You're reading from Linux Networking Cookbook

Product type: Book
Published in: Jun 2016
ISBN-13: 9781785287916
Edition: 1st Edition
Author: Gregory Boyce

Gregory Boyce is a technologist with nearly 20 years' experience using and managing Linux systems. When he's not at work or spending time with his wife and two daughters, he plays around with new technologies. Gregory has spent the last 15 years working at Akamai Technologies, where he has worked in roles ranging from Network Operations, Internal IT, Information Security, Software Testing, and Professional Services. Currently, he heads up the Linux OS team that manages Akamai's custom Linux operating system, which runs on their massively distributed customer-facing network.

Chapter 11. Mapping Your Network

In this chapter, we are going to cover:

  • Detecting systems on your network with NMAP

  • Detecting Systems Using Arp-Scan

  • Scanning TCP ports

  • Scanning UDP ports

  • Identifying services

  • Identifying operating systems

Introduction


Modern home and small business networks are no longer the simple things they once were, with only a handful of devices on them. Between the Internet of Things (IoT), streaming video devices, microcomputers such as the Raspberry Pi, and phones/tablets, you can expect your network to contain dozens of IP addresses in use.

If you want to have a good security posture on your network, having a good understanding of what exists is critical. If you do not understand what exists, then you cannot understand what should not be there. This could mean an unpatched system that you forgot about, or it could mean an intruder on your network.

In this chapter, we will look at some of the steps you can take to better inventory your network, and at the tools you should use to do it.

Detecting systems on your network with NMAP


If you have heard of nmap before, it was likely as a hacker tool. These days it is most commonly used as a port scanner, but it actually started its life as a network-mapping tool for discovering hosts. In fact, nmap stands for Network Mapper. It can utilize ICMP, UDP, and TCP.

Let us look at how to utilize it to discover what systems exist on your network.

How to do it…

First, we need to make sure that we have nmap installed. Luckily, it is a common enough tool to be available in the package repository for your selected distribution, and it will be accessible either by running sudo apt-get install nmap or sudo yum install nmap.

Next, we will do a simple ICMP sweep of the network to see who responds:

# nmap -sP 10.0.0.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-03 15:43 EDT
Nmap scan report for 10.0.0.1
Host is up (0.00053s latency).
MAC Address: 52:54:00:65:7D:0A (QEMU Virtual NIC)
Nmap scan report for 10.0.0.10
Host is up.
Nmap done:...

Detecting Systems Using Arp-Scan


Some systems choose to block ICMP traffic, which can result in them not appearing in a ping scan. Any system on your local network, however, must respond to ARP requests if it is going to communicate with other machines on the network. This gives you an additional option for system enumeration when you are on the local network segment.

How to do it…

First, install a tool that lets you issue arbitrary ARP requests. There are many tools like this, but we are going to use arp-scan, since it allows you to specify entire netblocks rather than just individual IP addresses:

$ sudo apt-get install arp-scan

Now you can actually use the tool to scan your local network segment:

$ sudo arp-scan  192.168.1.0/24
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1    44:d9:e7:9b:a2:9d    (Unknown)
192.168.1.2    40:8d:5c:4b:85:d9    (Unknown)
192.168.1...
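The two discovery recipes above produce lists in different formats, and on their own they only tell you who answered today. The defensive value comes from comparing the answers against a known inventory: a host you never recorded, or a known IP that suddenly answers from a different MAC address, is exactly the "something that should not be there" the introduction warns about. The following script is an added example, not code from the book: it parses both the nmap ping-scan layout (the MAC Address line appears when the target is on the same segment as the scanner) and the arp-scan layout, merges them, and reports differences against a baseline. The sample outputs and the BASELINE table are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the format nmap prints for a ping scan (-sP here; -sn on
# newer versions). The host without a MAC line is the scanning machine itself.
NMAP_PING_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-03 15:43 EDT
Nmap scan report for 10.0.0.1
Host is up (0.00053s latency).
MAC Address: 52:54:00:65:7D:0A (QEMU Virtual NIC)
Nmap scan report for 10.0.0.10
Host is up.
Nmap scan report for 10.0.0.23
Host is up (0.0012s latency).
MAC Address: B8:27:EB:12:34:56 (Raspberry Pi Foundation)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds
"""

# Constructed sample: arp-scan's tab-separated "IP  MAC  vendor" lines.
ARP_SCAN_OUTPUT = """\
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.0.1\t52:54:00:65:7d:0a\tQEMU Virtual NIC
10.0.0.10\t52:54:00:aa:bb:cc\t(Unknown)
10.0.0.77\t00:11:22:33:44:55\t(Unknown)

3 packets received by filter, 0 packets dropped by kernel
"""

# Hypothetical baseline of known devices: IP -> MAC as last inventoried.
BASELINE = {
    "10.0.0.1": "52:54:00:65:7d:0a",   # router
    "10.0.0.10": "52:54:00:aa:bb:cc",  # file server
    "10.0.0.23": "b8:27:eb:00:00:01",  # Raspberry Pi, recorded with an older MAC
}


@dataclass(frozen=True)
class Host:
    ip: str
    mac: Optional[str]     # None when the scanner printed no MAC for this host
    vendor: Optional[str]  # None when the OUI lookup gave "(Unknown)"


def parse_nmap_ping(text: str) -> dict[str, Host]:
    """Parse nmap ping-scan output into {ip: Host}; also handles 'name (ip)' report lines."""
    hosts: dict[str, Host] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?", line)
        if m:
            current = m.group(1)
            hosts[current] = Host(current, None, None)
            continue
        m = re.match(r"MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)", line)
        if m and current:
            vendor = None if m.group(2) == "Unknown" else m.group(2)
            hosts[current] = Host(current, m.group(1).lower(), vendor)
    return hosts


def parse_arp_scan(text: str) -> dict[str, Host]:
    """Parse arp-scan output into {ip: Host}; only the IP/MAC/vendor lines match."""
    hosts: dict[str, Host] = {}
    for line in text.splitlines():
        m = re.match(r"(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f:]{17})\s+(.*)", line)
        if m:
            vendor = None if m.group(3).strip() == "(Unknown)" else m.group(3).strip()
            hosts[m.group(1)] = Host(m.group(1), m.group(2).lower(), vendor)
    return hosts


def merge(*scans: dict[str, Host]) -> dict[str, Host]:
    """Union of several scans; a record that carries a MAC beats one that does not."""
    merged: dict[str, Host] = {}
    for scan in scans:
        for ip, host in scan.items():
            prev = merged.get(ip)
            if prev is None or (prev.mac is None and host.mac is not None):
                merged[ip] = host
    return merged


def audit(observed: dict[str, Host], baseline: dict[str, str]) -> list[tuple[str, str, Optional[str]]]:
    """Compare a merged scan with the baseline; returns (finding, ip, mac) tuples in IP order."""
    def ip_key(ip: str) -> tuple[int, ...]:
        return tuple(int(octet) for octet in ip.split("."))

    findings = []
    for ip in sorted(observed, key=ip_key):
        host = observed[ip]
        expected = baseline.get(ip)
        if expected is None:
            findings.append(("unknown-host", ip, host.mac))      # never inventoried
        elif host.mac is not None and host.mac != expected:
            findings.append(("mac-changed", ip, host.mac))       # same IP, different hardware
    for ip in sorted(baseline, key=ip_key):
        if ip not in observed:
            findings.append(("missing-host", ip, baseline[ip]))  # inventoried but silent
    return findings


if __name__ == "__main__":
    inventory = merge(parse_nmap_ping(NMAP_PING_OUTPUT), parse_arp_scan(ARP_SCAN_OUTPUT))
    for finding in audit(inventory, BASELINE):
        print(*finding)
```

Run it against saved scan output by replacing the two sample strings with the files' contents. A "missing-host" finding is as worth a look as an "unknown-host" one: a device that used to answer and no longer does may simply be powered off, or may have been re-addressed.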

Scanning TCP ports


Now that we have identified which systems exist, we can look at what services exist on those hosts. We will start with TCP services, since their results are much easier to interpret.

There are a number of different types of TCP scans, but we are going to look at the two most common ones, the Connect scan and the SYN scan.

How to do it…

The two most common types of scans used for detecting open TCP ports are TCP Connect Scans, and SYN scans. SYN scans are the stealthier and potentially safer option, but require root privileges to run. Let's look at both and see how they differ.

TCP CONNECT scan

Let's start the TCP connect scan:

$ nmap -sT 10.0.0.10

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-06 15:14 EDT
Nmap scan report for 10.0.0.10
Host is up (0.0016s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address...

Scanning UDP ports


It is very easy to read the results of a TCP scan due to its stateful nature. A SYN packet will always be answered with a FIN if the port is closed, or a SYN/ACK if the port is open. The lack of a response means that either the request or its response was filtered.

UDP is not so easy, due to it being stateless. A UDP packet to a closed port will result in an ICMP Destination Port Unreachable message. A filtered UDP packet will result in no response. The tricky part is that the behavior when something is listening on the port is application specific. Since there is no initial handshake, the application simply receives the data and then either responds or not, depending on the application's requirements. If the application does not respond, it will look just like a filtered port.
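The state names nmap prints follow directly from the reply each probe gets back, and the UDP ambiguity described above is why nmap reports open|filtered rather than guessing. The following model is an added example, not code from the book or from nmap: it encodes the reply-to-state decision for SYN and UDP probes and runs it over a hypothetical target whose ports are described in TARGET. The closed-port TCP reply is modelled as a RST, the reset segment nmap's documentation describes for a closed port, and the model goes slightly beyond the text by including an ICMP administratively-prohibited reply, which nmap classifies as filtered for both protocols.

```python
from enum import Enum


class Reply(Enum):
    """What came back for a single probe packet."""
    SYN_ACK = "tcp syn/ack"                        # TCP: a listener completed step two of the handshake
    RST = "tcp rst"                                # TCP: the stack refused the connection
    UDP_DATA = "udp payload"                       # UDP: the application answered
    ICMP_PORT_UNREACHABLE = "icmp type 3 code 3"   # UDP: nothing is listening
    ICMP_ADMIN_PROHIBITED = "icmp type 3 code 13"  # either: a filter rejected the probe audibly
    NONE = "no response"                           # either: dropped by a filter, or a silent listener


def classify_tcp(reply: Reply) -> str:
    """Port state for a SYN probe's reply; every outcome is unambiguous."""
    if reply is Reply.SYN_ACK:
        return "open"
    if reply is Reply.RST:
        return "closed"
    if reply in (Reply.NONE, Reply.ICMP_ADMIN_PROHIBITED):
        return "filtered"
    raise ValueError(f"{reply.value} is not a reply to a TCP probe")


def classify_udp(reply: Reply) -> str:
    """Port state for a UDP probe's reply; silence cannot be resolved."""
    if reply is Reply.UDP_DATA:
        return "open"
    if reply is Reply.ICMP_PORT_UNREACHABLE:
        return "closed"
    if reply is Reply.ICMP_ADMIN_PROHIBITED:
        return "filtered"
    if reply is Reply.NONE:
        return "open|filtered"
    raise ValueError(f"{reply.value} is not a reply to a UDP probe")


# Hypothetical target: (proto, port) -> ("open", application_answers)
#                                     | ("closed",)
#                                     | ("filtered", filter_sends_icmp)
TARGET = {
    ("tcp", 22): ("open", True),
    ("tcp", 23): ("closed",),
    ("tcp", 25): ("filtered", False),
    ("udp", 53): ("open", True),      # a resolver answers the probe
    ("udp", 161): ("open", False),    # a listener that ignores unexpected input
    ("udp", 69): ("filtered", False), # silently dropped by a firewall
    ("udp", 123): ("closed",),
    ("udp", 500): ("filtered", True), # firewall answers with an ICMP prohibited message
}


def simulate_reply(proto: str, spec: tuple) -> Reply:
    """Reply the hypothetical target generates for one probe."""
    kind = spec[0]
    if kind == "closed":
        return Reply.RST if proto == "tcp" else Reply.ICMP_PORT_UNREACHABLE
    if kind == "filtered":
        return Reply.ICMP_ADMIN_PROHIBITED if spec[1] else Reply.NONE
    if proto == "tcp":
        return Reply.SYN_ACK  # the kernel completes the handshake whatever the application does
    return Reply.UDP_DATA if spec[1] else Reply.NONE


def scan(target: dict) -> dict:
    """Classify every port of the target the way a SYN scan and a UDP scan would."""
    states = {}
    for (proto, port), spec in target.items():
        reply = simulate_reply(proto, spec)
        states[(proto, port)] = classify_tcp(reply) if proto == "tcp" else classify_udp(reply)
    return states


if __name__ == "__main__":
    for (proto, port), state in sorted(scan(TARGET).items()):
        print(f"{port}/{proto}\t{state}")
```

Note that udp/161 (a listener that stays silent) and udp/69 (a port the firewall drops) receive the same verdict; only a protocol-aware probe, which is what the -sV recipe later in this chapter adds, can separate them.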

How to do it…

Similar to SYN scans, UDP scans require root privileges. Simply use -sU to specify UDP as the scan type.

Before we run the scan, let's add UDP filtering on port 22 in order to...

Identifying services


Another useful piece of functionality that nmap provides is the ability to identify services by attempting to grab application banners or issue various types of known requests and determine the service based upon how it responds.

How to do it…

Use -sV to probe for service/version information:

$ nmap 10.0.0.10 -sV

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-08 16:15 EDT
Nmap scan report for 10.0.0.10
Host is up (0.0016s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     (protocol 2.0)
25/tcp  open  smtp    Postfix smtpd
53/tcp  open  domain
80/tcp  open  http    Apache httpd 2.4.7 ((Ubuntu))
111/tcp open  rpcbind 2-4 (RPC #100000)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.40%I=7%D=5/8%Time=572F9E4A%P=x86_64-pc-linux-gnu%r(NULL,
SF:2B,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2...
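Version detection turns a port table into something you can compare with a service baseline: each open port either runs the service you expect on it or it does not, and a port with no VERSION text at all deserves a manual look. The script below is an added example, not code from the book: it parses nmap's port table (with or without the VERSION column, so it reads the -sT output earlier in this chapter as well as the -sV output above), reports open ports the baseline does not account for, and splits an SSH identification string of the kind shown in the fingerprint above into its RFC 4253 fields. The sample table, the EXPECTED baseline, and the banner string are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of nmap -sV output. The VERSION column is
# empty for a port nmap could not identify and absent entirely for a plain -sT.
SV_OUTPUT = """\
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     (protocol 2.0)
25/tcp  open  smtp    Postfix smtpd
53/tcp  open  domain
80/tcp  open  http    Apache httpd 2.4.7 ((Ubuntu))
111/tcp open  rpcbind 2-4 (RPC #100000)
"""

# Hypothetical service baseline for this host: (proto, port) -> service that belongs there.
EXPECTED = {("tcp", 22): "ssh", ("tcp", 80): "http"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")
# SSH identification string, RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments
SSH_ID = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str]  # None when nmap printed nothing in the VERSION column


def parse_port_table(text: str) -> list[PortRecord]:
    """Extract the port lines from nmap normal output; header and fingerprint lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            records.append(PortRecord(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
    return records


def unexpected_open(records: list[PortRecord], expected: dict) -> list[tuple[int, str, str]]:
    """Open ports the baseline does not list, plus listed ports running a different service."""
    findings = []
    for r in records:
        if r.state != "open":
            continue
        want = expected.get((r.proto, r.port))
        if want is None:
            findings.append((r.port, "not in baseline", r.service))
        elif want != r.service:
            findings.append((r.port, f"expected {want}", r.service))
    return findings


def unidentified(records: list[PortRecord]) -> list[int]:
    """Open ports for which version detection produced nothing."""
    return [r.port for r in records if r.state == "open" and r.version is None]


def parse_ssh_banner(banner: str) -> dict:
    """Split an SSH identification string into protocol, software, product, version and comments."""
    m = SSH_ID.match(banner.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string")
    software = m.group(2)
    product, _, version = software.partition("_")  # OpenSSH_6.6.1p1 -> OpenSSH, 6.6.1p1
    return {"protocol": m.group(1), "software": software, "product": product,
            "version": version or None, "comments": m.group(3)}


if __name__ == "__main__":
    table = parse_port_table(SV_OUTPUT)
    for port, reason, service in unexpected_open(table, EXPECTED):
        print(f"{port}/tcp {service}: {reason}")
    print("no version information:", unidentified(table))
    # Constructed banner in the form the fingerprint above shows, with nmap's escaping undone.
    print(parse_ssh_banner("SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n"))
```

The banner parser is deliberately strict: anything that does not start with "SSH-" and a protocol version is rejected rather than guessed at, which is the behaviour you want when feeding scan results into an inventory.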

Identifying operating systems


In addition to identifying services running on servers, nmap can also attempt to identify the operating system running on a particular system. This type of scan typically requires reaching at least one open and one closed port on the target.

How to do it…

Use nmap -O to do OS fingerprinting:

$ sudo nmap -n -O 192.168.1.205 -p 22,80
Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-20 17:57 EDT
Nmap scan report for 192.168.1.205
Host is up (0.013s latency).
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 74:DA:EA:F3:FF:07 (Unknown)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.2
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds

How it works…

Nmap's OS detection code works by issuing various packet types to services...
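Because OS detection needs both an open and a closed port, a result is only as good as the port table printed above it, and nmap says so when it could not meet that condition. The script below is an added example, not code from the book or from nmap: it reads the OS section of a report, counts the open and closed ports that fed the fingerprint, parses the OS CPE identifiers (CPE 2.2 URIs of the form cpe:/part:vendor:product:version:update:edition:language), and checks them against an allowlist of operating systems permitted on the segment. Both report samples and the APPROVED set are constructed; the "Warning: OSScan results may be unreliable" line in the second sample is the text nmap prints when it lacks the open/closed pair.

```python
from __future__ import annotations

import re

# Constructed sample in the layout of nmap -O output for a host with one open
# and one closed port, the case OS detection needs.
OS_OUTPUT = """\
Nmap scan report for 192.168.1.205
Host is up (0.013s latency).
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 74:DA:EA:F3:FF:07 (Unknown)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.2
Network Distance: 1 hop
"""

# Constructed sample where only an open port was reachable, so nmap warns and guesses.
OS_OUTPUT_WEAK = """\
Nmap scan report for 192.168.1.206
Host is up (0.020s latency).
PORT   STATE SERVICE
80/tcp open  http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 3.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:3
Network Distance: 1 hop
"""

# Hypothetical allowlist of operating systems permitted on this segment: (vendor, product).
APPROVED = {("linux", "linux_kernel")}

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri: str) -> dict:
    """Split a CPE 2.2 URI into its seven components; trailing components may be omitted."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    parts = uri[len("cpe:/"):].split(":")
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return dict(zip(CPE_FIELDS, parts[:len(CPE_FIELDS)]))


def parse_os_report(text: str) -> dict:
    """Collect the OS-detection fields of one nmap host report and judge their reliability."""
    report = {"cpes": [], "running": None, "details": None, "distance": None,
              "open": 0, "closed": 0, "guessing": False, "warning": False}
    for line in text.splitlines():
        m = re.match(r"^\d+/(?:tcp|udp)\s+(\S+)", line)
        if m:
            if m.group(1) == "open":
                report["open"] += 1
            elif m.group(1) == "closed":
                report["closed"] += 1
        elif line.startswith("OS CPE:"):
            report["cpes"] = [parse_cpe(uri) for uri in line.split()[2:]]
        elif line.startswith("Running"):
            report["guessing"] = "JUST GUESSING" in line
            report["running"] = line.split(":", 1)[1].strip()
        elif line.startswith("OS details:"):
            report["details"] = line.split(":", 1)[1].strip()
        elif line.startswith("Network Distance:"):
            report["distance"] = int(line.split(":", 1)[1].split()[0])
        elif line.startswith("Warning: OSScan results may be unreliable"):
            report["warning"] = True
    # Trust the fingerprint only when the open/closed pair was present and nmap did not hedge.
    report["reliable"] = (report["open"] >= 1 and report["closed"] >= 1
                          and not report["warning"] and not report["guessing"])
    return report


def unapproved(cpes: list[dict], approved: set) -> list[dict]:
    """CPEs whose vendor/product pair is not on the allowlist."""
    return [c for c in cpes if (c["vendor"], c["product"]) not in approved]


if __name__ == "__main__":
    for sample in (OS_OUTPUT, OS_OUTPUT_WEAK):
        r = parse_os_report(sample)
        print(r["running"], "reliable" if r["reliable"] else "UNRELIABLE",
              "unapproved:", [c["product"] for c in unapproved(r["cpes"], APPROVED)])
```

When a report comes back unreliable, the fix is usually to widen the port list passed with -p so that the scan reaches a closed port as well as an open one, then rerun it before acting on the OS guess.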
