Host discovery scans via OSI layer three (the network layer)
The third layer of the OSI model is the network layer, where the protocols that operate are primarily IP and ICMP. You can use different IP protocols to send different packets to the target host, and you can use different ICMP request types to determine whether the target host is online.
Layer | Function | Protocols
Network layer | Establishes communication between the communicating applications of computers | IP, ICMP
1. IP ping scan
Principle: host discovery works much like the ping command: a packet is sent to the target host, and if a reply comes back the target host is considered alive.
The IP protocol ping scan technique sends packets to the destination host using different IP protocols (ICMP: protocol number 1, IGMP: protocol number 2, TCP: protocol number 6, UDP: protocol number 17). If the source host receives any response, the target host is online.
IP protocol ping scan syntax:
>nmap -PO [target IP/target hostname]
Example 1 scans host 192.168.1.1 (via ARP ping, since the target is on the local segment) to determine whether the host is alive (preferably add -sP).
>nmap -PO 192.168.1.1
C:\windows\system32>nmap -sP -PO 192.168.1.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-06 18:48 China Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
MAC Address: 14:75:90:92:b2:40 (Tp-link Technologies Co.)
Nmap done: 1 IP address (1 host up) scanned in 24.20 seconds
2. ICMP ping scan
Principle: host discovery works much like the ping command: a packet is sent to the target host, and if a reply comes back the target host is considered alive.
ICMP stands for Internet Control Message Protocol. There are several ICMP ping scanning techniques: ICMP echo ping, ICMP timestamp ping and ICMP address mask ping. ICMP echo ping detects whether the target host is online by sending an ICMP echo request packet to it.
ICMP echo ping scan syntax:
>nmap -sP -PE [target IP/target hostname]
Example 1 scans host 192.168.1.1 with ICMP echo ping to determine whether the host is alive (preferably add -sP).
>nmap -sP -PE 192.168.1.1
C:\windows\system32>nmap -sP -PE 192.168.1.102
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-06 23:39 China Standard Time
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 13.71 seconds
From the scan above we can see that when the router is scanned this way, the router drops the ICMP echo packets, so the host is reported as down.
ICMP timestamp ping scan syntax:
>nmap -sP -PP [target IP/target hostname]
Example 2 scans host 192.168.1.1 with ICMP timestamp ping to determine whether the host is alive (preferably add -sP).
>nmap -sP -PP 192.168.1.1
C:\windows\system32>nmap -sP -PE 192.168.1.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-06 23:45 China Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.00s latency).
MAC Address: 14:75:90:92:b2:40 (Tp-link Technologies Co.)
Nmap done: 1 IP address (1 host up) scanned in 24.31 seconds
ICMP mask ping scan syntax:
>nmap -sP -PM [target IP/target hostname]
Example 3 scans host 192.168.1.1 with ICMP address mask ping to determine whether the host is alive (preferably add -sP).
>nmap -sP -PM 192.168.1.1
C:\WINDOWS\SYSTEM32>nmap -sP -PM 192.168.1.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-07 15:23 China Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.0030s latency).
MAC Address: 14:75:90:92:b2:40 (Tp-link Technologies Co.)
Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds
This article is from the "Technology bo" blog; reprinting is not permitted.
Nmap series D: OSI layer-three scanning