Andrew is an Ethical Hacker who was assigned the task of discovering all the active devices hidden by a restrictive firewall in the IPv4 range in a given target network. Which of the following host discovery techniques must he use to perform the given task?


Option 1: ARP ping scan
Option 2: TCP Maimon scan
Option 3: ACK flag probe scan
Option 4: UDP scan

1. ARP ping scan

One of the most common Nmap usage scenarios is to scan an Ethernet LAN. On most LANs, especially those using the private address ranges granted by RFC 1918, the overwhelming majority of IP addresses are unused at any given time. When Nmap tries to send a raw IP packet such as an ICMP echo request, the OS must determine the destination hardware (ARP) address for the target IP so that it can address the Ethernet frame properly. This requires it to issue a series of ARP requests. This is shown in Example a, where a ping scan is attempted against a local Ethernet host. The --send-ip option tells Nmap to send IP-level packets (rather than raw Ethernet) even though it is a local network. Wireshark output of the three ARP requests and their timing has been pasted into the session.

Example a: Raw IP ping scan of an offline target

This example took more than two seconds to finish because the (Linux) OS sent three ARP requests, one second apart, before giving up on the host. Given that ARP replies usually arrive within a few milliseconds, multi-second waits are excessive. Decreasing this timeout period is no priority for OS vendors because the overwhelming majority of packets are sent to hosts that really exist. Nmap, on the other hand, must send packets to 16 million IPs when given a large target range, and a two-second wait for each becomes an enormous delay even though many targets are pinged in parallel.

There is another problem with raw IP ping scans on LANs. When a destination host is found to be unresponsive, as in the previous example, the source host generally adds an incomplete entry for that destination IP to its kernel ARP table. ARP table space is finite, and some operating systems react badly when it fills up. When Nmap is used in raw IP mode (--send-ip), it sometimes has to wait several minutes for ARP cache entries to expire before it can continue with host discovery.

ARP scanning resolves both problems by putting Nmap in control. Nmap issues the raw ARP requests itself and handles retransmission and timeout periods at its own discretion. The system ARP cache is bypassed. Example b shows the difference. This ARP scan takes just over a tenth of the time taken by its IP equivalent.

Example b: ARP ping scan of an offline target

In Example b, neither the -PR nor the --send-eth option has any effect. This is because ARP is the default scan type when scanning Ethernet hosts that Nmap detects are on a local Ethernet network. This includes traditional wired Ethernet as well as 802.11 wireless networks. Not only is ARP scanning more efficient, as discussed above, it is also more accurate. Hosts frequently block IP-based ping packets, but they typically cannot block ARP requests or responses and still communicate on the network. Even if different ping types (such as -PE or -PS) are specified, Nmap uses ARP instead for any of the targets that are on the same LAN. If you absolutely do not want to do an ARP scan, specify --send-ip as shown in Example a, "Raw IP ping scan of an offline target".

Giving Nmap control to send raw Ethernet frames also allows Nmap to control the source MAC address. If you have the only PowerBook in the room at a security conference and a huge ARP scan is initiated from a MAC address registered to Apple, heads may turn in your direction. You can spoof your MAC address with the --spoof-mac option, as discussed in the section called "MAC Address Spoofing".
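The following is an added example, not code from this page or from the Nmap project. It builds the 42-byte who-has frame that an ARP ping scan sends for each target (the raw ARP request the section says Nmap issues itself), parses such frames back into their fields, and, from the defender's side, flags a sender that asks for many distinct target IPs, the kind of sweep that turns heads at the conference. The function names, the threshold, and the sample MACs (locally administered 02:... addresses) and IPs are constructed for the example.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_request(sender_mac, sender_ip, target_ip):
    """42-byte Ethernet frame carrying a who-has request: 14 bytes Ethernet
    header (broadcast destination) followed by a 28-byte ARP body."""
    eth = mac_bytes(BROADCAST) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes("00:00:00:00:00:00") + ip_bytes(target_ip)  # target MAC unknown
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def detect_arp_sweep(frames, threshold=8):
    """Defender-side check: senders whose who-has requests cover at least
    `threshold` distinct target IPs. Returns {sender_mac: distinct targets}."""
    targets = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REQUEST:
            targets[arp["sender_mac"]].add(arp["target_ip"])
    return {mac: len(ips) for mac, ips in targets.items() if len(ips) >= threshold}


SCANNER_MAC = "02:00:00:00:00:01"  # constructed, locally administered address
NORMAL_MAC = "02:00:00:00:00:02"


def sample_frames():
    """Constructed capture: one station sweeping 192.168.1.1-20, one station
    resolving its gateway once, and one non-ARP frame that must be ignored."""
    frames = [build_arp_request(SCANNER_MAC, "192.168.1.50", f"192.168.1.{i}") for i in range(1, 21)]
    frames.append(build_arp_request(NORMAL_MAC, "192.168.1.60", "192.168.1.1"))
    frames.append(b"\x00" * 60)
    return frames


if __name__ == "__main__":
    print(detect_arp_sweep(sample_frames()))
```

Real traffic would come from a pcap rather than `sample_frames()`; the parser only needs the raw frame bytes, and an IDS would add a time window to the threshold so that a host legitimately resolving a handful of neighbours over a day is not flagged.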

2. TCP Maimon scan

The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, including this technique, was released two issues later. This technique is exactly the same as the NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open. Nmap takes advantage of this to determine open ports, as shown in the table below.

How Nmap interprets responses to a Maimon scan probe


The Nmap flag for a Maimon scan is -sM. While this feature was quite useful in 1996, modern systems rarely exhibit this bug. They send a RST back for all ports, making every port appear closed. This result is shown in the example below.

A failed Maimon scan


3. ACK flag probe scan

The ACK scanning method is used to determine whether the host is protected by some kind of filtering system.

In this scanning method, the attacker sends an ACK probe packet with a random sequence number. No response means the port is filtered (a stateful inspection firewall is present in this case); if a RST response comes back, this means the port is closed.

Now, let's go through this code:


In the preceding code, the flag has been set to ACK, and the destination port is 137.

Now, check the output:
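The simulation below is an added example; it is not the code the ACK section refers to and not Nmap's code. It models, for both the Maimon section and the ACK section, why the probes behave as described: a toy TCP endpoint that follows RFC 793 (a RST for any unsolicited segment, open port or not), a `bsd_maimon_bug` switch that reproduces the BSD-derived quirk of dropping FIN/ACK to an open port, and a stateful inspection firewall that forwards only segments belonging to a connection it saw the SYN for, so an ACK probe through it gets no answer while a real handshake passes. The class and function names, the hosts and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def seg(src, dst, sport, dport, *flags):
    return Segment(src, dst, sport, dport, frozenset(flags))


class Host:
    """Toy TCP endpoint. Unsolicited segments follow RFC 793: a RST comes back
    whether the port is open or closed. bsd_maimon_bug=True reproduces the
    BSD-derived quirk the section describes: FIN/ACK to an OPEN port is dropped."""

    def __init__(self, ip, open_ports, bsd_maimon_bug=False):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.bsd_maimon_bug = bsd_maimon_bug
        self.half_open = set()  # (peer ip, peer port, local port) awaiting the final ACK

    def receive(self, s):
        key = (s.src, s.sport, s.dport)
        is_open = s.dport in self.open_ports
        rst = seg(self.ip, s.src, s.dport, s.sport, "RST")
        if s.flags == {"SYN"}:
            if not is_open:
                return rst
            self.half_open.add(key)
            return seg(self.ip, s.src, s.dport, s.sport, "SYN", "ACK")
        if s.flags == {"ACK"} and key in self.half_open:
            self.half_open.remove(key)  # handshake complete; the final ACK needs no reply
            return None
        if self.bsd_maimon_bug and is_open and s.flags == {"FIN", "ACK"}:
            return None  # silently dropped: the behaviour -sM relies on
        return rst


class StatefulFirewall:
    """Stateful inspection in front of a host: a segment is forwarded only if it
    opens a connection (SYN) or belongs to one already seen. Anything else is
    dropped without a reply, which is why ACK probes get no answer through it."""

    def __init__(self, host):
        self.host = host
        self.table = set()
        self.forwarded = 0

    def receive(self, s):
        key = (s.src, s.sport, s.dst, s.dport)
        if s.flags == {"SYN"}:
            self.table.add(key)
        elif key not in self.table:
            return None
        self.forwarded += 1
        return self.host.receive(s)


def interpret_maimon(response):
    """How Nmap -sM reads the answer to a FIN/ACK probe."""
    return "open|filtered" if response is None else "closed"


def interpret_ack(response):
    """How the section reads the answer to an ACK probe. Nmap itself reports the
    RST case as 'unfiltered' rather than 'closed'."""
    return "filtered" if response is None else "closed"


def run_scenarios():
    """Constructed hosts: an old BSD-style box, a modern one, and one behind a stateful firewall."""
    scanner = "198.51.100.9"
    old_bsd = Host("192.0.2.10", {80}, bsd_maimon_bug=True)
    modern = Host("192.0.2.11", {80})
    firewalled = StatefulFirewall(Host("192.0.2.12", {137}))
    finack, ack = ("FIN", "ACK"), ("ACK",)
    return {
        "maimon_bsd_open_80": interpret_maimon(old_bsd.receive(seg(scanner, old_bsd.ip, 40000, 80, *finack))),
        "maimon_bsd_closed_81": interpret_maimon(old_bsd.receive(seg(scanner, old_bsd.ip, 40001, 81, *finack))),
        "maimon_modern_open_80": interpret_maimon(modern.receive(seg(scanner, modern.ip, 40002, 80, *finack))),
        "ack_unfiltered_137": interpret_ack(modern.receive(seg(scanner, modern.ip, 40003, 137, *ack))),
        "ack_stateful_137": interpret_ack(firewalled.receive(seg(scanner, "192.0.2.12", 40004, 137, *ack))),
    }


def legitimate_handshake_passes():
    """The same firewall forwards a SYN and then the client's ACK of that flow."""
    fw = StatefulFirewall(Host("192.0.2.12", {137}))
    client = "192.0.2.50"
    synack = fw.receive(seg(client, "192.0.2.12", 50000, 137, "SYN"))
    fw.receive(seg(client, "192.0.2.12", 50000, 137, "ACK"))
    return synack.flags == {"SYN", "ACK"} and fw.forwarded == 2


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(f"{name}: {state}")
```

The "failed Maimon scan" of the section is the `maimon_modern_open_80` case: with the bug gone, an open port answers FIN/ACK with a RST exactly like a closed one, so -sM cannot tell them apart. The ACK cases show the defensive value of stateful inspection: the probe is neither answered nor logged as a connection, while the real handshake in `legitimate_handshake_passes` goes through.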

4. UDP scan

UDP scans are slower than TCP scans, but there are many exploitable UDP services that attackers can use, DNS exfiltration, for instance. Defenders need to protect their UDP ports with the same rigor as their TCP ports.

UDP scans work best when you send a specific payload to the target. For instance, if you want to know whether a DNS server is up, you would send a DNS request. For other UDP ports, the packet is sent empty. An ICMP unreachable response means the port is closed or filtered. If there is a service running, you might get a UDP response, which means the port is open. No response could mean that the port is open or filtered.

One more logical use of a UDP scan is to send a DNS request to UDP port 53 and see if you get a DNS reply. If you do get a response, you know that there is a DNS server on that computer. A UDP scan can be useful to scout for active services that way, and the Nmap port scanner is preconfigured to send requests for several standard services.
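The following is an added example, not code from this page or from Nmap. It shows the two halves of the service-specific UDP probe the section describes: building a minimal DNS A query (the payload a probe to UDP/53 would carry), parsing a DNS answer, including name compression, to confirm that what came back really is a response to that query, and mapping the four possible outcomes of a UDP probe (UDP data, ICMP port unreachable, other ICMP unreachable, silence) to the port states the section lists. The function names, the query name and the reply bytes (built by `constructed_reply`, with an address from the RFC 5737 documentation range) are constructed for the example.

```python
import struct


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_dns_query(name, tid):
    """A-record query with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a DNS name at `off`, following compression pointers; returns (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_dns_response(msg, expected_id):
    """Header fields and A answers, or None if this is not a response to our query."""
    if len(msg) < 12:
        return None
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if tid != expected_id or not flags & 0x8000:  # id must match and QR bit must be set
        return None
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ip_str(rdata)))
    return {"id": tid, "rcode": flags & 0xF, "answers": answers}


def constructed_reply(query, answer_ip):
    """Constructed sample of what a resolver would send back for build_dns_query()'s packet:
    same id, QR/RD/RA set, the question echoed, one A record whose name points at offset 12."""
    tid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ip_bytes(answer_ip)
    return header + query[12:] + rr


def interpret_udp_probe(response):
    """Map a UDP probe outcome to the port states the section describes.
    response is None, ("udp", payload) or ("icmp", type, code)."""
    if response is None:
        return "open|filtered"  # silence: open service that ignored us, or a filter
    if response[0] == "udp":
        return "open"
    if response[0] == "icmp":
        _, icmp_type, code = response
        if icmp_type == 3 and code == 3:
            return "closed"  # port unreachable
        if icmp_type == 3 and code in (1, 2, 9, 10, 13):
            return "filtered"  # other unreachables point at a filtering device
    return "open|filtered"


def dns_server_present(udp_payload, tid):
    """True when the payload that came back from UDP/53 is a DNS response to our query."""
    return parse_dns_response(udp_payload, tid) is not None


if __name__ == "__main__":
    q = build_dns_query("example.com", 0x1234)
    reply = constructed_reply(q, "192.0.2.1")
    print(parse_dns_response(reply, 0x1234), interpret_udp_probe(("udp", reply)))
```

Checking the transaction id and the QR bit, rather than treating any bytes on port 53 as proof of a DNS server, is what keeps the probe honest: an unrelated service, or a reflected copy of the query, parses as None and the port stays at open|filtered.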


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
