Introduction
Hi, this is Gus and today I will be showing you how to discover live hosts like a boss.
Let’s jump into the demo and start some actions!
Windows Target Host
Our target is a Windows box with the IP address 10.0.20.103; remember that it ends in 103 and you will be able to pick it out in the output below.
On this machine I blocked inbound ICMP echo requests with the Windows Firewall "File and Printer Sharing" rules (the Echo Request - ICMPv4-In rule); in the screenshot, Inbound Rules is selected on the left side:
Let’s jump into Kali and check how we can identify this live host!
Ping Using Kali
First I will ping the Windows box, using the -c option so that ping stops after three packets.
As you can see, ping reports 100% packet loss, as though the destination were down, but that's not the case, right?
ARP Scan Using Kali
Let's take advantage of ARP instead: a host has to answer ARP requests to communicate on the LAN at all, and the Windows firewall filters at the IP layer and above, so it cannot hide the box from an ARP probe. I'll scan with the arp-scan tool:
And this time the tool has identified that our host is alive:
That works on the LAN, but what if I'm targeting a host on the internet? ARP never crosses a router, so it is only available for hosts on our own broadcast domain.
In this case, Nmap comes to the rescue! (more details in the next section – Nmap Ping Scan Using Kali)
And by the way, if you like this article, I have more detailed online courses about Nmap & Scanning:
Penetration Testing With Kali Linux – Online Course:
http://www.pluralsight.com/courses/kali-linux-penetration-testing-ethical-hacking
Internal Footprinting: Reconnaissance and Mapping:
https://www.pluralsight.com/courses/internal-footprinting-reconnaissance-mapping
Nmap Ping Scan Using Kali
Alright, I will use Nmap's ping scan (the -sn option) to get the job done.
And voilà! Because Nmap does a reverse DNS lookup by default (pass -n to skip it), I also get the full hostname along with the domain it belongs to:
And I can see clearly that the host is up and running as well:
Nmap Ping Scan Explained
Now, why is Nmap's ping scan so effective at identifying live hosts?
I'm assuming you're running Nmap as root; that is what lets it send the raw ICMP, TCP and ARP probes below. As a non-root user, -sn falls back to ordinary TCP connect() attempts to ports 80 and 443. Against a non-local target, Nmap sends several probes at once, and any reply counts as a live host:
- An ICMP echo request, the same probe ping sends (and the one our target drops)
- An ICMP timestamp request, which firewalls sometimes filter differently from echo requests
- A TCP ACK packet to port 80: a stateless firewall that only screens SYNs often lets it through, and the host reveals itself by answering with a RST, which makes this very effective for live internet hosts
- A TCP SYN packet to port 443 (HTTPS): an open port answers SYN/ACK and a closed port answers RST, and either one proves the host is up
- On a local Ethernet network, Nmap skips the IP probes above and sends ARP requests instead (unless you pass --send-ip), which is why it works so reliably on the LAN even when ICMP is blocked
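Putting the three steps together, here is an added example script (not from the original post) that picks arp-scan for targets on the local link and the Nmap ping scan, with the default probes spelled out as explicit flags, for everything else, then normalises both tools' output into a plain list of live IPs. It assumes Linux with iproute2 (`ip route get`), arp-scan and nmap on the PATH, and root privileges for the raw-packet probes; the sample tool output used to exercise the parsers is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): choose a host-discovery
# method by where the target lives, then print only the IPs that answered.
# Assumes Linux with iproute2, arp-scan and nmap installed, run as root.
set -eu

# Return 0 when TARGET (host or CIDR) is on a directly attached link, i.e.
# an ARP request can reach it. "ip route get" prints "via <gateway>" only
# when the packet would have to be routed through a gateway.
on_local_link() {
    local addr="${1%%/*}"          # strip any /prefix for the route lookup
    ! ip route get "$addr" 2>/dev/null | grep -q ' via '
}

# Parse nmap grepable output (-oG -) and print the IPs marked "Status: Up".
# Typical line:  Host: 10.0.20.103 (win-target.lab.local)  Status: Up
nmap_live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Parse arp-scan output and print the IPs of responding hosts.
# Result rows look like:  10.0.20.103  00:0c:29:11:22:33  VMware, Inc.
# Header and summary lines have no dotted-quad first field, so they are skipped.
arpscan_live_hosts() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 ~ /:/ { print $1 }'
}

# Sweep TARGET with the method that fits its location.
discover() {
    local target="$1"
    if on_local_link "$target"; then
        # ARP is answered below the IP layer, so a host firewall that drops
        # ICMP cannot hide the box from us on the local segment.
        arp-scan "$target" | arpscan_live_hosts
    else
        # The same probes nmap -sn sends by default to a non-local target,
        # spelled out: ICMP echo (-PE), ICMP timestamp (-PP), TCP ACK to 80
        # (-PA80) and TCP SYN to 443 (-PS443). -n skips reverse DNS.
        nmap -sn -n -PE -PP -PA80 -PS443 -oG - "$target" | nmap_live_hosts
    fi
}

if [ "$#" -eq 1 ]; then
    discover "$1"
fi
```

Run it as `sudo ./discover.sh 10.0.20.103` or with a whole range such as `10.0.20.0/24`; for a LAN target you can also force the IP probes through Nmap with `--send-ip` if you want to compare what the firewall lets through.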
Happy Learning!