In this Nmap tutorial, we are going to learn everything about Nmap host discovery flags, how and when to use them [with examples]. I highly recommend you to open a terminal and follow up on this guide by practice.
If you don’t have Nmap installed on your machine yet, here is a step-by-step guide on how to install Nmap on Windows, macOS, Linux, and FreeBSD.
If you plan to practice this NMAP tutorial on your computer, I highly recommend you stay away from picking random targets on the Internet to scan – you can get in serious trouble unless you know what you’re doing.
Instead, consider setting up your own Virtual Hacking Lab here absolutely free.
I very much dislike long intros, so let’s get to work.
What Are NMAP Host Discovery Flags?
What should be the first thing to do to see if a host is alive in a network? That’s right, Ping it! And that’s precisely what Nmap will do by default when scanning a target.
It makes perfect sense, right? As for why would Nmap try to scan e.g., 1000 ports x 10 hosts before even probing if those hosts are alive?
Nmap will start a scan by attempting to send ICMP echo requests [Ping] to a host to see if the host replies. This is particularly relevant when scanning multiple IPs and we’re looking to filter out the offline hosts.
But wait, we have a problem!…
Often, the ICMP requests are blocked by firewalls for security reasons. So Nmap will consequently try to probe the 80 and 443 ports [used by web servers] which are usually open – even if the ICMP test fails.
When scanning a hardened system, the default nmap + IP command can be quite ineffective.
To fix that, specific Nmap discovery flags can be used to find vulnerabilities in an apparently secured system.
NOTE: Executing the Nmap commands in this guide with root privileges will invoke ARP and provide the MAC address of the target system as well.
Table 1.1 shows the complete list of Nmap discovery flags which we will explore in this post.
|Nmap Host Discovery Method||Nmap Host Discovery Flag|
|Skip Host Discovery||-Pn|
|Ping Scan Only||-sn|
|TCP ACK Ping||-PA|
|TCP SYN Ping||-PS|
|ICMP Echo Ping||-PE|
|IP Protocol Ping||-PO|
|ICMP Timestamp Ping||-PP|
|ICMP Address Mask Ping||-PM|
|SCTP INIT Ping||-PY|
|Force Reverse DNS Resolution||-R|
|Disable Reverse DNS Resolution||-n|
|Create a Host List||-sL|
|Alternative DNS Lookup||–system-dns|
|Manually Specify DNS Server||–dns-servers|
NMAP Skip Host Discovery
Syntax: nmap -Pn [Target]
Description: Host discovery will be disabled. All addresses will be marked as ‘up’ and scan times will increase.
By default, before scanning a device for open ports, Nmap will ping a target to see if it is up. As we already discussed, skipping offline targets saves time when performing a scan.
In Figure 1.1 below I am scanning a Windows 10 machine in my network that I know is up and running. Pay attention to the Nmap scan result and the -Pn [no ping] flag suggesting.
In the above example, the target ports are not scanned as the host fails to respond to Nmap’s ICMP requests [Ping].
To bypass host discovery and proceed with port scanning directly we can use the -Pn flag [treat host as online] as seen in Figure 1.2 below.
Even if the initial Nmap scan result showed “Host is down” [Figure 1.1], by running the Nmap scan with the -Pn [no ping] flag we were able to successfully scan 1000 common ports on the machine and find the 5357 TCP port open [Figure 1.2].
The -Pn flag can produce a list of open ports on a system that blocks ICMP [Ping] requests.
NMAP Ping Scan Only
Syntax: nmap -sn [Target]
Description: Perform a Ping scan only and disable port scan for the target machine.
Nmap’s Ping Scan Only method can be useful when we want to perform a quick scan of a network for hosts that are alive without scanning their ports [Figure 1.3].
In Figure 1.3 we ask Nmap to scan all 254 addresses in the 172.16.121.0 subnet resulting in Nmap discovering two hosts that are up [172.16.121.2 and 172.16.121.129].
NOTE: Run Nmap with root privileges for additional ping functionality such as ARP to find the MAC addresses of discovered hosts as seen in Figure 1.4
NMAP TCP ACK Ping
Syntax: nmap -PA[Port1,Port2,Port3,etc] [Target]
Description: Perform a TCP ACK ping on a specified target.
The Nmap TCP ACK Ping method is an alternative method used on systems that are configured to block ICMP echo requests. The TCP ACK ping scan is used to find whether or not a host is alive [Figure 1.5].
NOTE: ACK [ACKNOWLEDGE] and is part of the TCP “three-way handshake.” When a machine receives an SYN package, an SYN-ACK [ACKNOWLEDGE] is sent back to the initial device. Once the SYN-ACK package is received, the initial device will send back an ACK package to establish a TCP connection.
Nmap uses TCP ACK Ping to identify hosts that block SYN packets or ICMP echo requests. Nmap’s TCP ACK packets are most likely blocked by modern firewalls, which log connection states because it consists of dummy packets containing non-existent connections.
Here’s an example of how Nmap TCP ACK Ping syntax for ports 21, 22, and 80 should look like [comma-separated with no spaces]:
NMAP TCP SYN Ping
Syntax: nmap -PS[Port1,Port2,Port3,etc] [Target]
Description: Perform a TCP ACK ping on a specified target.
NOTE: SYN package, an SYN-ACK [ACKNOWLEDGE] is sent back to the initial device. Once the SYN-ACK package is received, the initial device will send back an ACK package to establish a TCP connection.
Nmap TCP SYN Ping sends SYN packets to a target host and waits for a response. Similar to the TCP ACK Ping, the TCP SYN Ping method aims to discover hosts that block ICMP requests. [Figure 1.6].
Here’s an example of how Nmap TCP SYN Ping syntax for ports 21, 22, and 80 should look like [comma-separated with no spaces]:
NMAP UDP Ping
Syntax: nmap -PU[Port1,Port2,Port3,etc] [Target]
Description: Perform a UDP ping on a specified target.
The Nmap UDP Ping discovery method sends UDP packets and looks for a response from a target machine.
Similar to the previous Nmap TCP SYN and TCP ACK methods, modern firewalls will most likely block UDP Ping requests. However, poorly-secured systems that only filter TCP connections may process UDP pings [Figure 1.7].
NMAP ICMP Echo Ping
Syntax: nmap -PE [Target]
Description: Perform an ICMP echo ping on a specified target.
The Nmap ICMP Echo Ping will send standard ICMP requests to a target host looking for replies.
Most Internet hosts are configured to drop ICMP packages for security reasons. Therefore, the ICMP Echo Ping method is suitable for local networks where ICMP packages are transmitted between hosts with fewer restrictions [Figure 1.8].
NMAP IP Protocol Ping
Syntax: nmap -PO[Protocol1,Protocol2,Protocol3,etc] [Target]
Description: Perform an IP protocol ping on a specified target.
As the name implies, the Nmap IP Protocol Ping sends pings to a target using the specified protocol(s) in the command-line syntax.
When no protocols are specified, Nmap will use by default the ICMP, IGMP, and IP-in-IP protocols [Figure 1.9].
NOTE: A comprehensive list of IP protocols to use can be found on the IANA website HERE.
NMAP ICMP Timestamp Ping
Syntax: nmap -PP [Target]
Description: Perform an ICMP timestamp ping on a specified target.
The Nmap ICMP Timestamp Ping is quite useful when discovering targets protected by firewalls [block ICMP requests] and looking for improperly secured targets that might still process ICMP timestamp requests [Figure 1.10].
NMAP ICMP Address Mask Ping
Syntax: nmap -PM [Target]
Description: Perform an ICMP Address Mask Ping on a specified target.
Nmap ICMP Address Mask Ping uses an alternative ICMP register to ping a specified target. As the previous Nmap discovery methods presented above, the ICMP Address Mask Ping is used to bypass firewalls configured to block standard ICMP echo requests on poorly configured systems [Figure 1.11].
NMAP SCTP INIT Ping
Syntax: nmap -PY[Port1,Port1,Port3,etc] [Target]
Description: Perform a SCTP INIT Ping on a specified target. SCTP is commonly used in IP telephony.
Nmap SCTP INIT Ping is a method that sends SCTP [Stream Control Transmission Protocol] packets and looks for INIT ACK or aborts responses from a specified target [Figure 1.12].
NMAP ARP Ping
Syntax: nmap -PR [Target]
Description: Perform an ARP Ping to find the MAC address on a specified target IP.
As mentioned at the beginning of this post, ARP is automatically invoked by Nmap for every scan run with root privileges.
NOTE: ARP [Address Resolution Protocol] is a protocol used to dynamically map an IP address to a MAC address in a LAN network. Simply said, ARP shows you the MAC address associated with an IP.
The benefit of using the -PR flag instead of leaving Nmap to invoke ARP automatically is that targets in a local network [even if behind a firewall] can’t block ARP requests while other types of Nmap scans can be blocked by firewalls resulting in negative results.
The NMAP ARP Ping method is usually faster than other methods covered in this post, though only useful if scanning targets in a local subnet [directly reachable via layer 2 ethernet or wifi].
Force Reverse DNS Resolution
Syntax: nmap -R [Target]
Description: Perform a forced reverse DNS resolution to specified target IP(s).
When conducting a Force Reverse DNS Resolution scan on an IP or block of IPs, Nmap attempts to reverse DNS details for each IP address – by default.
When using the -R flag on a target IP address, even if the target seems offline or blocking Nmap probes, a forced reverse DNS scan can expose helpful details about the target machine.
Take note that reverse DNS scan takes time especially when applying the -R on a multi-target scan scenario [Figure 1.14].
NMAP Disable Reverse DNS Resolution
Syntax: nmap -n [Target]
Description: This Nmap command is used to disable the DNS lookup in order to increase the performance of a scan.
As seen in Figure 1.14 above, Nmap reverse DNS resolution can take a lot of time to complete, especially in a multi-target scan scenario. The -n flag can be used to reduce the time required to complete a single or multi-target scan [Figure 1.15].
Syntax: sudo nmap –traceroute [Target]
Description: Trace the network path to a specified target. The traceroute command gives similar results as the tracepath command available on Linux and UNIX operating systems.
The Nmap Traceroute command provides information on the number of hops to reach a target and their IP addresses as well as the round trip time for each hop. The –traceroute command must be executed with root privileges [Figure 1.16].
NMAP Host List Output
Syntax: nmap -sL [Target]
Description: This Nmap flag will perform a reverse DNS lookup and generate a list for the specified IPs and their respective DNS names.
This method is useful when looking to find the DNS names for specific targets. The Nmap -sL flag will identify the IP addresses and associated DNS names of a target or multiple targets without sending any packets [Figure 1.17].
NMAP Alternate DNS Lookup
Syntax: nmap –system-dns [Target]
Description: Nmap –system-dns flag tells NMAP to use the target’s DNS resolver instead of its own method. The DNS resolver is always used for IPv6 scans.
Though rarely used, the Nmap Alternate DNS Lookup method can provide valuable details, particularly when troubleshooting DNS problems in a network [Figure 1.18].
NMAP Manual DNS Servers
Syntax: nmap –dns-servers [Server1,Server2,Server3,etc] [Target]
Description: Nmap –dns-servers flag is used to tell Nmap which DNS servers should be queried when performing a scan for name resolution. This method does not work on IPv6 scans.
By default, Nmap will query the local DNS servers for name resolution when performing a DNS lookup. By using the –dns-server flag, we manually tell Nmap which servers should be queried for name resolution [Figure 1.19].
NOTE: This method can be used to avoid your scan lookup being recorded in the DNS server log or if the target systems don’t have DNS service configured.
Congratulations on reaching the end of this guide! Take some time to read and practice the above Nmap discovery flags in your setup. If you don’t have one, you can practice your Nmap host discovery scans using the scanme.nmap.org domain.
Ready to dive deeper into Nmap? Have a look at the 11 Most Used NMAP Commands For Advanced Scanning. See you there!