Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)
Section 3: Discovery Options
Overview
Before port scanning a target, Nmap will attempt to send ICMP echo requests to see if the host is “alive.” This can save time when scanning multiple hosts as Nmap will not waste time attempting to probe hosts that are not online. Because ICMP requests are often blocked by firewalls, Nmap will also check TCP ports 80 and 443 since these common web server ports are often open (even if ICMP is not).
The default discovery options aren’t always useful when scanning secured systems. The following section describes alternative methods for host discovery that allow you to perform custom discovery pings when looking for available targets.
Summary of features covered in this section:
-Pn (formerly -PN)    Don't Ping
-sn (formerly -sP)    Perform a Ping Only Scan
-PS                   TCP SYN Ping
-PA                   TCP ACK Ping
-PU                   UDP Ping
-PE                   ICMP Echo Ping
-PP                   ICMP Timestamp Ping
-PM                   ICMP Address Mask Ping
-PO                   IP Protocol Ping
-PR                   ARP Ping
--traceroute          Traceroute
-n                    Disable Reverse DNS Resolution
--system-dns          Alternative DNS Lookup
--dns-servers         Manually Specify DNS Server(s)
-sL                   Create a Host List
Don’t Ping
By default, before Nmap attempts to scan a system for open ports it will first ping the target to see if it is online. This feature helps save time when scanning as it causes targets that do not respond to be skipped.
$ nmap 10.10.5.139
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 10:06 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds
Results of an Nmap scan where the target system is not pingable
In the above example the specified target is not scanned because it does not respond to Nmap’s pings. The -Pn option instructs Nmap to skip the default discovery check and perform a complete port scan on the target. This is useful when scanning systems that are protected by a firewall that blocks ping probes.
Usage syntax: nmap -Pn [target]
$ nmap -Pn 10.10.5.139
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 10:07 CST
Nmap scan report for 10.10.5.139
Host is up (0.0020s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
5800/tcp open vnc-http
5900/tcp open vnc
Nmap done: 1 IP address (1 host up) scanned in 4.90 seconds
Output of an Nmap scan with ping discovery disabled
By specifying the -Pn option on the same target, Nmap is able to produce a list of open ports on the un-pingable system.
Note: The -Pn option was -PN in Nmap version 5 and earlier. It was renamed for consistency.
Ping Only Scan
The -sn option is used to perform a simple ping of the specified target (without scanning any ports).
Usage syntax: nmap -sn [target]
$ nmap -sn 192.168.1.0/24
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 20:12 CST
Nmap scan report for 192.168.1.1
Host is up (0.0017s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0011s latency).
Nmap scan report for 192.168.1.100
Host is up (0.0020s latency).
Nmap scan report for 192.168.1.101
Host is up (0.010s latency).
Nmap scan report for 192.168.1.105
Host is up (0.0011s latency).
Nmap scan report for 192.168.1.109
Host is up (0.0011s latency).
Nmap scan report for 192.168.1.111
Host is up (0.000066s latency).
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.32 seconds
Output of a ping only scan
The -sn option is useful when you want to perform a quick search of the target network to see which hosts are online without actually scanning the systems for open ports. In the above example, all valid addresses in the 192.168.1.0/24 subnet are pinged and results from responding hosts are displayed.
When scanning a local network, you can execute Nmap with root privileges for additional ping functionality. When doing this, the -sn option will perform an ARP ping and return the MAC addresses of the discovered system(s).
Note: This is the default behavior on Windows systems.
$ sudo nmap -sn 192.168.1.0/24
[sudo] password for nick: ******
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 20:14 CST
Nmap scan report for 192.168.1.1
Host is up (0.00075s latency).
MAC Address: 6C:70:9F:D6:2D:94 (Apple)
[...]
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.80 seconds
Output of a ping only scan (as root)
Note: The -sn option was -sP in Nmap version 5 and earlier. It was renamed for consistency.
TCP SYN Ping
The -PS option performs a TCP SYN ping.
Usage syntax: nmap -PS[port1,port2,etc] [target]
# nmap -PS 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:14 CST
Nmap scan report for 10.10.3.1
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
Performing a TCP SYN ping
The -PS option sends a SYN packet to the target system and listens for a response. A SYN packet is the first part of what's known as the TCP three-way handshake. Any system with an open or unfiltered TCP port will respond to this type of probe. This alternative discovery method is useful for systems that are configured to block standard ICMP pings.
Note: The default port for -PS is 80, but others can be specified using the following syntax: nmap -PS22,25,80,443,etc. This can be useful for trying to solicit a response from a system that is filtering port 80.
TCP ACK Ping
The -PA option performs a TCP ACK ping on the specified target.
Usage syntax: nmap -PA[port1,port2,etc] [target]
$ nmap -PA 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:15 CST
Nmap scan report for 10.10.3.1
Host is up (0.055s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Performing a TCP ACK ping
The -PA option causes Nmap to send TCP ACK packets to the specified hosts. These packets appear to belong to TCP connections that don't actually exist, and the target's reply to the unexpected ACK reveals that it is online. Like other ping options, it is useful in situations where standard ICMP pings are blocked.
Note: The default port for -PA is 80, but others can be specified using the following syntax: nmap -PA22,25,80,443,etc.
UDP Ping
The -PU option performs a UDP ping on the target system.
Usage syntax: nmap -PU[port1,port2,etc] [target]
# nmap -PU 10.10.4.59
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:18 CST
Nmap scan report for 10.10.4.59
Host is up (0.0023s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
161/tcp open snmp
515/tcp open printer
9100/tcp open jetdirect
9200/tcp open wap-wsp
Nmap done: 1 IP address (1 host up) scanned in 13.98 seconds
Performing a UDP ping
This discovery method sends UDP packets in an attempt to solicit a response from a target. While most firewalled systems will block this type of connection, some poorly configured systems may allow it if they are only configured to filter TCP connections.
Note: The default port for -PU is 40125. Others can be specified by using the following syntax: nmap -PU22,25,80,443,etc.
ICMP Echo Ping
The -PE option performs an ICMP (Internet Control Message Protocol) echo ping on the specified system.
Usage syntax: nmap -PE [target]
# nmap -PE 10.10.4.59
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:23 CST
Nmap scan report for 10.10.4.59
Host is up (0.0028s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
161/tcp open snmp
515/tcp open printer
9100/tcp open jetdirect
9200/tcp open wap-wsp
Nmap done: 1 IP address (1 host up) scanned in 3.53 seconds
Performing an ICMP echo ping
The -PE option sends a standard ICMP ping to the target to see if it replies. This type of discovery works best on local networks where ICMP packets can be transmitted with few restrictions. Many internet hosts, however, are configured not to respond to ICMP packets for security reasons.
Note: The -PE option is automatically implied if no other ping options are specified.
ICMP Timestamp Ping
The -PP option performs an ICMP timestamp ping.
Usage syntax: nmap -PP [target]
# nmap -PP 10.10.4.59
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:24 CST
Nmap scan report for 10.10.4.59
Host is up (0.0029s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
161/tcp open snmp
515/tcp open printer
9100/tcp open jetdirect
9200/tcp open wap-wsp
Nmap done: 1 IP address (1 host up) scanned in 3.50 seconds
Performing an ICMP timestamp ping
While most firewalled systems are configured to block ICMP echo requests, some improperly configured systems may still reply to ICMP timestamp requests. This makes the -PP option useful when attempting to solicit responses from firewalled targets.
ICMP Address Mask Ping
The -PM option performs an ICMP address mask ping.
Usage syntax: nmap -PM [target]
# nmap -PM 10.10.4.59
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:25 CST
Nmap scan report for 10.10.4.59
Host is up (0.0036s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
161/tcp open snmp
515/tcp open printer
9100/tcp open jetdirect
9200/tcp open wap-wsp
Nmap done: 1 IP address (1 host up) scanned in 3.52 seconds
Performing an ICMP address mask ping
This unconventional ICMP query (similar to the -PP option) attempts to ping the specified host using an alternative ICMP message type, the address mask request. This type of ping can occasionally sneak past a firewall that is configured to block only standard echo requests.
IP Protocol Ping
The -PO option performs an IP protocol ping.
Usage syntax: nmap -PO[protocol1,protocol2,etc] [target]
# nmap -PO1 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 10:28 CST
Nmap scan report for 10.10.3.1
Host is up (0.14s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 17.74 seconds
Performing an IP protocol ping
An IP protocol ping sends IP packets with the specified protocol number to the target. If no protocols are specified, the default protocols 1 (ICMP), 2 (IGMP), and 4 (IP) are used. To ping using a custom set of protocols, use nmap -PO1,2,4,etc. This type of ping can sometimes get a target to respond with ICMP unreachable messages if the protocol used is not supported.
Note: A complete list of Internet Protocol numbers can be found online at iana.org/assignments/protocol-numbers.
ARP Ping
The -PR option instructs Nmap to perform an ARP (Address Resolution Protocol) ping on the specified target.
Usage syntax: nmap -PR [target]
# nmap -PR 10.10.4.59
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-14 15:31 CST
Nmap scan report for 10.10.4.59
Host is up (0.0077s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
161/tcp open snmp
515/tcp open printer
9100/tcp open jetdirect
9200/tcp open wap-wsp
MAC Address: 00:10:40:57:80:17 (Intermec)
Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds
Performing an ARP ping
The -PR option is automatically implied when scanning the local network with root access. This type of discovery is much faster than the other ping methods described in this guide. It also has the added benefit of being more accurate because LAN hosts can't block ARP requests (even if they are running a firewall) since ARP is an essential feature of Ethernet networks. As shown above, the ARP ping will also display the MAC address of the target system.
Note: ARP scans cannot be performed on targets that are not on your local subnet. On Linux systems you must use root privileges for ARP scans to work properly. The -PR option is technically redundant because it is the default type of ping on LANs. Interestingly, Nmap will silently override all other discovery options when scanning the local network. If you really want to experiment with the other discovery options on a LAN you must use the --disable-arp-ping option.
Traceroute
The --traceroute parameter can be used to trace the network path to the specified host.
Usage syntax: nmap --traceroute [target]
# nmap --traceroute scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 20:47 CST
[...]
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 5.00 ms 192.168.1.1
2 14.00 ms 10.33.112.1
3 14.00 ms 70.183.70.198
4 25.00 ms 70.183.71.104
5 24.00 ms 70.183.71.104
6 43.00 ms wichsysr02.rd.ks.cox.net (70.183.71.8)
7 54.00 ms 68.1.2.109
8 39.00 ms v209.core1.dal1.he.net (184.105.16.77)
9 91.00 ms 10ge9-1.core3.fmt2.he.net (72.52.92.153)
10 85.00 ms router4-fmt.linode.com (64.71.132.138)
11 82.00 ms scanme.nmap.org (74.207.244.221)
Nmap done: 1 IP address (1 host up) scanned in 6.07 seconds
Output of a traceroute scan
The --traceroute option performs a trace of routes used to reach the specified target. Each router or "HOP" along the way is displayed along with the round trip time (RTT). Nmap will also attempt to perform a reverse DNS lookup and display any responses, which can reveal interesting information about the routers between you and the destination.
The information displayed is similar to the traceroute or tracepath commands found on Unix and Linux systems (Windows uses tracert). Nmap's route tracing has the added bonus of being generally much faster and more accurate than these other route tracing programs.
Disable Reverse DNS Resolution
The -n parameter is used to disable reverse DNS lookups.
Usage syntax: nmap -n [target]
$ nmap -n 74.207.244.221
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 09:36 CST
Nmap scan report for 74.207.244.221
Host is up (0.059s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
Output of an Nmap scan with reverse DNS disabled
Reverse DNS can significantly slow the performance of an Nmap scan. Using the -n option can greatly reduce scanning times, especially when scanning a large number of hosts. This option is useful if you don't care about the DNS information for the target system and prefer a scan that produces faster results. In the example above, the -n option prevents Nmap from attempting to resolve the specified IP address.
Alternative DNS Lookup Method
The --system-dns option instructs Nmap to use the host system’s DNS resolver instead of its own internal method.
Usage syntax: nmap --system-dns [target]
# nmap --system-dns scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-21 15:07 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.12s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 5.79 seconds
Output of an Nmap scan using the system DNS resolver
This option is rarely used because it is much slower than the default method. It can, however, be useful when troubleshooting DNS problems with Nmap.
Note: The system resolver is always used for IPv6 scans.
Manually Specify DNS Server(s)
The --dns-servers option is used to manually specify DNS servers to be queried when scanning.
Usage syntax: nmap --dns-servers [server1,server2,etc] [target]
# nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-21 15:08 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.43s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds
Manually specifying DNS servers
Nmap’s default behavior will use the DNS servers configured on your local system for name resolution. The --dns-servers option allows you to specify one or more alternative servers for Nmap to query. This can be useful for systems that do not have DNS configured or if you want to prevent your scan lookups from appearing in your locally configured DNS server’s log file.
Create a Host List
The -sL option performs a reverse DNS lookup of the specified IP addresses.
Usage syntax: nmap -sL [target]
$ nmap -sL 8.8.4.4 8.8.8.8 74.207.244.221
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 10:47 CST
Nmap scan report for google-public-dns-b.google.com (8.8.4.4)
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Nmap scan report for scanme.nmap.org (74.207.244.221)
Nmap done: 3 IP addresses (0 hosts up) scanned in 0.00 seconds
Output of a host list generated by Nmap
The -sL scan does not send any packets to the target systems. Instead, it performs a reverse DNS lookup of the specified IP addresses. The above scan shows the results of the reverse lookup for the specified systems. Many DNS names can reveal interesting information about an IP address, including what it’s used for or where it is located.