Nmap 6:Network exploration and security auditing Cookbook

Discovering hosts with IP protocol ping scans

Ping sweeps are very important for host discovery. System administrators and penetration testers use them to determine which hosts are online and responding. Nmap implements several ping scanning techniques, including one called an IP protocol ping scan. This technique tries sending different packets using different IP protocols, hoping to get a response indicating that a host is online.

This recipe describes how to perform IP protocol ping scans.

How to do it...

Open your terminal and enter the following command:

# nmap -sP -PO scanme.nmap.org

If the host responded to any of the requests, you should see something like this:

# nmap -sP -PO scanme.nmap.org 
Nmap scan report for scanme.nmap.org (74.207.244.221) 
Host is up (0.091s latency). 
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds 

How it works...

The arguments -sP -PO scanme.nmap.org tell Nmap to perform an IP protocol ping scan of the host scanme.nmap.org.

By default, this ping scan will use the protocols IGMP, IP-in-IP, and ICMP to try to obtain a response that will indicate that the host is online. Using --packet-trace will show in more detail what happened on the wire:

# nmap -sP -PO --packet-trace scanme.nmap.org 


SENT (0.0775s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=52 id=8846 iplen=28 
SENT (0.0776s) IGMP (2) 192.168.1.102 > 74.207.244.221: ttl=38 id=55049 iplen=28 
SENT (0.0776s) IP (4) 192.168.1.102 > 74.207.244.221: ttl=38 id=49338 iplen=20 
RCVD (0.1679s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=63986 iplen=28 
NSOCK (0.2290s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8 
NSOCK (0.2290s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 18 
NSOCK (0.2290s) Write request for 45 bytes to IOD #1 EID 27 [192.168.1.254:53]: .............221.244.207.74.in-addr.arpa..... 
NSOCK (0.2290s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.254:53] 
NSOCK (0.2290s) Callback: WRITE SUCCESS for EID 27 [192.168.1.254:53] 
NSOCK (4.2300s) Write request for 45 bytes to IOD #1 EID 35 [192.168.1.254:53]: .............221.244.207.74.in-addr.arpa..... 
NSOCK (4.2300s) Callback: WRITE SUCCESS for EID 35 [192.168.1.254:53] 
NSOCK (8.2310s) Write request for 45 bytes to IOD #1 EID 43 [192.168.1.254:53]: .............221.244.207.74.in-addr.arpa..... 
NSOCK (8.2310s) Callback: WRITE SUCCESS for EID 43 [192.168.1.254:53] 
Nmap scan report for scanme.nmap.org (74.207.244.221) 
Host is up (0.090s latency). 
Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds 

The three lines marked as SENT show the ICMP, IGMP, and IP-in-IP packets:

SENT (0.0775s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=52 id=8846 iplen=28 
SENT (0.0776s) IGMP (2) 192.168.1.102 > 74.207.244.221: ttl=38 id=55049 iplen=28 
SENT (0.0776s) IP (4) 192.168.1.102 > 74.207.244.221: ttl=38 id=49338 iplen=20 

Out of those three, only ICMP responded:

RCVD (0.1679s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=63986 iplen=28 

However, this was enough to reveal that this host is online.

There's more...

You can also set the IP protocols to be used by listing them after the option -PO. For example, to use the protocols ICMP (Protocol number 1), IGMP (Protocol number 2), and UDP (Protocol number 17) the following command can be used:

# nmap -sP -PO1,2,17 scanme.nmap.org

All of the packets sent using this technique will be empty. Remember that you can generate random data to be used with these packets, with the option --data-length:

# nmap -sP -PO --data-length 100 scanme.nmap.org

Supported IP protocols and their payloads

The protocols for which Nmap fills in the full protocol header, when used, are:

  • TCP: Protocol number 6
  • UDP: Protocol number 17
  • ICMP: Protocol number 1
  • IGMP: Protocol number 2

For any of the other IP protocols, a packet with only the IP header will be sent.
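The following is an added example, not code from the book: a small Python parser for the --packet-trace output shown in the How it works section. It works out which probes were sent to the target and which of them drew a reply (Nmap marks the host up on the first reply), and maps a -PO protocol list to the header Nmap builds for each number according to the list above. The trace lines are copied from the recipe as a constructed sample; the line format is assumed to be the one shown there.

```python
import re

# Constructed sample input: the SENT/RCVD/NSOCK lines shown in the recipe above.
TRACE = """\
SENT (0.0775s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=52 id=8846 iplen=28
SENT (0.0776s) IGMP (2) 192.168.1.102 > 74.207.244.221: ttl=38 id=55049 iplen=28
SENT (0.0776s) IP (4) 192.168.1.102 > 74.207.244.221: ttl=38 id=49338 iplen=20
RCVD (0.1679s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=63986 iplen=28
NSOCK (0.2290s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8
"""

# Protocol numbers for which Nmap builds a full protocol header (from the recipe);
# any other number listed after -PO is sent with only the IP header.
FULL_HEADER = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# SENT/RCVD line: direction, timestamp, protocol name, optional "(number)",
# source > destination, optional ':' and the trailing fields (assumed format).
LINE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) (?P<proto>[A-Z]+)(?: \((?P<num>\d+)\))? "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+):?(?P<rest>.*)$"
)

def parse_trace(text):
    """Return (sent, rcvd) lists of dicts; NSOCK (reverse DNS) lines are skipped."""
    sent, rcvd = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"t": float(m["t"]), "proto": m["proto"],
               "num": int(m["num"]) if m["num"] else None,
               "src": m["src"], "dst": m["dst"], "info": m["rest"].strip()}
        (sent if m["dir"] == "SENT" else rcvd).append(rec)
    return sent, rcvd

def responding_protocols(text, target):
    """Names of the protocols probed on target that drew a reply from it."""
    sent, rcvd = parse_trace(text)
    probed = {p["proto"] for p in sent if p["dst"] == target}
    answered = {r["proto"] for r in rcvd if r["src"] == target}
    return sorted(probed & answered)

def host_is_up(text, target):
    """Nmap's rule: a reply to any one of the probes is enough to mark the host up."""
    return bool(responding_protocols(text, target))

def probe_plan(protocols):
    """Map -PO protocol numbers to the header Nmap will build for each probe."""
    return {n: FULL_HEADER[n] + " header" if n in FULL_HEADER else "IP header only"
            for n in protocols}

if __name__ == "__main__":
    print(responding_protocols(TRACE, "74.207.244.221"), probe_plan([1, 2, 4]))
```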

See also

  • The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
  • The Discovering hosts with TCP SYN ping scans recipe
  • The Discovering hosts with TCP ACK ping scans recipe
  • The Discovering hosts with UDP ping scans recipe
  • The Discovering hosts with ICMP ping scans recipe
  • The Discovering hosts with ARP ping scans recipe
  • The Discovering hosts using broadcast pings recipe
  • The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information