Listing protocols supported by a remote host

An IP Protocol scan is useful for determining what communication protocols are being used by a host. This information serves different purposes, including packet filtering testing and remote operating system fingerprinting.

This recipe shows how to use Nmap to enumerate all of the IP protocols supported by a host.

How to do it...

Open a terminal and type the following command:

$ nmap -sO <target>

The results will show what protocols are supported, along with their states.

# nmap -sO 192.168.1.254

Nmap scan report for 192.168.1.254
Host is up (0.0021s latency).
Not shown: 253 open|filtered protocols
PROTOCOL STATE  SERVICE
1        open   icmp
6        open   tcp
132      closed sctp
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)

Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds

How it works...

The flag -sO tells Nmap to perform an IP Protocol Scan. This type of scan iterates through the protocols found in the file nmap-protocols, and creates IP packets for every entry. For the IP protocols TCP, ICMP, UDP, IGMP, and SCTP, Nmap will set valid header values but for the rest, an empty IP packet will be used.

To determine the protocol state, Nmap classifies the different responses received, as follows:

  • If it receives an ICMP protocol unreachable error (type 3, code 2), the protocol is marked as closed
  • ICMP unreachable errors of type 3 with code 1, 3, 9, 10, or 13 indicate that a protocol is filtered
  • If no response is received, the protocol is marked as open|filtered
  • Any other response will cause the protocol to be marked as open
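
For the packet filtering tests mentioned at the start of this recipe, the report can be compared against the protocols a filter is supposed to let through. The following Python script is an added example, not part of the original recipe: it parses the sample report shown earlier, and the allow-list of TCP and UDP is an assumed policy.

```python
import re

# Scan report copied from the sample run shown earlier in this recipe.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.1.254
Host is up (0.0021s latency).
Not shown: 253 open|filtered protocols
PROTOCOL STATE  SERVICE
1        open   icmp
6        open   tcp
132      closed sctp
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)
"""

# One table row: protocol number, state, service name.
ROW = re.compile(r"^(\d{1,3})\s+(open\|filtered|open|closed|filtered)\s+(\S+)\s*$")
# Summary line for protocols Nmap left out of the table.
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+)")


def parse_protocol_scan(report):
    """Return ({protocol number: (state, service)}, (hidden count, hidden state))."""
    rows, hidden, in_table = {}, (0, None), False
    for line in report.splitlines():
        summary = NOT_SHOWN.match(line)
        if summary:
            hidden = (int(summary.group(1)), summary.group(2))
        elif line.startswith("PROTOCOL"):
            in_table = True
        elif in_table:
            row = ROW.match(line)
            if row:
                rows[int(row.group(1))] = (row.group(2), row.group(3))
            else:
                in_table = False  # the first non-row line ends the table
    return rows, hidden


def unexpected_open(rows, allowed):
    """Protocol numbers reported as open that the filter policy does not allow."""
    return sorted(n for n, (state, _) in rows.items()
                  if state == "open" and n not in allowed)


if __name__ == "__main__":
    rows, hidden = parse_protocol_scan(SAMPLE_REPORT)
    # Assumed policy for illustration: only TCP (6) and UDP (17) may pass.
    print(rows, hidden, unexpected_open(rows, allowed={6, 17}))
```

Only protocols reported as open are flagged; the 253 open|filtered entries gave no response, so they say nothing definite about the filter.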

There's more...

To specify what protocols should be scanned, we could set the argument -p:

$ nmap -p1,3,5 -sO <target>
$ nmap -p1-10 -sO <target>

Customizing the IP protocol scan

The file containing the IP protocol list is named nmap-protocols and is located at the root folder of your Nmap installation. To add a new IP protocol, we simply need to add its entry to this file:

# echo "hip 139 #Host Identity Protocol" >> /usr/local/share/nmap/nmap-protocols

See also

  • The Fingerprinting the operating system of a host recipe
  • The Discovering hostnames pointing to the same IP address recipe
  • The Matching services with known security vulnerabilities recipe
  • The Spoofing the origin IP of a port scan recipe
  • The Brute forcing DNS records recipe
  • The Discovering stateful firewalls with a TCP ACK scan recipe
  • The Discovering UDP services recipe