Nmap is an awesome port scanner, originally developed in 1997 as a Linux-only port scanner. As time went on, it gained many more valuable features: “including OS detection, version detection, the Nmap Scripting Engine, a Windows port, a graphical user interface, Ncat, Nping, Ndiff, and more” [1]. Today we will evaluate the ping sweep functionality of nmap to identify live hosts on a particular network segment.
Possessing the ability to identify live hosts on a particular network segment is of great use to any red or blue team. For the red team, it identifies hosts that may provide vertical or horizontal movement. For the blue team, it allows them to identify legitimate and illegitimate hosts that may be traversing the network or require further investigation.
How is it done?
Before we begin with the ping sweep there are a few things that we need to know first: which network segment we want to scan and the subnet mask of that segment. We can obtain this information in a number of ways. First, we may already have access to, and knowledge of, the network we are about to ping sweep; this is called white-box testing. This type of information may be given to a red team conducting a penetration test to speed the process up and save money. The other type of testing is black-box testing, in which no information is known about the target network.
In our case, we are going to use the network command ifconfig to identify the directly connected network segment we are on, and then identify the hosts connected to that segment.
First, we issue the command “ifconfig wlo1”:
In the above screenshot, we can see that the command “ifconfig wlo1” was issued at the shell prompt. This gave us all the networking information for our wireless interface, wlo1, which is the physical wireless interface directly connected to the wireless network we want to ping sweep. The information we need is the inet address and the netmask. The netmask is 255.255.255.0, which has 24 bits set and converts to a CIDR prefix of /24. Given the inet address of 192.168.50.122 and a 24-bit netmask, we can work out that the network address of the subnet is 192.168.50.0. We can now run the ping sweep.
Next, we issue the command “nmap -sP 192.168.50.0/24”:
The “nmap -sP 192.168.50.0/24” command in the above screenshot is what gives us information about the live hosts on our scanned subnet. It works by sending ICMP echo requests to every possible host in the selected subnet, 192.168.50.1-254 in our scenario. If a host is up and permitted to respond, it sends an ICMP echo reply, and this reply is what lets us know that the host is up.
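As an added example (not code from the original post or from the Nmap project), the following Python script does the two steps above: it derives the /24 target from the inet address and netmask that ifconfig prints, and it parses the host discovery output to list the hosts that answered, with a blue-team check against a known inventory. The ifconfig and nmap output it reads are constructed samples, and -sn is assumed as the current spelling of the older -sP option.

```python
import ipaddress
import re

# Constructed sample of the "inet ... netmask ..." line of "ifconfig wlo1" (not the author's screenshot).
IFCONFIG_SAMPLE = "        inet 192.168.50.122  netmask 255.255.255.0  broadcast 192.168.50.255\n"

# Constructed sample of "nmap -sn" output for the sweep (addresses and timings invented).
NMAP_SAMPLE = """\
Nmap scan report for 192.168.50.1
Host is up (0.0021s latency).
Nmap scan report for printer.lan (192.168.50.40)
Host is up (0.011s latency).
Nmap scan report for 192.168.50.122
Host is up (0.00010s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.31 seconds
"""

def parse_ifconfig(text):
    """Return (inet, netmask) from the IPv4 line of ifconfig output."""
    m = re.search(r"inet (\d+\.\d+\.\d+\.\d+)\s+netmask (\d+\.\d+\.\d+\.\d+)", text)
    if not m:
        raise ValueError("no IPv4 inet/netmask line found")
    return m.group(1), m.group(2)

def netmask_to_prefix(netmask):
    """Count the set bits of a dotted netmask (255.255.255.0 -> 24), rejecting non-contiguous masks."""
    bits = int(ipaddress.IPv4Address(netmask))
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:  # must be 1s followed only by 0s
        raise ValueError(f"non-contiguous netmask {netmask}")
    return ones

def network_cidr(inet, netmask):
    """Clear the host bits of the address to get the sweep target, e.g. 192.168.50.0/24."""
    net = ipaddress.IPv4Network((inet, netmask_to_prefix(netmask)), strict=False)
    return str(net)

def live_hosts(nmap_output):
    """Collect the addresses whose 'Nmap scan report' line is followed by 'Host is up'."""
    hosts, lines = [], nmap_output.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"Nmap scan report for (?:.*\()?(\d+\.\d+\.\d+\.\d+)\)?$", line)
        if m and i + 1 < len(lines) and lines[i + 1].startswith("Host is up"):
            hosts.append(m.group(1))
    return hosts

def unexpected_hosts(nmap_output, inventory):
    """Blue-team check: live hosts missing from the known inventory warrant further investigation."""
    return sorted(set(live_hosts(nmap_output)) - set(inventory))
```

Running the real sweep would be `["nmap", "-sn", network_cidr(*parse_ifconfig(IFCONFIG_SAMPLE))]`, with the output fed to `unexpected_hosts` together with the list of hosts expected on the segment.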
To Sum it Up
Using nmap to perform a ping sweep is a useful way to discover the live hosts on a given network segment. When going in blind, this can help us move horizontally or vertically. On a blue team, this would help us identify hosts that possibly should not be on the given network segment or need further investigation.
References
[1] “The History and Future of Nmap | Nmap Network Scanning.” nmap, 2022. https://nmap.org/book/history-future.html.