- Nmap 6:Network exploration and security auditing Cookbook
- Paulino Calderon Pale
- 659字
- 2021-08-05 18:31:05
Discovering hosts with IP protocol ping scans
Ping sweeps are very important for host discovery. System administrators and penetration testers use them to determine which hosts are online and responding. Nmap implements several ping scanning techniques, including one called an IP protocol ping scan. This technique tries sending different packets using different IP protocols, hoping to get a response indicating that a host is online.
This recipe describes how to perform IP protocol ping scans.
How to do it...
Open your terminal and enter the following command:
# nmap -sP -PO scanme.nmap.org
If the host responded to any of the requests, you should see something like this:
# nmap -sP -PO scanme.nmap.org Nmap scan report for scanme.nmap.org (74.207.244.221) Host is up (0.091s latency). Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
How it works...
The arguments -sP -PO scanme.nmap.org tell Nmap to perform an IP protocol ping scan of the host scanme.nmap.org.
By default, this ping scan will use the protocols IGMP, IP-in-IP, and ICMP to try to obtain a response that will indicate that the host is online. Using --packet-trace will show more details of what happened behind the curtains:
# nmap -sP -PO --packet-trace scanme.nmap.org SENT (0.0775s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=52 id=8846 iplen=28 SENT (0.0776s) IGMP (2) 192.168.1.102 > 74.207.244.221: ttl=38 id=55049 iplen=28 SENT (0.0776s) IP (4) 192.168.1.102 > 74.207.244.221: ttl=38 id=49338 iplen=20 RCVD (0.1679s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=63986 iplen=28 NSOCK (0.2290s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8 NSOCK (0.2290s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 18 NSOCK (0.2290s) Write request for 45 bytes to IOD #1 EID 27 [192.168.1.254:53]: .............221.244.207.74.in-addr.arpa..... NSOCK (0.2290s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.254:53] NSOCK (0.2290s) Callback: WRITE SUCCESS for EID 27 [192.168.1.254:53] NSOCK (4.2300s) Write request for 45 bytes to IOD #1 EID 35 [192.168.1.254:53]: .............221.244.207.74.in-addr.arpa..... NSOCK (4.2300s) Callback: WRITE SUCCESS for EID 35 [192.168.1.254:53] NSOCK (8.2310s) Write request for 45 bytes to IOD #1 EID 43 [192.168.1.254:53]: .............221.244.207.74.in-addr.arpa..... NSOCK (8.2310s) Callback: WRITE SUCCESS for EID 43 [192.168.1.254:53] Nmap scan report for scanme.nmap.org (74.207.244.221) Host is up (0.090s latency). Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds
The three lines marked as SENT show the ICMP, IGMP, and IP-in-IP packets:
SENT (0.0775s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=52 id=8846 iplen=28 SENT (0.0776s) IGMP (2) 192.168.1.102 > 74.207.244.221: ttl=38 id=55049 iplen=28 SENT (0.0776s) IP (4) 192.168.1.102 > 74.207.244.221: ttl=38 id=49338 iplen=20
Out of those three, only ICMP responded:
RCVD (0.1679s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=63986 iplen=28
However, this was enough to reveal that this host is online.
There's more...
You can also set the IP protocols to be used by listing them after the option -PO. For example, to use the protocols ICMP (Protocol number 1), IGMP (Protocol number 2), and UDP (Protocol number 17) the following command can be used:
# nmap -sP -PO1,2,4 scanme.nmap.org
All of the packets sent using this technique will be empty. Remember that you can generate random data to be used with these packets, with the option --data-length:
# nmap -sP -PO --data-length 100 scanme.nmap.org
See also
- The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
- The Discovering hosts with TCP SYN ping scans recipe
- The Discovering hosts with TCP ACK ping scans recipe
- The Discovering hosts with UDP ping scans recipe
- The Discovering hosts ICMP ping scans recipe
- The Discovering hosts with ARP ping scans recipe
- The Discovering hosts using broadcast pings recipe
- The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information
- Web漏洞分析與防范實戰:卷1
- Mobile Forensics Cookbook
- Learning Python for Forensics
- INSTANT Windows PowerShell
- 解密彩虹團隊非凡實戰能力:企業安全體系建設(共5冊)
- 先進云安全研究與實踐
- Hands-On Artificial Intelligence for Cybersecurity
- 網絡空間安全法律問題研究
- 安全網絡構建
- 網絡入侵檢測系統原理與應用
- Real-World SRE
- CCNA Security 210-260 Certification Guide
- 互聯網域名國際化與安全技術導論
- 網絡空間安全實踐能力分級培養(I)
- Metasploit Bootcamp