Friday, September 23, 2016

the crux of host discovery, shown with NMAP


when you are scanning a bigger range of IP addresses to discover all hosts that are up, that's not as easy as it seems. nowadays infrastructure components (like firewalls) are not as "noisy" as they were in the past.


let's take a look with NMAP and check if one of amazon's servers is up. (-sn disables the standard scan of the 1000 most common ports; only host discovery is performed)

host is up. let's check with WIRESHARK which kind of requests NMAP sent.

no. 1477: "ICMP echo" on the network layer, which is the same request a standard PING sends.

no. 1478: SYN to port 443 (SSL/TLS). the standard TCP handshake to establish a connection is client SYN, server SYN-ACK, client ACK. from the server's perspective this looks like the start of a handshake to create a TCP connection on port 443.

no. 1479: ACK to port 80. the ACK is normally the last step of the handshake, the client's reply to the server's SYN-ACK. here NMAP starts the communication with a bare ACK at port 80, expecting that the server may react with a RST (reset).

no. 1480: "ICMP timestamp" request

no. 1483: the only response from the server, the answer to the SYN that tried to establish a connection at TCP port 443.

the nmap command shown above is the short form of

-PE: ICMP echo
-PS443: SYN ping at port 443
-PA80: ACK ping at port 80
-PP: ICMP timestamp

the result is the same

the server responded neither to the ICMP requests nor to the protocol violation (the bare ACK) at port 80. the only reason NMAP shows the server as up is that the SYN to port 443 was answered with a SYN-ACK.

what would happen if there were no service running at 443?

let's simulate this by doing the same host discovery but using port 444 instead of 443.

as you can see below, in this case there is no response from the server. nmap sends the ICMP requests twice, but in the end the server is reported as "not up".

the result would be the same if the server only ran a web server on port 80, or used other ports instead of 80 and 443.

depending on your time, your bandwidth and the IP range you scan, it may be the safer way to disable host discovery and scan directly for the open ports of the services you expect, as shown below.

otherwise there is always the risk that a host does not get scanned because host discovery fails.
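as an added example (not nmap's, Wireshark's or this post's own code), the following Python models the whole round discussed above: it parses a constructed summary of the four probes from the capture, maps each one to the -P option that produces it, lets a firewall that answers only SYNs to open ports respond, and applies nmap's rule that any answer marks the host as up. the addresses, frame numbers and the `silent_firewall` policy are assumptions; `default_probes` takes the SYN and ACK ports as parameters so the port-444 and port-80-only cases can be replayed, and `skip_discovery` stands for nmap's -Pn, which runs the port scan without a discovery round. `discovery_sweep_sources` adds the defender's view: a source that sent all four probe kinds to one host is what this round looks like in firewall logs.

```python
"""nmap's default host-discovery round (the -sn case from this post) against a
host whose firewall answers only SYNs to open ports.

Added example for this post, not nmap's or Wireshark's code. The capture
below is constructed to mirror the frames described in the text; numbers,
addresses and ports are made up (198.51.100.7 stands in for the server)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed capture in a "no. src > dst proto info" shape, one probe per line.
CAPTURE = """\
1477 192.0.2.10 > 198.51.100.7 ICMP echo request
1478 192.0.2.10 > 198.51.100.7 TCP 54321 > 443 [SYN]
1479 192.0.2.10 > 198.51.100.7 TCP 54322 > 80 [ACK]
1480 192.0.2.10 > 198.51.100.7 ICMP timestamp request
"""

LINE = re.compile(
    r"^(?P<no>\d+) (?P<src>\S+) > (?P<dst>\S+) "
    r"(?:ICMP (?P<icmp>echo|timestamp) request"
    r"|TCP \d+ > (?P<port>\d+) \[(?P<flag>SYN|ACK)\])$"
)

ALL_KINDS = {"icmp-echo", "icmp-timestamp", "tcp-syn", "tcp-ack"}

@dataclass(frozen=True)
class Probe:
    no: int
    src: str
    dst: str
    kind: str            # one of ALL_KINDS
    port: Optional[int]  # destination port for TCP probes, None for ICMP

def parse_capture(text: str) -> list[Probe]:
    """Turn the summary lines into Probe records."""
    probes = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        if m["icmp"]:
            probes.append(Probe(int(m["no"]), m["src"], m["dst"], "icmp-" + m["icmp"], None))
        else:
            probes.append(Probe(int(m["no"]), m["src"], m["dst"],
                                "tcp-" + m["flag"].lower(), int(m["port"])))
    return probes

def nmap_option(p: Probe) -> str:
    """The -P option that produces this probe (nmap's default -sn set)."""
    return {"icmp-echo": "-PE", "icmp-timestamp": "-PP",
            "tcp-syn": f"-PS{p.port}", "tcp-ack": f"-PA{p.port}"}[p.kind]

def default_probes(syn_port: int = 443, ack_port: int = 80) -> list[Probe]:
    """The four default probes, with the SYN/ACK ports as parameters so the
    port-444 experiment from the post can be replayed."""
    src, dst = "192.0.2.10", "198.51.100.7"
    return [Probe(1, src, dst, "icmp-echo", None),
            Probe(2, src, dst, "tcp-syn", syn_port),
            Probe(3, src, dst, "tcp-ack", ack_port),
            Probe(4, src, dst, "icmp-timestamp", None)]

def silent_firewall(p: Probe, open_ports: set[int]) -> Optional[str]:
    """Assumed policy of a stateful firewall: ICMP and out-of-state ACKs are
    dropped, a SYN to an open port gets SYN-ACK, any other SYN is dropped
    silently (no RST)."""
    if p.kind == "tcp-syn" and p.port in open_ports:
        return "SYN-ACK"
    return None

def host_is_up(probes: list[Probe], open_ports: set[int]) -> tuple[bool, dict]:
    """nmap's rule: any answer to any probe marks the host as up."""
    responses = {p.no: silent_firewall(p, open_ports) for p in probes}
    return any(r is not None for r in responses.values()), responses

def port_scan_would_run(probes, open_ports, skip_discovery=False) -> bool:
    """With discovery skipped (nmap -Pn) the port scan runs regardless."""
    return skip_discovery or host_is_up(probes, open_ports)[0]

def discovery_sweep_sources(probes: list[Probe]) -> list[str]:
    """Defender's view: sources that sent all four probe kinds to one host,
    the shape of an nmap -sn round in firewall logs."""
    seen: dict[tuple[str, str], set[str]] = {}
    for p in probes:
        seen.setdefault((p.src, p.dst), set()).add(p.kind)
    return sorted({src for (src, _), kinds in seen.items() if kinds >= ALL_KINDS})
```

with port 443 open, `host_is_up(parse_capture(CAPTURE), {443})` is true and the only non-empty entry in the response map is the SYN-ACK for frame 1478, exactly the picture from the capture. replaying `default_probes(syn_port=444)` against the same host, or the default probes against a host with only port 80 open, yields no response at all and the host is reported down, while `port_scan_would_run(..., skip_discovery=True)` still proceeds to the port scan.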

NMAP also supports other host discovery techniques (https://nmap.org/book/man-host-discovery.html);

nevertheless, a well-configured firewall will only respond to a SYN at an open port and otherwise stay silent.