Skip to main content

Nmap: Host Discovery

This article describes how to enhance the default Nmap host discovery phase to include SYN and ACK probes to ports other than the default 80/tcp and 443/tcp. These techniques can help security assessment professionals maximize the number of live systems identified during network penetration tests.

Nmap: Host Discovery Turbo Charged

Nmap is widely heralded as the undisputed champion of port scanners. And rightfully so! Nmap certainly deserves the crown for incredible speed, power, and flexibility. However, before flexing those mighty port-scanning muscles, Nmap first performs the essential host discovery phase. Systems that do not respond to host discovery probes are never port scanned, so nailing the host discovery phase is crucial to ensure that systems with limited network footprints are not overlooked.

According to the Nmap Reference Guide (RTFM), the default host discovery probes are “an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request.” ICMP timestamp requests are frequently blocked, and progressively more organizations are now blocking the ubiquitous ICMP echo request as well. That leaves the ACK to port 80/tcp and the SYN to port 443/tcp, which is fantastic if the target system is running a web server. However, if the target is not running a web server, you could find yourself in a state of SOL, which of course stands for Systems Obscurely Live. As you can see, the default host discovery probes are not exactly comprehensive. If Goldilocks was conducting this assessment, she would say “This port scan is too cold!

On the opposite end of the spectrum, you could simply disable the host discovery phase altogether (-Pn) and scan all 65,535 TCP ports (-p 1-65535) to ensure that absolutely nothing is missed. Sometimes that is a great idea! For example, that is a fantastic approach during an external network penetration test against a limited number of systems when network IPS devices are not configured in blocking mode. However, depending on the number of target systems and the configuration of relevant network access control devices, scanning all 65,535 TCP ports can be sloooooooow as molasses. If Goldilocks was here, she would say “This port scan is too hot!”

NMap Examples

If only there was some way to tweak those troublesome host discovery probes? Fortunately, as they would say in the valley, Nmap is like totally flexible to the max! Nmap allows you to configure specific ports that will be probed with SYN (-PS) and ACK (-PA) packets during the host discovery phase. In addition, Nmap includes a handy nmap-services file that includes network services data compiled from 1996 to 2020.

The third field within the nmap-services file is the open frequency, which is a number between 0 and 1 to six decimal places that specify, based on historical network services data, the odds that the port is open. For example, port 443/tcp is listed as 0.208669, meaning that this port is open 20.8669% of the time.

Consequently, we can sort the nmap-services file by the third column in order to generate a list of the most common TCP ports. Conjuring a little mystical sed awkery, the following command will generate a list of the Top 100 TCP ports:

$ grep '/tcp' /usr/share/nmap/nmap-services | awk '{print $3" "$2}' | sort -nr | head -100 | awk '{print $2}' | awk -F/ '{print $1}' | sed 's/$/,/' | xargs | sed 's/, /,/g' | sed 's/,$//'

Let’s make like MC Hammer and break it down!

grep '/tcp' /usr/share/nmap/nmap-services

Extract all TCP ports from the nmap-services file, for example:

"https   443/tcp 0.208669        # secure http (SSL)"
awk '{print $3" "$2}'

Print only the open frequency and TCP port, for example

"0.208669 443/tcp"
sort -nr

Perform a reverse numeric sort so that the highest open frequencies appear first…

head -100

Print only the first 100 lines (this parameter can be adjusted to include an arbitrary number of TCP ports)

awk '{print $2}'

Print only the TCP port (for example “443/tcp”)

awk -F/ '{print $1}'

Print only the port number (for example “443”)

sed 's/$/,/'

Append a comma to the end of each port number (for example “443,”)

xargs

Discard newlines and print all ports numbers on a single line

sed 's/, /,/g'

Discard the extraneous space after each comma

sed 's/,$//'

Discard the trailing comma…

Running this command produces the following output:

$ grep '/tcp' /usr/share/nmap/nmap-services | awk '{print $3" "$2}' | sort -nr | head -100 | awk '{print $2}' | awk -F/ '{print $1}' | sed 's/$/,/' | xargs | sed 's/, /,/g' | sed 's/,$//'
80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900,1025,587,8888,199,1720,465,548,113,81,6001,10000,514,5060,179,1026,2000,8443,8000,32768,554,26,1433,49152,2001,515,8008,49154,1027,5666,646,5000,5631,631,49153,8081,2049,88,79,5800,106,2121,1110,49155,6000,513,990,5357,427,49156,543,544,5101,144,7,389,8009,3128,444,9999,5009,7070,5190,3000,5432,3986,1900,13,1029,9,6646,5051,49157,1028,873,1755,2717,4899,9100,119,37

Armed with this port list, we can now build a Nmap host discovery command that performs host discovery (-sn), sending both SYN (-PS) and ACK (-PA) packets to the Top 100 TCP ports. Let’s include the default ICMP echo request (-PE) and timestamp request (-PP) host discovery options, resulting in the following enhanced host discovery command:

$ nmap -sn -PE -PP -PS80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900,1025,587,8888,199,1720,465,548,113,81,6001,10000,514,5060,179,1026,2000,8443,8000,32768,554,26,1433,49152,2001,515,8008,49154,1027,5666,646,5000,5631,631,49153,8081,2049,88,79,5800,106,2121,1110,49155,6000,513,990,5357,427,49156,543,544,5101,144,7,389,8009,3128,444,9999,5009,7070,5190,3000,5432,3986,1900,13,1029,9,6646,5051,49157,1028,873,1755,2717,4899,9100,119,37 -PA80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900,1025,587,8888,199,1720,465,548,113,81,6001,10000,514,5060,179,1026,2000,8443,8000,32768,554,26,1433,49152,2001,515,8008,49154,1027,5666,646,5000,5631,631,49153,8081,2049,88,79,5800,106,2121,1110,49155,6000,513,990,5357,427,49156,543,544,5101,144,7,389,8009,3128,444,9999,5009,7070,5190,3000,5432,3986,1900,13,1029,9,6646,5051,49157,1028,873,1755,2717,4899,9100,119,37 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up.
# Nmap done at Tue Dec 21 09:02:00 2021 -- 1 IP address (1 host up) scanned in 0.00 seconds

Note that there is no space between the SYN (-PS) and ACK (-PA) packet options and the first port number in the list. In addition, you could insert your favorite Nmap options, for example, to tweak timing parameters (-T4) and/or output formats (-oG).

Using NMap

Voila! The Nmap host discovery phase on steroids. If Goldilocks was conducting this assessment, she would most definitely say “This port scan is just right! I’m soooooooo 31337! Time to pwn some freaking bears!”

MORE FROM WHITE OAK SECURITY 

White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion. 

Read more from White Oak Security’s pentesting team.