Welcome to the Nmap lesson on host discovery scanning.
As you work through this lesson, please just remember that the main point of host discovery is to scan larger networks in such a way that you can narrow down your search to interesting targets.
Once you identify those interesting targets is when you move on to do more in-depth port scanning, using different scanning techniques, OS and version detection, or even vulnerability assessment and penetration testing.
This lesson will show you quick ways to identify interesting targets among a sea of hosts.
Here are the learning objectives for this lesson.
First, we'll talk about what host discovery is, and about where I think you should consider placing your host discovery options in an Nmap scan statement.
Second, we'll discuss the most popular and useful host discovery options.
Third, I'll briefly talk you through some other host discovery options, and finally we'll go through a quick lab so that I can demonstrate the key points and show you why I like several of the host discovery options a lot.
I'll also throw in a couple of tips and reminders that may help you in your scanning.
In this lesson, the lab is really important because recent versions of Nmap don't work exactly according to the online documentation.
So please run through them with me.
What is host discovery?
In Nmap, host discovery is intended to scan entire network segments in order to find out what devices or hosts are available.
In the previous lesson, we focused on performing various scans on selected targets. And even though you could run those scans against a range of hosts or entire networks, the goal was to perform various port scanning techniques against those targets to discover responding services.
Host discovery scans are optimized to narrow down a large number of hosts to a more manageable list of interesting targets.
So where should you place your host discovery options in an Nmap statement?
Well, like I said before, it's entirely up to you. But I suggest placing your host discovery options at the beginning of the scan statement.
Place it where you would have placed your scan technique. In fact, since host discovery is normally used for an entirely different purpose, you should replace your scan technique option with your host discovery option in most cases.
I'll show you a couple of good examples in the lab.
Do you have to use any host discovery options?
And if you don't, none will be run as a part of a default Nmap scan, although I think you'll agree that scanning an entire network using some of the less common host discovery options will yield very similar results as a standard Nmap scan that doesn't have any host discovery option selected.
In many ways, host discovery scans may be one of the first scans a network administrator or security professional may want to run on a large range of network devices. In fact, for the network administrator, host discovery may be the only type of scan that produces the information that he or she is looking for, that is, an inventory of live hosts.
I'll show you what I mean in the lab.
The last bullet point is simply a reference to the host discovery reference page on the Nmap website.
Okay, so here are my favorite host discovery options and what I'll call extra features or sub-options.
nmap -sL is a list scan.
It lists each host of a network specified without ever sending any packets to the target hosts. By default, Nmap will do a reverse DNS resolution on each host to learn their names.
This is a great scan to run for reconnaissance against public address spaces because it is not intrusive, since it doesn't send any packets to the host directly.
It is even less noticeable than a TCP SYN scan because it basically is just doing a reverse DNS lookup against name servers.
Then there's nmap -sn, which is called a no port scan.
This one is probably my favorite host discovery option. It tells Nmap not to do a port scan after host discovery and only prints available hosts. This is also known as a ping scan or ping sweep.
The default host discovery, done with -sn, consists of an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request by default.
This is very unobtrusive, yet provides very valuable information.
You can combine this with the traceroute and NSE scripts. The reason I love the scan so much is that it basically only displays a list of the hosts that are up and running, and it does it very quickly.
It'll resolve their names, and if they exist on your local subnet or VLAN, will provide you with MAC addresses and the manufacturer of the network adapter.
You can also combine it with the next scan, which is the no ping scan:
nmap -Pn, or the no ping scan.
This option skips Nmap's discovery stage, which is usually used by Nmap to determine active devices.
Only when those active devices are found, Nmap will perform additional probes.
But the no ping scan will perform requested scanning options against all targets specified, even if they're not found active.
Additionally, ARP scanning is performed unless --disable-arp-ping or --send-ip is specified.
The scan is relatively slow when additional options are not specified, since it basically runs a default Nmap scan against every single address identified in the scan, whether it's up or not.
Generally, this should be combined with other options.
If you combine it with -sn, it will not do a port scan.
The useful options you can combine with any host Discovery scan are also listed on this slide.
-n can speed up some scans because it forces no DNS resolution.
-R forces resolution of all host names. --traceroute will literally perform a traceroute to every responding target,
and the --dns-servers feature allows you to specify DNS servers to use for name resolution.
By default, Nmap will either use your system's name servers or will use the target's name server sometimes.
You can look each of these up on your own if you wish using the link I provided earlier, but I'll run through them quickly, since I generally explained how flags are set in TCP headers in several previous videos.
-PS performs a TCP SYN ping.
-PA does a TCP ACK ping.
-PU does a UDP ping.
-PY does an SCTP INIT ping, and -PO does an IP protocol ping.
In recent releases of Nmap, I just haven't found these to be that great compared to the other scan techniques and host discovery options.
-PE, -PP, and -PM cause Nmap to send ICMP pings.
It doesn't do much more than a standard ping submitted from a command line or terminal window because it goes beyond a simple ICMP echo request, so you may find these useful in some cases.
-PR performs an ARP ping. It is intended to provide you with the MAC addresses of your targets. Of course, it will only work if those targets are in your broadcast domain, a.k.a. on your local network.
I personally find -sn much more helpful for this and way faster. I suggest you test the difference for yourself.
--disable-arp-ping causes Nmap to disable ARP in IPv4 and Neighbor Discovery in IPv6.
This theoretically can make some scans run faster, but I hardly ever use it because of how valuable MAC addresses are.
--system-dns causes Nmap to use your scanning station's name servers to perform reverse name resolution instead of your target's.
I don't use it ever because it limits Nmap's ability to perform requests in parallel, instead just performing one at a time, but it's available if you figure out a time and place for it.
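
[Added example, not part of the lesson or of Nmap itself.] The default -sn probe set listed above (ICMP echo request, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request) is distinctive enough for a network owner to recognize a ping sweep in flow or firewall logs. The log format, the addresses and the function names below are assumptions made up for this sketch.

```python
from collections import defaultdict

# Default -sn probe set as listed in the lesson, keyed by how each probe
# appears in the assumed log format "src dst proto detail".
PROBES = {
    ("icmp", "type=8"): "icmp-echo",             # ICMP echo request
    ("tcp", "flags=S dport=443"): "syn-443",     # TCP SYN to port 443
    ("tcp", "flags=A dport=80"): "ack-80",       # TCP ACK to port 80
    ("icmp", "type=13"): "icmp-timestamp",       # ICMP timestamp request
}
FULL_SET = frozenset(PROBES.values())


def parse(line):
    """Return (src, dst, probe_name or None) for one log line."""
    src, dst, proto, detail = line.split(maxsplit=3)
    return src, dst, PROBES.get((proto, detail.strip()))


def find_sweepers(lines, min_hosts=3):
    """Map each source to the targets it sent the full probe set to,
    keeping only sources that did so against at least min_hosts targets."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> dst -> probes seen
    for line in lines:
        if not line.strip():
            continue
        src, dst, probe = parse(line)
        if probe:
            seen[src][dst].add(probe)
    result = {}
    for src, targets in seen.items():
        swept = sorted(d for d, p in targets.items() if p == FULL_SET)
        if len(swept) >= min_hosts:
            result[src] = swept
    return result


def sample_log():
    """Constructed records for illustration, not captured traffic."""
    details = list(PROBES)
    lines = [f"10.0.0.5 192.168.1.{h} {p} {d}"
             for h in (10, 11, 12) for p, d in details]
    # Full probe set against a single host: below the sweep threshold.
    lines += [f"10.0.0.7 192.168.1.10 {p} {d}" for p, d in details]
    # Ordinary client traffic that matches only part of the set.
    lines += ["10.0.0.9 192.168.1.10 tcp flags=S dport=443",
              "10.0.0.9 192.168.1.11 icmp type=8",
              "10.0.0.9 192.168.1.12 tcp flags=S dport=22"]
    return lines


if __name__ == "__main__":
    for src, hosts in find_sweepers(sample_log()).items():
        print(f"{src} sent the full discovery probe set to {hosts}")
```

Targets on the scanner's own subnet are probed with ARP rather than these four packets, so this check only applies to routed traffic.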