Using Nmap to perform layer 3 discovery
Nmap is one of the most powerful and versatile scanning tools in Kali Linux. As such, it should come as no surprise that Nmap would also be able to support ICMP discovery scanning. This recipe will demonstrate how to use Nmap to perform layer 3 discovery on remote hosts.
Getting ready
Using Nmap to perform layer 3 discovery does not require a lab environment, as many systems on the Internet will reply to ICMP echo requests. However, it is highly recommended that you perform any type of network scanning exclusively in your own lab unless you are thoroughly familiar with the legal regulations imposed by any governing authorities to whom you are subject. If you wish to perform this technique within your lab, you will need to have at least one system that will respond to ICMP requests. In the examples provided, a combination of Linux and Windows systems is used. For more information on setting up systems in a local lab environment, please refer to the Installing Metasploitable2 and Installing Windows Server recipes in Chapter 1, Getting Started.
How to do it...
Nmap is an adaptive tool that will automatically adjust and use layer 2, layer 3, or layer 4 discovery as needed. If the -sn option is used in Nmap to scan IP addresses that do not exist on the local network segment, ICMP echo requests will be used to determine if the hosts are alive and responding. To perform an ICMP scan of a single target, use Nmap with the -sn option, and pass the IP address to be scanned as an argument:
root@KaliLinux:~# nmap -sn 74.125.228.1
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 23:05 EST
Nmap scan report for iad23s05-in-f1.1e100.net (74.125.228.1)
Host is up (0.00013s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds
The output of this command will indicate if the device is up and will also provide details about the scan performed. Additionally, notice that the system name is also identified. Nmap also performs DNS resolution to provide this information in the scan output. It can also be used to scan a sequential range of IP addresses, using dash notation. Nmap is multithreaded by default and runs multiple processes in parallel. As such, Nmap is very fast in returning scan results. Have a look at the following command:
root@KaliLinux:~# nmap -sn 74.125.228.1-255
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 23:14 EST
Nmap scan report for iad23s05-in-f1.1e100.net (74.125.228.1)
Host is up (0.00012s latency).
Nmap scan report for iad23s05-in-f2.1e100.net (74.125.228.2)
Host is up (0.0064s latency).
Nmap scan report for iad23s05-in-f3.1e100.net (74.125.228.3)
Host is up (0.0070s latency).
Nmap scan report for iad23s05-in-f4.1e100.net (74.125.228.4)
Host is up (0.00015s latency).
Nmap scan report for iad23s05-in-f5.1e100.net (74.125.228.5)
Host is up (0.00013s latency).
Nmap scan report for iad23s05-in-f6.1e100.net (74.125.228.6)
Host is up (0.00012s latency).
Nmap scan report for iad23s05-in-f7.1e100.net (74.125.228.7)
Host is up (0.00012s latency).
Nmap scan report for iad23s05-in-f8.1e100.net (74.125.228.8)
Host is up (0.00012s latency).
*** {TRUNCATED} ***
In the example provided, Nmap is used to scan an entire /24 network range. For convenience of viewing, the output of this command was truncated. By analyzing the traffic passing across the interface with Wireshark, you may notice that the addresses are not sequentially scanned. This can be seen in the following screenshot. This is further evidence of the multithreaded nature of Nmap and illustrates how processes are initiated from addresses in queue as other processes complete:
Alternatively, Nmap can also be used to scan IP addresses from an input text file. This can be done using the -iL option, followed by the name of the file or file path:
root@KaliLinux:~# cat iplist.txt
74.125.228.13
74.125.228.28
74.125.228.47
74.125.228.144
74.125.228.162
74.125.228.211
root@KaliLinux:~# nmap -iL iplist.txt -sn
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 23:14 EST
Nmap scan report for iad23s05-in-f13.1e100.net (74.125.228.13)
Host is up (0.00010s latency).
Nmap scan report for iad23s05-in-f28.1e100.net (74.125.228.28)
Host is up (0.0069s latency).
Nmap scan report for iad23s06-in-f15.1e100.net (74.125.228.47)
Host is up (0.0068s latency).
Nmap scan report for iad23s17-in-f16.1e100.net (74.125.228.144)
Host is up (0.00010s latency).
Nmap scan report for iad23s18-in-f2.1e100.net (74.125.228.162)
Host is up (0.0077s latency).
Nmap scan report for 74.125.228.211
Host is up (0.00022s latency).
Nmap done: 6 IP addresses (6 hosts up) scanned in 0.04 seconds
In the example provided, a list of six IP addresses exists in the execution directory. This list is then input into Nmap, and each of the listed addresses is scanned in an attempt to identify live hosts.
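To feed these results into an asset inventory, the scan report can be parsed into records. The following is an added example, not part of the original recipe: it parses the -sn output format shown above, including the entry for which no reverse DNS name was returned (74.125.228.211) and output that was truncated before the "Nmap done" footer. The function name parse_ping_scan is an assumption of this example.

```python
import re

# Output of the -iL run shown in this recipe, copied verbatim.
SAMPLE = """\
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-16 23:14 EST
Nmap scan report for iad23s05-in-f13.1e100.net (74.125.228.13)
Host is up (0.00010s latency).
Nmap scan report for iad23s05-in-f28.1e100.net (74.125.228.28)
Host is up (0.0069s latency).
Nmap scan report for iad23s06-in-f15.1e100.net (74.125.228.47)
Host is up (0.0068s latency).
Nmap scan report for iad23s17-in-f16.1e100.net (74.125.228.144)
Host is up (0.00010s latency).
Nmap scan report for iad23s18-in-f2.1e100.net (74.125.228.162)
Host is up (0.0077s latency).
Nmap scan report for 74.125.228.211
Host is up (0.00022s latency).
Nmap done: 6 IP addresses (6 hosts up) scanned in 0.04 seconds
"""

# "name (ip)" when reverse DNS resolved, bare "ip" when it did not.
REPORT = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<bare>[\d.]+))$")
UP = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
DONE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")


def parse_ping_scan(text):
    """Return (hosts, summary); summary is (scanned, up), or None if truncated."""
    hosts, current, summary = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := REPORT.match(line):
            current = {"ip": m["ip"] or m["bare"], "name": m["name"]}
        elif current and (m := UP.match(line)):
            current["latency_s"] = float(m["lat"]) if m["lat"] else None
            hosts.append(current)
            current = None
        elif m := DONE.match(line):
            summary = (int(m[1]), int(m[2]))
    # Cross-check the parse against Nmap's own count when the footer is present.
    if summary and summary[1] != len(hosts):
        raise ValueError(f"parsed {len(hosts)} hosts, footer says {summary[1]} up")
    return hosts, summary


if __name__ == "__main__":
    for h in parse_ping_scan(SAMPLE)[0]:
        print(h["ip"], h["name"] or "-", h["latency_s"])
```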
How it works…
Nmap performs layer 3 scanning by sending out ICMP echo requests for each IP address within the supplied range or text file. As Nmap is a multithreaded tool, multiple requests are sent out in parallel, and results are quickly returned to the user. As Nmap's discovery function is adaptive, it will only use ICMP discovery if ARP discovery cannot effectively locate the host on the local subnet. Alternatively, if neither ARP discovery nor ICMP discovery is effective in identifying a live host at a given IP address, layer 4 discovery techniques will be employed.
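From the monitoring side, this behaviour appears as one source sending ICMP echo requests to many distinct addresses in a short time, in no particular order. The following added example (not part of the original recipe) flags such sources by counting distinct destinations per source in a sliding window, so it does not depend on addresses being probed sequentially. The input lines are constructed in the style of tcpdump -tt -n icmp output, and the window and threshold values are assumptions to tune for your network.

```python
import re
from collections import defaultdict, deque

ECHO = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request,")


def build_sample():
    """Constructed capture (documentation address ranges, not real traffic)."""
    # 192.0.2.10 probes 40 hosts out of order; 37 is coprime with 40, so
    # (i * 37) % 40 visits every value 0..39 exactly once.
    order = [(i * 37) % 40 + 1 for i in range(40)]
    lines = [f"{1000 + i * 0.01:.6f} IP 192.0.2.10 > 198.51.100.{h}: "
             "ICMP echo request, id 1, seq 0, length 8"
             for i, h in enumerate(order)]
    # 192.0.2.20 pings a single host once per second (ordinary monitoring).
    lines += [f"{1000 + i:.6f} IP 192.0.2.20 > 198.51.100.5: "
              f"ICMP echo request, id 2, seq {i}, length 64"
              for i in range(30)]
    return sorted(lines, key=lambda l: float(l.split()[0]))


def find_sweeps(lines, window_s=5.0, min_targets=20):
    """Return {source: peak distinct destinations seen inside one window}."""
    recent = defaultdict(deque)  # source -> (timestamp, destination) in window
    flagged = {}
    for line in lines:
        m = ECHO.match(line)
        if not m:
            continue  # echo replies and non-ICMP lines are ignored
        ts, src, dst = float(m["ts"]), m["src"], m["dst"]
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window_s:  # expire probes older than the window
            q.popleft()
        targets = len({d for _, d in q})
        if targets >= min_targets:
            flagged[src] = max(flagged.get(src, 0), targets)
    return flagged


if __name__ == "__main__":
    for src, n in find_sweeps(build_sample()).items():
        print(f"possible ICMP sweep from {src}: {n} hosts within 5s")
```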