How to perform host discovery and OS detection using Nmap

Key takeaways:

• Nmap is an open-source network analysis tool used for host discovery and OS detection.

• Host discovery determines if a target host is active using various methods like TCP SYN ping, TCP ACK ping, UDP ping, ARP scan, and IP protocol ping.

• TCP SYN and ACK pings involve sending specific packets to check host activity, while UDP ping may not always return a response.

• ARP scan discovers hosts on a local network by sending ARP requests.

• IP protocol ping uses different protocols (TCP, UDP, ACK) to determine host status.

• OS detection using Nmap’s -O flag helps identify the target’s operating system and its potential vulnerabilities, though results may not always be fully accurate.

Host discovery is discovering if the target host is active, and OS detection means identifying the operating system by looking at various network characteristics of the host machine. Modern-day security blocks standard ICMP requests to identify the status of the host. Therefore, Nmap offers many host discovery techniques. Let’s dive into the techniques in Nmap.

Host discovery

1. TCP SYN ping

The TCP three-way handshake to establish a connection simply works by sending a SYN/ACK package. The user tries to send a SYN packet, and if the host is up, it sends back an ACK or RST packet; if the host is down. Timeout also indicates that the host is down.

Let’s break down the command to test it.

• nmap: A command to start the Nmap tool

• -sn: Flag to tell Nmap not to perform a port scan on the host.

• -PS80: Flag to tell Nmap to perform TCP SYN ping on port 80.

• -R: Flag to tell Nmap to perform reverse DNS lookup.

• -v: Flag to tell Nmap to give a more detailed answer.

• hostname: The host’s name, in this case, ‘google.com.’

The expected output of this method is either “Host is up” or “Host is down.”

2. TCP ACK ping

In a TCP ACK ping, we send a TCP ACK packet instead of a TCP SYN packet. The TCP ACK ping selects a specific port to send the ACK package on, acknowledging the connection or receipt of data. The responses of the TCP ACK ping at different ports can be used to conclude whether the host is active or not.

Let’s break down the command to do this as well.

• nmap: A command to start the Nmap tool

• -sn: Flag to tell Nmap not to perform a port scan on the host.

• -PA: Flag to tell Nmap to perform TCP ACK ping.

• hostname: The host’s name, in this case, “google.com.”

By sending the acknowledgment, the user can trick the target into establishing a connection. Hence, getting information about the status of the host.

3. UDP ping

UDP packets establish a connectionless communication channel. There is no receipt or acknowledgment of data transfer. The trick to getting beneficial responses is selecting the correct ports to target. UDP ping is less reliable because the host may be up, but the port may be closed. It is not necessary for a UDP ping request to send a response back.

Here’s how you can do the UDP ping on your target host.

• nmap: A command to start the Nmap tool

• -sn: Flag to tell Nmap not to perform a port scan on the host.

• -PU53: Flag to tell Nmap to perform a UDP ping on port 53(DNS).

• hostname: The host’s name, in this case, “google.com.”

The expected output would either get a response or not get one. The trick used in this specific ping method is selecting the DNS port 53 to launch the Nmap UDP ping. There’s a higher chance of getting a response like this.

4. ARP scan

An ARP scan scans the network to discover the hosts on the network. It works by sending ARP requestsARP requests are sents to host on the network to find out MAC addresses against the IP addresses of hosts. to all the hosts on the network and analyzing their responses.

Let’s break down the ARP scan method of Nmap.

• nmap: A command to start the Nmap tool

• PR: Flag to tell Nmap to perform ARP ping scan.

• hostname: The target IP or range of IPs, in this case, “google.com.”

The other way is to perform an ARP scan on a network or a subnet.

• Here, the subnet is “192.168.1.0/24.”

Scanning a whole network is an extensive task. Hence, this method would take a lot of time and would return the status of all the hosts within the network/subnet.

5. IP protocol ping

The IP protocol ping method doesn’t have a specified ping method like TCP, UDP, or ICMP ping scans discussed previously. You specify the type of scan with the “s” flag.

Here’s how you can do that.

• nmap: A command to start the Nmap tool

• -s<protocol>: Flag to tell Nmap to perform a protocol scan.

• -- traceroute: Flag to tell Nmap to trace the route the request takes to reach the target.

• -p <port>: Flag that specifies the port to test.

• hostname: The target host, in this case, “google.com.”

A few common protocols used with the “s” tag are -sS for TCP SYN, -sU for UDP scan, and -sA for ACK scan. The result for each protocol is discussed previously.

OS detection

OS detection is an important part of penetration testing. Getting information about your target’s operating system can help you find vulnerabilities in that particular operating system. OS detection may not always be accurate. The result may or may not be able to extract the exact OS and its version.

Here’s how you can do it.

• nmap: A command to start the Nmap tool

• -O: Flag to tell Nmap to do OS analysis.

• hostname: The target host, in this case, “google.com.”

Try it yourself

You can test all the reconnaissance techniques mentioned above using Nmap on any host.

Conclusion

Nmap offers versatile techniques for host discovery and OS detection, making it a critical tool for network security and audit tasks. Its ability to uncover active hosts and potential system vulnerabilities can greatly enhance penetration testing efforts.