
When doing a network scan using for example NMAP with its "-A" option, what layer of the OSI model does it work on?

For reference, this is the description of the "-A" option: -A : "Enable OS detection, version detection, script scanning, and traceroute"

3 Answers


The OSI model is a theoretical model with 7 layers; there are lots of resources out there describing which layers map to actual protocol layers in various network stacks, so I won't get into that. Instead, I'll give you the breakdown of what happens at each layer of the TCP/IP stack, which has 5 layers.

  1. Physical layer. Nmap unavoidably uses this layer, though it is not usually concerned with it. It doesn't matter if you are using Cat 5 cable, 2.4 GHz radio, or coaxial cable—you can't use a network without having a physical layer. Nmap has no idea what it is, either; the firmware in your network card handles that.
  2. Data link layer. Here again, Nmap has to use this layer or nothing gets sent to the destination. But there are some cases where Nmap is aware of what layer-2 protocols are in use. These all require root privileges to work:
    • On Windows, Nmap can't send raw IP packets (more on this in the next layer), so it falls back to sending raw Ethernet (layer 2) frames instead. This means that it can only work on Ethernet-like data links—WiFi is fine, but PPTP doesn't work.
    • There are some NSE scripts that probe layer-2 protocols: lltd-discovery, broadcast-ospf2-discovery, sniffer-detect, etc.
    • If the target is on the same data link, Nmap will use ARP to determine if the IP address is responsive. It will then report the MAC address of the target. For IPv6 targets, Neighbor Discovery packets are used instead.
  3. Network layer. Nmap supports both IPv4 and IPv6 network layer protocols. For port scans (except -sT TCP Connect scan), Nmap builds the network packet itself and sends it out directly, bypassing the OS's network stack. This is also where --traceroute happens, by sending packets with varying small Time To Live (TTL) values to determine the address where each one expires. Finally, part of the input into OS detection comes from the network layer: initial TTL values, IP ID analysis, ICMP handling, etc.
  4. Transport layer. This is where the "port scanner" core of Nmap works. A port is a transport layer address; some of them may be used by services on the target ("open" ports), and others may be unused ("closed" ports). Nmap can scan 3 different transport-layer protocols: TCP, UDP, and SCTP. The majority of inputs to OS detection come from here: TCP options, sequence number analysis, window size, etc.
  5. Application layer. This is where version detection (-sV) takes over, sending various strings of data (probes) to open services to get them to respond in unique ways. SSL/TLS is handled specially, since other services may be layered over it (in which case it provides something like an OSI Session Layer). This is also where the vast majority of NSE scripts do their work, probing services like HTTP, FTP, SSH, RDP, and SMB.
bonsaiviking
  • Thanks for the detailed description! This answers my question very well. –  Nov 13 '17 at 16:27
  • read about this "If the target is on the same data link, Nmap will use ARP to determine if the IP address is responsive.". Does it mean you need to run sudo with nmap to do that since it's data-link layer? – Alvin Smith May 29 '21 at 22:22
  • @AlvinSmith Yes, presuming you are not on Windows. Windows requires Npcap driver to be installed instead for that feature. – bonsaiviking Jun 01 '21 at 16:47
  • Thanks for replying. I run vms on VMware. But I can run `nmap -sn 192.168.1.0/24` on one machine without sudo. It is not a problem for me. It just seems it shouldn't be. – Alvin Smith Jun 02 '21 at 21:54
  • @AlvinSmith Nmap requires root or Npcap to use ARP for host discovery, but it will use other methods if it does not have sufficient privileges. Add -vv or -d to your scan to see what Nmap is doing and why it decided the target addresses are up. – bonsaiviking Jun 03 '21 at 16:48
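To make the layer boundaries in the answer above concrete, here is an added example (not Nmap's own code and not part of the answer) that builds, byte for byte and without sending anything, the three packets a privileged Nmap crafts itself: an ARP request (layer 2 host discovery on the local data link), an IPv4 header with a chosen TTL (what --traceroute varies at layer 3), and a TCP SYN with an MSS option (the -sS probe at layer 4, whose options feed OS detection). The MACs, addresses, ports, IP IDs and the 1024 window are constructed sample values, and the checksum routines are written here rather than taken from Nmap.

```python
"""Layer-by-layer view of what a raw-socket Nmap probe looks like on the wire.

Added example (not Nmap's source). It builds, without sending:
  layer 2  ARP who-has          (local-link host discovery, needs root/Npcap)
  layer 3  IPv4 header + TTL     (the field --traceroute varies)
  layer 4  TCP SYN + MSS option  (the -sS probe; options are OS-detection input)
All MACs, addresses, ports and IDs below are constructed sample values.
"""
import socket
import struct

TCP_PROTO = 6
MSS_1460_OPTION = b"\x02\x04\x05\xb4"  # option kind 2 (MSS), length 4, value 1460


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, as IPv4 and TCP use."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_arp_request(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Layer 2: broadcast Ethernet frame carrying an ARP request for dst_ip.
    A reply proves the host is up and yields its MAC; no IP packet is involved."""
    ethernet = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + b"\x08\x06"
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode=request(1)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)
    arp += b"\x00" * 6 + socket.inet_aton(dst_ip)  # target MAC still unknown
    return ethernet + arp


def build_ipv4_header(src_ip, dst_ip, payload_len, proto, ttl, ip_id) -> bytes:
    """Layer 3: 20-byte IPv4 header with a correct header checksum."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,          # version 4, IHL 5 words
        0,                     # DSCP/ECN
        20 + payload_len,      # total length
        ip_id, 0,              # identification, flags/fragment offset
        ttl, proto, 0,         # TTL, protocol, checksum placeholder
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:]


def build_tcp_syn(src_ip, dst_ip, sport, dport, seq,
                  options=MSS_1460_OPTION, window=1024) -> bytes:
    """Layer 4: TCP SYN segment; its checksum also covers the IPv4 pseudo-header."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4
    segment = struct.pack(
        "!HHIIBBHHH", sport, dport, seq, 0,
        data_offset << 4, 0x02,   # data offset in words, SYN flag only
        window, 0, 0,             # window, checksum placeholder, urgent pointer
    ) + options
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return segment[:16] + struct.pack("!H", checksum(pseudo + segment)) + segment[18:]


def build_syn_probe(src_ip, dst_ip, sport, dport, seq, ttl=64, ip_id=0x1234) -> bytes:
    """A complete -sS style probe: IPv4 header followed by the SYN segment."""
    tcp = build_tcp_syn(src_ip, dst_ip, sport, dport, seq)
    return build_ipv4_header(src_ip, dst_ip, len(tcp), TCP_PROTO, ttl, ip_id) + tcp


def traceroute_probes(src_ip, dst_ip, sport, dport, max_hops):
    """What --traceroute does at layer 3: the same probe with TTL 1, 2, ..., max_hops.
    The router that decrements a TTL to zero answers with ICMP Time Exceeded."""
    return [(ttl, build_syn_probe(src_ip, dst_ip, sport, dport, 0x1000 + ttl, ttl=ttl, ip_id=ttl))
            for ttl in range(1, max_hops + 1)]


def verify_ipv4(packet: bytes) -> bool:
    """A header carrying a valid checksum sums to zero under the same algorithm."""
    return checksum(packet[:20]) == 0


def verify_tcp(src_ip, dst_ip, segment: bytes) -> bool:
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return checksum(pseudo + segment) == 0


if __name__ == "__main__":
    # Putting these on the wire needs a raw socket, i.e. root (or Npcap on Windows),
    # the privilege boundary discussed in the comments above; here we only inspect them.
    frame = build_arp_request("02:00:00:00:00:01", "192.168.1.10", "192.168.1.20")
    probe = build_syn_probe("192.168.1.10", "192.168.1.20", 40000, 80, 0xDEADBEEF)
    print(f"ARP frame: {len(frame)} bytes, EtherType {frame[12:14].hex()}")
    print(f"SYN probe: {len(probe)} bytes, TTL {probe[8]}, IPv4 checksum ok: {verify_ipv4(probe)}")
    for ttl, pkt in traceroute_probes("192.168.1.10", "203.0.113.5", 40000, 443, 3):
        print(f"traceroute probe ttl={ttl}: ip_id={int.from_bytes(pkt[4:6], 'big')}")
```

Reading the output side by side with the answer: the ARP frame never contains an IP header, which is why an unprivileged Nmap (no raw sockets) cannot use it and falls back to other discovery methods; the TTL byte at offset 8 of the IPv4 header is the only thing that changes between the traceroute probes; and everything OS detection reads from "TCP options, window size" lives in the last 24 bytes of the SYN probe.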

All of them? If you're asking for some sort of course, I'll leave it to you to turn this into something that answers your questions and instead focus on thinking about what's going on.

  • Obviously layer 1 packets are sent, but nmap isn't really aware of them

  • When on the same local network, nmap pays attention to MAC addresses and ARP. This helps with vendor detection, as well as giving you network distance information

  • layer 3 (network layer) is used for sending packets, for detecting whether the host is up.

  • the transport layer (layer 4) is used for things like SYN scans, and to detect which ports are open. Sequence number detection, which happens at layer 4 is important to OS detection.

  • Mapping OSI layers 5 and 6 (session and the one I can never remember) to the TCP/IP protocol stack is complex. I leave that to a long paper I'm not going to write.

  • layer 7 (application) is involved in the scripts and in doing things like collecting info about websites. If you think HTTP is layer 6 rather than 7 (a valid world model), then some of that happens at layer 6.

As you can see, this really isn't very clear.

Sam Hartman

The -A option seems to do a few things. Since it seems to be doing TCP/UDP port detection as well as traceroute (which is ICMP) (see man nmap for more info), I would say that includes the Transport Layer as well as the Network Layer. As it seems to be checking versions of server software running, there's a good chance it's also on the Application Layer.

greymouser