List Scan (-sL)
Requires Privileged Access: NO
Identifies TCP Ports: NO
Identifies UDP Ports: NO
The list scan isn't really a scan, but it does provide nmap with some troubleshooting and testing capabilities. The list scan simply lists the IP addresses that would normally be actively scanned.
List Scan Operation
The list scan doesn't ping the host names, and it doesn't send a TCP ACK to the default port number. If reverse DNS resolution is disabled with -n, the list scan is completely silent on the network, with no frames transmitted or received.
By default, nmap will perform a reverse DNS lookup on every IP address in the scan. If the -n option isn't specified, the list scan will send traffic over the network and query the DNS server each time an IP address is listed!
The list scan output shows this lack of activity by identifying the IP address as "not scanned:"
# nmap -sL -v 192.168.0.10
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 13:12 EDT
Host 192.168.0.10 not scanned
Nmap finished: 1 IP address (0 hosts up) scanned in 0.255 seconds
#
The list scan is a good method to sanity-check a complex nmap scan prior to starting a large batch process or a large group of IP addresses. If any of the IP addresses are defined incorrectly on the command line or the option file, the list scan will identify the errors. These problems can be identified and repaired prior to running any "live" scans.
Disadvantages of the List Scan
The list scan isn't really an active scan. It doesn't show availability, it doesn't find any ports, and it doesn't directly connect with an end device.
The list scan can't be combined at the command line with any other scan type. If another scan type is included with the list scan, an error message will be displayed:
Sorry, the IPProtoscan, Listscan, and Pingscan (-sO, -sL, -sP) must currently be used alone rather than combined with other scan types. QUITTING!
When to use the List Scan
At first glance, the list scan doesn't appear to be very helpful. What good is a scanning tool that doesn't actually scan anything?
The list scan is often used as a sanity check when a complex scan is defined. If a separate application provides nmap with a list of IP addresses, it may be helpful to have nmap step through a dry run prior to starting the "production" scan process. For large network audits, this process could be the difference between a successful scan and hours of wasted time!
The list scan is also a useful tool to run "what if" scans. Nmap allows many different IP address options that include randomization, abbreviated subnet mask notation, wildcards, and address ranges. The list scan will confirm the scan process prior to an actual scan.
The list scan implements a reverse DNS lookup for every host specified in the list scan. This means that nmap can be fed a list of IP addresses, and nmap will automatically use the default DNS server to convert the IP addresses to names. This makes it easy to find interesting device names!
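As an added illustration (not part of the original text and not nmap's own code), the following Python script reproduces the two useful properties of a list scan offline: it expands nmap-style target specifications (CIDR with host bits, octet ranges such as 1-10, comma lists, and * wildcards) into the exact address list, reports malformed entries instead of aborting, and performs the reverse DNS lookup only when asked, mirroring the effect of -n. The functions expand_target and dry_run are hypothetical names chosen for this example, and the target list in the usage block is constructed; the parser is an approximation of nmap's target grammar, not a port of it.

```python
import ipaddress
import socket
from itertools import product


def _expand_octet(part):
    """Expand one octet of a dotted-quad target in nmap-like syntax.

    Accepts a single number, '*' (0-255), and comma-separated ranges
    such as '1-10,20'; '1-' means 1-255 and '-' alone means 0-255.
    This is an approximation of nmap's grammar (assumption)."""
    if part == "*":
        return list(range(256))
    values = []
    for piece in part.split(","):
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else 255
        else:
            lo = hi = int(piece)  # non-numeric text raises ValueError
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds: {piece!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec):
    """Return the list of IPv4 addresses a single target spec covers."""
    spec = spec.strip()
    if "/" in spec:
        # nmap treats 192.168.0.10/24 as the whole /24, so do not be strict
        # about host bits being set.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 target: {spec!r}")
    octets = [_expand_octet(p) for p in parts]
    # product() varies the last octet fastest, matching nmap's ordering.
    return [".".join(str(o) for o in combo) for combo in product(*octets)]


def dry_run(specs, resolve=False):
    """List-scan analogue: expand every spec without touching the hosts.

    Returns (hosts, errors). hosts is a list of (address, name) tuples with
    duplicates removed; errors collects malformed specs so a large target
    file can be checked in one pass. With resolve=False (the -n behaviour)
    no packet leaves the machine; with resolve=True a reverse DNS query is
    issued per address, just as nmap does by default."""
    hosts, errors, seen = [], [], set()
    for spec in specs:
        try:
            addrs = expand_target(spec)
        except ValueError as exc:
            errors.append((spec, str(exc)))
            continue
        for addr in addrs:
            if addr in seen:
                continue
            seen.add(addr)
            name = None
            if resolve:
                try:
                    name = socket.gethostbyaddr(addr)[0]
                except (socket.herror, socket.gaierror):
                    name = None
            hosts.append((addr, name))
    return hosts, errors


if __name__ == "__main__":
    # Constructed sample target list; the last entry is a deliberate typo.
    sample = ["192.168.0.10", "192.168.0.1-3", "192.168.1.10/30", "10.0.0.999"]
    hosts, errors = dry_run(sample)  # resolve=False: silent, like -n
    for addr, name in hosts:
        label = f"{name} ({addr})" if name else addr
        print(f"Host {label} not scanned")
    for spec, why in errors:
        print(f"Bad target {spec!r}: {why}")
```

Run it against the same target file or command-line list you intend to hand to nmap; a non-empty errors list or an unexpected address count is exactly the kind of mistake the list scan is meant to catch before a live scan starts. Pass resolve=True only when you actually want the DNS traffic the text warns about.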
If the list scan is being used as a dry run prior to a large scan, be sure to use the -oA option, which writes every output format at once, to keep a record of the scan. If something about the scan didn't operate properly, this output can be checked for syntax and errors.