It is not the monsters we should be afraid of; it is the people that don’t recognize the same monsters inside of themselves.
— Shannon L. Alder.
If you’re a network IT (Information Technology) engineer or cybersecurity professional for sure you’d know about the tool
nmap which stands for network mapper 1 is an open source tool for network discovery and is mostly use for security auditing. Been using this tool for many years and this are my favorite command line flags:
Skip reverse DNS call
This is a helpful flag specially if you don’t want that additional millisecond of fetching records from a DNS server. Or you have a specific case scenario that involves using only internal cached host file.
nmap -n scanme.nmap.org
Stop ping checks
-PN flag specifically tells
nmap that the host is online, skipping check if its alive through ping2. This is particularly useful in situation where you know the target is blocking all ICMP (Internet Control Message Protocol)3 in firewall.
nmap -PN scanme.nmap.org
-sV flag is useful specially in network auditing and determining if there are any ports available. The command will probe the target machine ports availability and guess the service (including the service version) that is running.
nmap -sV scanme.nmap.org
Finding live host
This command is specifically useful for network engineers to know if there are any alive host on the network. The notation below tells to scan the specific subnet4 using ICMP protocol and return the list of host that responded.
nmap -sP 192.168.1.1/24
Scan using specified network interface
If you have multiple NIC’s (Network Interface Controller)5 and you want to route the scan to a specific NIC, then this is the solution. Normally
nmap or any other tool that utilize the computer network would use the OS designated network route (normally determined by network table and preferred gateway). The
-e flag tells
nmap to use that specific network controller to perform/resolve the scan.
nmap -e eth0 scanme.nmap.org
SYN ping scans
The SYN scan specifically tries to send request packets to target machine and check if it accepts the request packets. Mostly this is one of the default alternative ways of checking if the host is alive.
nmap -sP -PS scanme.nmap.org
ACK ping scans
The ACK scan is the opposite of SYN. In which this particular scan sends and ACK or (acknowledge) packet to the target machine if it will respond. Most modern firewalls block this if its not associated in a three way handshake.
nmap -sP -PA scanme.nmap.org
UDP port scans
This UDP6 port/ping scan is helpful when you know the target machine only blocks TCP packets. This specific flag sends a UDP packet to ports available on the machine and check’s if the target machine responds.
nmap -sP -PU scanme.nmap.org
IP (Internet Protocol) ping scans
Actually, this particular scan is special as its send IP packets to the specified IP protocol number in their IP header. It’s kinda special in a sense that if you didn’t supply a protocol type it will send multi-packets ICMP, IGMP, and IP-in-IP packet.
nmap -sP -PO scanme.nmap.org
ARP ping scans
This particular scan is mostly useful in LAN scenario. As you send an ARP packet it will return specific address or addresses that consumed the broadcast request.
nmap -sP -PR scanme.nmap.org
Mostly, that’s all. I’ve used other flags but this are my most used command flags for
- Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). ↩︎
- Ping measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source. The name comes from active sonar terminology that sends a pulse of sound and listens for the echo to detect objects under water. ↩︎
- The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address, for example, an error is indicated when a requested service is not available or that a host or router could not be reached. ↩︎
- A subnetwork or subnet is a logical subdivision of an IP network. ↩︎
- A network interface controller (NIC, also known as a network interface card, network adapter, LAN adapter or physical network interface, and by similar terms) is a computer hardware component that connects a computer to a computer network. ↩︎
- The User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite. The protocol was designed by David P. Reed in 1980 and formally defined in RFC 768. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network. Prior communications are not required in order to set up communication channels or data paths. ↩︎