
I'm studying up on using Nmap, and there is a command that sweeps the network with a simple Ping scan to determine which hosts are online.

The command is this:

    [ignore_this]# nmap -sP 10.0.0.0/24

And the output:

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:19 BST
    Host 10.0.0.1 appears to be up.
    MAC Address: 00:09:5B:29:FD:96 (Netgear)
    Host 10.0.0.2 appears to be up.
    MAC Address: 00:0F:B5:96:38:5D (Netgear)
    Host 10.0.0.4 appears to be up.
    Host 10.0.0.5 appears to be up.
    MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
    Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.399 seconds

And I'm a little confused... the command is nmap -sP 10.0.0.0/24. To my (basic) knowledge of networking, this is just a class A IP address, except the /24 at the end is the subnet mask. Why is he including the subnet mask?

Sorry if I'm a little misinformed and don't understand the topic very well, but I have no clue at all why the /24 is there. Personally I've never used a subnet; I'm not too familiar with it. The most I've ever done with subnetting is write it out on paper and find out what the host portion, network portion and broadcast parts were. I've never actually used subnetting on a computer, I didn't even know you could essentially ping an IP address with the /24...

If anyone knows:

  1. Where did he get this from?
  2. Why did he include it...
  3. A little more on how it works...

Tim
Gabriel
    There is no such thing as a class A network any more. That's a history lesson now. – MDMarra Apr 13 '12 at 17:24
  • [CIDR](http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) – user9517 Apr 13 '12 at 17:28
  • If you have a teacher who has even mentioned the "Classes" outside of a History lesson, he should be fired. The classes were replaced by CIDR in 1993. They were a dark page in IP history that is better forgotten at this point. – Chris S Apr 13 '12 at 19:15

2 Answers

Even though 10.0.0.0 is defined as a Class-A network, you can still define smaller networks inside it.

So 10.0.0.0/24 is used to define a smaller network ranging from 10.0.0.0 to 10.0.0.255. For example, /23 could also have been used to define a network ranging from 10.0.0.0 to 10.0.1.255, etc.

I would suggest you look into the CIDR calculator at the following URL (http://www.subnet-calculator.com/cidr.php)

As a side note, in your command, you are not asking NMAP to ping an IP... you are asking it to scan a defined range. You could also point it toward a single IP, but NMAP will most likely translate it as $ip/32.

CloudWeavers

Nmap allows all sorts of target specifications. To scan more than one machine at a time, you could use a list of IP addresses, hostnames, a network in CIDR notation like your example, or a range like 10.0.0.0-255, which is equivalent to your example. Internally, Nmap separates all the targets specified into individual addresses and sends probes to each one.

The -sP argument (in later releases renamed to -sn to mean "skip the portscan") instructs Nmap to do host discovery, which it does in many different ways. If you run it with root privileges, it sends an ICMP echo request ("ping"), a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. If any of these probes receive a response, the host is up. Unprivileged scans attempt a TCP connection to port 80 and port 443, looking for any response but a timeout.

Regarding the 10.0.0.0 network, RFC 1918 reserves 10.0.0.0/8 (a "class-A" network) for private use, but that private use can involve subnetting it or only using a small portion of the space. In practice, very few organizations need the >16M addresses in the /8, but it is an easier address space to remember than 172.16.0.0/12 or 192.168.0.0/16, and so it gets used in tutorials a lot.

bonsaiviking
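To make the CIDR arithmetic in both answers concrete, here is an added Python example (not code from the question, either answer, or Nmap itself). It computes the network, broadcast and address count for a /24, /23 and /8 both with the standard library and by hand with the mask the asker worked out on paper, and it checks the claim that 10.0.0.0/24 and the Nmap range 10.0.0.0-255 are the same 256 targets. The range parser is a simplified, hypothetical stand-in: it only handles a range in the last octet, while Nmap accepts ranges in any octet.

```python
import ipaddress

def describe(cidr: str) -> dict:
    """Network, broadcast, mask and address count for a CIDR block."""
    # strict=False lets a host address (10.0.0.7/23) stand in for its network
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "addresses": net.num_addresses,
    }

def cidr_by_hand(cidr: str) -> tuple[str, str, int]:
    """Same result using the pencil-and-paper method: AND the address with the mask."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # /24 -> 0xFFFFFF00
    a = int(ipaddress.IPv4Address(addr))
    network = a & mask                                  # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)          # set the host bits
    return (str(ipaddress.IPv4Address(network)),
            str(ipaddress.IPv4Address(broadcast)),
            2 ** (32 - prefix))

def expand_targets(spec: str) -> set[ipaddress.IPv4Address]:
    """Expand a simplified Nmap-style target spec into its set of addresses.

    Handles the three forms discussed: a single host (treated as /32),
    CIDR notation (10.0.0.0/24) and a last-octet range (10.0.0.0-255).
    """
    if "/" in spec:
        # every address in the block, network and broadcast included, as Nmap does
        return set(ipaddress.ip_network(spec, strict=False))
    if "-" in spec:
        head, _, last = spec.rpartition("-")
        prefix, _, first = head.rpartition(".")
        return {ipaddress.IPv4Address(f"{prefix}.{i}")
                for i in range(int(first), int(last) + 1)}
    return {ipaddress.IPv4Address(spec)}   # a bare IP is the same as spec/32

if __name__ == "__main__":
    for block in ("10.0.0.0/24", "10.0.0.0/23", "10.0.0.0/8"):
        print(block, describe(block), cidr_by_hand(block))
    # the /24 from the question and the equivalent range form
    print(expand_targets("10.0.0.0/24") == expand_targets("10.0.0.0-255"))
```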