NMAP Subnet Scan

I had to perform a subnet scan for a client and unfortunately, they did not have any tools, so I suggested using NMAP (www.nmap.org).

For those of you who are unfamiliar with NMAP, you can perform a subnet scan using any of the 3 following options, subnet/mask, IP address range, IP address and * wildcard. For example, on my network it would look like something like this; 10.44.10.0/24 or 10.44.10.1-254 or 10.44.10.*

As I was performing the scan, I was explaining that you should always ‘know your tool’ by simply performing a packet capture. I went on to say that all you have to do is start, stop and save your capture with a descriptive name. So even if you did not have time to go through it now, or go through it thoroughly, its there for future reference.

In this video I should you some of the NMAP behavior we spotted. First thing we noticed was that NMAP performed a discovery using an ARP scan, then it used DNS reverse name lookup to determine the host names. This is where we go down a bit of a rabbit hole. I noticed that my computer was communicating with the correct DNS servers, but then went off and communicated with 2 other IP addresses.

In the video I show you how I figured it out and then how NMAP used the same TCP return port number for its port scans.