To effectively defend a network, it’s vital to understand what needs protection through asset management, which relies on network mapping to identify active systems. Awareness of exposed assets and hosted services is crucial for anyone looking to secure their network.
Nmap has long been regarded as the standard port scanner for both network engineers and security professionals. It can be utilized to identify assets for both attack and defense purposes.
One method to identify active hosts on the network is to send a ping, or ICMP Echo Request, to all IP addresses within the network. This process is commonly known as a Ping Sweep.
This method is not very effective for discovering assets, as systems may ignore incoming pings due to firewalls, either network-based or host-based (installed on the individual system).
A more effective approach is to send various types of packets to elicit responses that indicate whether a system is active. For instance, Nmap may send the following packets to provoke a reply:
TCP normally requires a three-way handshake before data is exchanged, but for host discovery Nmap does not need one: it sends a TCP ACK packet to port 80, and a live host that has no matching connection answers with a RST, which is enough to show that it is up. Sending such crafted packets requires elevated privileges (root or administrator), which is one reason Nmap's host discovery is more accurate than that of other port scanners.
The -Pn flag disables host discovery (the network-mapping phase): Nmap treats every target IP as active and goes straight to port scanning. Always get permission before running Nmap in a corporate environment to avoid violating policy.
Passing -v twice (-vv) increases the verbosity of the output, which makes the progress of the scan more interesting to watch.
ARP only works within a LAN, so if the hosts you want to discover are on the same LAN as the scanner, we can use it to identify systems. By systematically sending an ARP request for every IP address in the LAN, we prompt each live system to answer with its MAC address.
The scan is performed as follows:
Eve: Please provide the MAC address of system 192.168.0.1
Eve: Please provide the MAC address of system 192.168.0.2
Eve: Please provide the MAC address of system 192.168.0.3
Eve: Please provide the MAC address of system 192.168.0.4
Eve: Please provide the MAC address of system 192.168.0.5-254
Default Gateway: 192.168.0.1 is me and my MAC address is AA:BB:CC:12:34:56
Bob: 192.168.0.3 is me and my MAC address is BB:CC:DD:12:34:56
Alice: 192.168.0.4 is me and my MAC address is CC:DD:EE:12:34:56
Note: ARP scanning is a straightforward and effective method for discovering hosts on the LAN, but it does not work for hosts outside the LAN.
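Both the Nmap host-discovery section and the ARP section above end with the same defensive question: which hosts answered, and do they match what we think is on the network? The following Python script, added here as an example and not part of the original page or of the Nmap project, parses the normal output of `nmap -sn` (which, when run from a host on the LAN, uses ARP and reports MAC addresses) into an asset list and diffs it against a known-asset inventory, flagging hosts that were not expected, hosts that are missing, and hosts whose MAC address changed. The Nmap output, the vendor strings and the `KNOWN_ASSETS` table are constructed for the example; the IP and MAC addresses mirror the ARP exchange in the text.

```python
"""Parse `nmap -sn` host-discovery output into an asset inventory and diff it
against a list of known assets.  Added example; not the page's or Nmap's code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `nmap -sn 192.168.0.0/24` output, run from a host on
# the same LAN so that Nmap discovers hosts via ARP and prints MAC addresses.
# Addresses match the ARP exchange described in the text; 192.168.0.9 and the
# vendor strings are invented for the sample.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for 192.168.0.1
Host is up (0.0010s latency).
MAC Address: AA:BB:CC:12:34:56 (Example Router Vendor)
Nmap scan report for 192.168.0.3
Host is up (0.0020s latency).
MAC Address: BB:CC:DD:12:34:56 (Example NIC Vendor)
Nmap scan report for 192.168.0.4
Host is up (0.0015s latency).
MAC Address: CC:DD:EE:12:34:56 (Example NIC Vendor)
Nmap scan report for 192.168.0.9
Host is up (0.0031s latency).
MAC Address: DD:EE:FF:12:34:56 (Unknown)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.10 seconds
"""

# Constructed inventory: what the asset register claims is on the LAN.
# 192.168.0.5 is listed but does not answer in the sample scan.
KNOWN_ASSETS: Dict[str, str] = {
    "192.168.0.1": "AA:BB:CC:12:34:56",
    "192.168.0.3": "BB:CC:DD:12:34:56",
    "192.168.0.4": "CC:DD:EE:12:34:56",
    "192.168.0.5": "EE:FF:00:12:34:56",
}

# "Nmap scan report for 192.168.0.1" or "Nmap scan report for host (192.168.0.1)"
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+(?:\.\d+){3})\)?$")
# "MAC Address: AA:BB:CC:12:34:56 (Vendor)"; the vendor part may be absent.
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})(?: \((?P<vendor>.*)\))?$")


@dataclass
class Host:
    ip: str
    hostname: Optional[str] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None
    up: bool = False


def parse_nmap_sn(text: str) -> List[Host]:
    """Return one Host per 'Nmap scan report' block, with MAC and up-state."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = Host(ip=m.group("ip"), hostname=m.group("name"))
            hosts.append(current)
            continue
        if current is None:
            continue  # header lines before the first report
        if line.startswith("Host is up"):
            current.up = True
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m.group("mac")
            current.vendor = m.group("vendor")
    return hosts


def diff_inventory(hosts: List[Host], known: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare live hosts against the asset register.

    unknown:     answered the scan but are not in the register
    missing:     in the register but did not answer
    mac_changed: in the register, answered, but with a different MAC
    """
    seen = {h.ip: h for h in hosts if h.up}
    unknown = sorted(ip for ip in seen if ip not in known)
    missing = sorted(ip for ip in known if ip not in seen)
    mac_changed = sorted(
        ip for ip, h in seen.items()
        if ip in known and h.mac is not None and h.mac != known[ip])
    return {"unknown": unknown, "missing": missing, "mac_changed": mac_changed}


if __name__ == "__main__":
    report = diff_inventory(parse_nmap_sn(SAMPLE_NMAP_OUTPUT), KNOWN_ASSETS)
    for category, ips in report.items():
        print(f"{category}: {', '.join(ips) or '-'}")
```

Running the script on the sample reports 192.168.0.9 as unknown and 192.168.0.5 as missing. In practice you would feed it the saved output of a scheduled `nmap -sn` of your own subnet and treat an unknown host or a changed MAC as an inventory discrepancy to investigate; a `missing` entry is only a hint, since a host can be powered off or be blocking probes as the text describes.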