-ping: 
|_ Use the newtargets script-arg to add the results as targets 
Nmap scan report for 192.168.1.102 
Host is up. 

Host script results: 
|_dns-brute: Can't guess domain of "192.168.1.102"; use dns-brute.domain script argument. 

Nmap scan report for 192.168.1.254 
Host is up (0.0023s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 

Host script results: 
|_dns-brute: Can't guess domain of "192.168.1.254"; use dns-brute.domain script argument. 
|_sniffer-detect: Likely in promiscuous mode (tests: "11111111") 

Nmap done: 256 IP addresses (2 hosts up) scanned in 14.11 seconds 
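The three listings above (the plain ping sweep, the --traceroute run and the --script discovery run) share one "normal" output format. The following Python parser is an added example, not code from the book or from the Nmap project: it turns that format into records per host (latency, MAC and vendor, traceroute hops, host script results), cross-checks the "Nmap done" summary against the parsed hosts and the CIDR address count explained in "How it works", and picks out hosts whose sniffer-detect result reports promiscuous mode, which is the finding a defender would want to triage. The sample text is constructed from the shapes of the listings above; the addresses, MACs and timings are illustrative.

```python
"""Parse Nmap normal output from a ping scan (-sP) into structured records.
Added example; SAMPLE_OUTPUT is constructed, not captured from a real scan."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: ping sweep with --traceroute and --script discovery.
SAMPLE_OUTPUT = """\
Pre-scan script results:
| broadcast-ping:
|_ Use the newtargets script-arg to add the results as targets
Nmap scan report for 192.168.1.101
Host is up (0.062s latency).
MAC Address: 00:23:76:CD:C5:BE (HTC)

TRACEROUTE
HOP RTT ADDRESS
1 61.70 ms 192.168.1.101

Nmap scan report for 192.168.1.102
Host is up.

Host script results:
|_dns-brute: Can't guess domain of "192.168.1.102"; use dns-brute.domain script argument.

Nmap scan report for 192.168.1.254
Host is up (0.0023s latency).
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)

Host script results:
|_dns-brute: Can't guess domain of "192.168.1.254"; use dns-brute.domain script argument.
|_sniffer-detect: Likely in promiscuous mode (tests: "11111111")

Nmap done: 256 IP addresses (3 hosts up) scanned in 14.11 seconds
"""

@dataclass
class Host:
    ip: str
    latency_s: float | None = None          # None when Nmap prints "Host is up."
    mac: str | None = None                  # only present on the local Ethernet
    vendor: str | None = None
    hops: list[tuple[int, float, str]] = field(default_factory=list)
    scripts: dict[str, str] = field(default_factory=dict)  # script id -> output

@dataclass
class ScanResult:
    hosts: list[Host]
    addresses_scanned: int | None = None
    hosts_up: int | None = None

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
UP_RE = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?\.")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?")
HOP_RE = re.compile(r"^(\d+)\s+([\d.]+) ms\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP addresses \((\d+) hosts? up\)")

def parse_nmap_normal_output(text: str) -> ScanResult:
    result = ScanResult(hosts=[])
    host: Host | None = None
    section: str | None = None   # "traceroute", "hostscript" or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None       # blank line ends a TRACEROUTE / script block
            continue
        if m := REPORT_RE.match(line):
            host = Host(ip=m.group(1))
            result.hosts.append(host)
            section = None
            continue
        if m := DONE_RE.match(line):
            result.addresses_scanned = int(m.group(1))
            result.hosts_up = int(m.group(2))
            continue
        if line.startswith("Pre-scan script results"):
            host = None          # pre-scan output is not tied to any host
            continue
        if host is None:
            continue
        if m := UP_RE.match(line):
            host.latency_s = float(m.group(1)) if m.group(1) else None
        elif m := MAC_RE.match(line):
            host.mac, host.vendor = m.group(1), m.group(2)
        elif line == "TRACEROUTE":
            section = "traceroute"
        elif line == "Host script results:":
            section = "hostscript"
        elif section == "traceroute" and (m := HOP_RE.match(line)):
            host.hops.append((int(m.group(1)), float(m.group(2)), m.group(3)))
        elif section == "hostscript" and (m := SCRIPT_RE.match(line)):
            host.scripts[m.group(1)] = m.group(2)
    return result

def cidr_address_count(target: str) -> int:
    """Addresses a CIDR target expands to (/24 -> 256); strict=False accepts
    a host address such as 192.168.1.1/24, as Nmap does."""
    return ipaddress.ip_network(target, strict=False).num_addresses

def promiscuous_hosts(result: ScanResult) -> list[str]:
    """IPs whose sniffer-detect output reports 'promiscuous mode'."""
    return [h.ip for h in result.hosts
            if "promiscuous" in h.scripts.get("sniffer-detect", "")]

def summary_is_consistent(result: ScanResult, target: str) -> bool:
    """Cross-check the 'Nmap done' line against the parsed hosts and the CIDR."""
    return (result.addresses_scanned == cidr_address_count(target)
            and result.hosts_up == len(result.hosts))

if __name__ == "__main__":
    res = parse_nmap_normal_output(SAMPLE_OUTPUT)
    for h in res.hosts:
        print(h.ip, h.mac or "-", h.vendor or "-", h.latency_s, h.hops, sorted(h.scripts))
    print("promiscuous:", promiscuous_hosts(res))
    print("summary consistent:", summary_is_consistent(res, "192.168.1.1/24"))
```

In practice you would feed the parser the file written by nmap -oN, or use -oX and an XML parser for anything beyond a quick check; the point of the cross-check is that a host count that disagrees with the summary line, or a total that disagrees with the CIDR, usually means the output was truncated or a different target was scanned than the one recorded.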

See also

  • The Running NSE scripts recipe
  • The Discovering hosts using broadcast pings recipe in Chapter 2, Network Exploration
  • The Discovering hosts with TCP SYN ping scans recipe in Chapter 2, Network Exploration
  • The Discovering hosts with TCP ACK ping scans recipe in Chapter 2, Network Exploration
  • The Discovering hosts with ICMP ping scans recipe in Chapter 2, Network Exploration
  • The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration
  • The Discovering hostnames pointing to the same IP recipe in Chapter 3, Gathering Additional Host Information
  • The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information
  • The Spoofing the origin IP of a port scan recipe in Chapter 3, Gathering Additional Host Information