17 NMAP HOST DISCOVERY FLAGS AND HOW TO USE THEM

By Leonard Cucos •  Updated: 05/01/21 •  12 min read

In this Nmap tutorial, we are going to learn everything about Nmap host discovery flags, how and when to use them [with examples]. I highly recommend that you open a terminal and follow along with this guide by practising.

If you don’t have Nmap installed on your machine yet, here is a step-by-step guide on how to install Nmap on Windows, macOS, Linux, and FreeBSD.

If you plan to practice this NMAP tutorial on your computer, I highly recommend you stay away from picking random targets on the Internet to scan – you can get in serious trouble unless you know what you’re doing. 

Instead, consider setting up your own Virtual Hacking Lab here absolutely free.

I very much dislike long intros, so let’s get to work.

What Are NMAP Host Discovery Flags?

What should be the first thing to do to see if a host is alive in a network? That’s right, Ping it! And that’s roughly what Nmap does by default before scanning a target.

It makes perfect sense, right? Why would Nmap scan e.g., 1000 ports x 10 hosts before even probing whether those hosts are alive?

Nmap starts every scan with a host discovery phase. When run as root against targets outside the local network, it sends four probes to each host at once: an ICMP echo request [Ping], a TCP SYN packet to port 443, a TCP ACK packet to port 80 and an ICMP timestamp request. Any reply, even a TCP RST, marks the host as up. Without root privileges Nmap cannot craft raw packets, so it falls back to a TCP connect to ports 80 and 443. Targets on the local Ethernet segment are instead found with ARP requests [see the -PR section]. This is particularly relevant when scanning multiple IPs and we’re looking to filter out the offline hosts.

But wait, we have a problem!

Often, ICMP requests are blocked by firewalls for security reasons, and a firewall that also drops unsolicited packets to ports 80 and 443 leaves all of the default probes unanswered. Nmap then reports the host as down and skips the port scan entirely.

When scanning a hardened system, the default nmap + IP command can therefore be quite ineffective.

To fix that, the Nmap host discovery flags below let us choose which probes are sent, so that a host which ignores Ping can still be recognised as alive through whatever traffic the firewall does let through. Keep in mind that host discovery only tells us which hosts are up; finding open ports and vulnerabilities on them is the job of the port scan and the steps that follow.

NOTE: Executing the Nmap commands in this guide with root privileges against targets on your local network [same Ethernet segment] will make Nmap use ARP requests for host discovery and report the MAC address of each target as well.

Table 1.1 shows the complete list of Nmap discovery flags which we will explore in this post. 

Nmap Host Discovery Method         Nmap Host Discovery Flag
Skip Host Discovery                -Pn
Ping Scan Only                     -sn
TCP ACK Ping                       -PA
TCP SYN Ping                       -PS
UDP Ping                           -PU
ICMP Echo Ping                     -PE
IP Protocol Ping                   -PO
ICMP Timestamp Ping                -PP
ICMP Address Mask Ping             -PM
SCTP INIT Ping                     -PY
ARP Ping                           -PR
Force Reverse DNS Resolution       -R
Traceroute                         --traceroute
Disable Reverse DNS Resolution     -n
Create a Host List                 -sL
Alternative DNS Lookup             --system-dns
Manually Specify DNS Server        --dns-servers
Table 1.1: NMAP Host Discovery Flags

NMAP Skip Host Discovery

Flag: -Pn

Syntax: nmap -Pn [Target]

Description: Host discovery will be disabled. All addresses will be marked as ‘up’ and scan times will increase.

By default, before scanning a device for open ports, Nmap will ping a target to see if it is up. As we already discussed, skipping offline targets saves time when performing a scan. 

In Figure 1.1 below I am scanning a Windows 10 machine in my network that I know is up and running. Pay attention to the Nmap scan result: Nmap reports the host as down and itself suggests trying the -Pn [no ping] flag.

Nmap Host Discovery [No Ping] - Source: nudesystems.com
Figure 1.1: Default NMAP host discovery scan [target not pingable]

In the above example, the target ports are not scanned because the host fails to respond to any of Nmap’s default discovery probes [the ICMP Ping included].

To bypass host discovery and proceed with port scanning directly we can use the -Pn flag [treat host as online] as seen in Figure 1.2 below.

Nmap Host Discovery [-Pn] - Source: nudesystems.com
Figure 1.2: Default NMAP scan with host discovery disabled [-Pn]

Even if the initial Nmap scan result showed “Host is down” [Figure 1.1], by running the Nmap scan with the -Pn [no ping] flag we were able to successfully scan 1000 common ports on the machine and find the 5357 TCP port open [Figure 1.2]. 

The -Pn flag can produce a list of open ports on a system that blocks ICMP [Ping] requests. Keep in mind that with -Pn every address in the target range is port-scanned, including the ones that really are down, and each of those costs a full set of timeouts: use it on hosts you know exist or on small ranges.

NMAP Ping Scan Only

Flag: -sn

Syntax: nmap -sn [Target]

Description: Perform a Ping scan only and disable port scan for the target machine.

Nmap’s Ping Scan Only method can be useful when we want to perform a quick scan of a network for hosts that are alive without scanning their ports [Figure 1.3]. 

Nmap Host Discovery [-sn] - Source: nudesystems.com
Figure 1.3: NMAP Ping Scan Only with no root privileges.

In Figure 1.3 we ask Nmap to scan all 256 addresses of the 172.16.121.0/24 subnet, resulting in Nmap discovering two hosts that are up [172.16.121.2 and 172.16.121.129].

NOTE: Run Nmap with root privileges for additional ping functionality such as ARP to find the MAC addresses of discovered hosts as seen in Figure 1.4

Nmap Host Discovery [-sn with root] - Source: nudesystems.com
Figure 1.4: NMAP Ping Scan Only with root privileges on multiple targets.

NMAP TCP ACK Ping

Flag: -PA

Syntax: nmap -PA[Port1,Port2,Port3,etc] [Target]

Description: Perform a TCP ACK ping on a specified target. 

The Nmap TCP ACK Ping method is an alternative method used on systems that are configured to block ICMP echo requests. The TCP ACK ping scan is used to find whether or not a host is alive [Figure 1.5]. 

NOTE: ACK [acknowledge] is one of the TCP flags used in the “three-way handshake.” When a machine receives a SYN packet on an open port, it replies with a SYN-ACK packet, and the initiating device then sends back an ACK packet to establish the TCP connection. An ACK that belongs to no existing connection, which is what Nmap sends here, must be answered with a RST [reset] packet by any host that follows the TCP rules, whether the port is open or closed.

Nmap Host Discovery [-PA] - Source: nudesystems.com
Figure 1.5: NMAP Host Discovery with TCP ACK Ping flag.

Nmap uses TCP ACK Ping to get through stateless packet filters that block ICMP echo requests and incoming SYN packets but let other TCP packets through: the target answers the stray ACK with a RST, which proves it is up. Modern stateful firewalls track connections and recognise that Nmap’s ACK belongs to no existing connection, so they drop it, which is why -PA is mostly useful against older or simpler filters. When no port is given, Nmap uses port 80.

Here is what the Nmap TCP ACK Ping syntax looks like for ports 21, 22 and 80 [comma-separated, no spaces, and no space after -PA]:

nmap -PA21,22,80 [Target]

NMAP TCP SYN Ping

Flag: -PS

Syntax: nmap -PS[Port1,Port2,Port3,etc] [Target]

Description: Perform a TCP SYN ping on a specified target. 

NOTE: Nmap sends an empty SYN packet as if it wanted to open a connection. An open port answers with SYN-ACK, a closed port with RST; either reply proves the host is up. The half-open connection is reset before the handshake completes, so no application on the target ever sees a connection. When no port is given, Nmap uses port 80.

Nmap TCP SYN Ping sends SYN packets to a target host and waits for a response. Similar to the TCP ACK Ping, the TCP SYN Ping method aims to discover hosts that block ICMP requests. [Figure 1.6].

Nmap Host Discovery [-PS] - Source: nudesystems.com
Figure 1.6: NMAP Host Discovery with TCP SYN Ping flag.

Here is what the Nmap TCP SYN Ping syntax looks like for ports 21, 22 and 80 [comma-separated, no spaces, and no space after -PS]:

nmap -PS21,22,80 [Target]

NMAP UDP Ping

Flag: -PU 

Syntax: nmap -PU[Port1,Port2,Port3,etc] [Target]

Description: Perform a UDP ping on a specified target. 

The Nmap UDP Ping discovery method sends an empty UDP packet to the given ports [40125 by default, chosen because it is unlikely to be in use] and looks for a response from the target machine. A closed port answers with an ICMP port unreachable message, which proves the host is up; an open port may answer the empty packet, but most services simply ignore it. 

Like the previous Nmap TCP SYN and TCP ACK methods, UDP Ping is blocked by most modern firewalls, which drop either the probe or the ICMP port unreachable reply. However, poorly-secured systems that only filter TCP connections may still reveal themselves to a UDP ping [Figure 1.7]. 

Nmap Host Discovery [-PU] - Source: nudesystems.com
Figure 1.7: NMAP Host Discovery with UDP Ping flag.

NMAP ICMP Echo Ping

Flag: -PE 

Syntax: nmap -PE [Target]

Description: Perform an ICMP echo ping on a specified target. 

The Nmap ICMP Echo Ping sends a standard ICMP echo request [the same packet the ping command sends] to a target host and looks for an echo reply. 

Many Internet-facing hosts are configured to drop ICMP echo requests for security reasons. Therefore, the ICMP Echo Ping method is most suitable for local networks where ICMP packets usually travel between hosts with fewer restrictions [Figure 1.8].

Nmap Host Discovery [-PE] - Source: nudesystems.com
Figure 1.8: NMAP Host Discovery with ICMP Echo Ping flag.

NMAP IP Protocol Ping

Flag: -PO 

Syntax: nmap -PO[Protocol1,Protocol2,Protocol3,etc] [Target]

Description: Perform an IP protocol ping on a specified target. 

As the name implies, the Nmap IP Protocol Ping sends IP packets to a target using the protocol number(s) given on the command line, e.g. nmap -PO1,6,17 [Target] for ICMP, TCP and UDP. A reply using the same protocol, or an ICMP protocol unreachable message for a protocol the target does not speak, both prove the host is up.

When no protocols are specified, Nmap uses by default ICMP [1], IGMP [2] and IP-in-IP [4] [Figure 1.9].

Nmap Host Discovery [-PO] - Source: nudesystems.com
Figure 1.9: NMAP Host Discovery with IP Protocol Ping flag.

NOTE: A comprehensive list of IP protocol numbers can be found in the IANA Protocol Numbers registry.

NMAP ICMP Timestamp Ping

Flag: -PP 

Syntax: nmap -PP [Target]

Description: Perform an ICMP timestamp ping on a specified target. 

The Nmap ICMP Timestamp Ping sends an ICMP timestamp request [ICMP type 13] instead of an echo request. It is quite useful when discovering targets protected by firewalls that block ICMP echo requests but were never told to block the other ICMP types, as improperly secured hosts may still answer timestamp requests [Figure 1.10]. 

Nmap Host Discovery [PP] - Source: nudesystems.com
Figure 1.10: NMAP Host Discovery with ICMP Timestamp Ping flag.

NMAP ICMP Address Mask Ping

Flag: -PM 

Syntax: nmap -PM [Target]

Description: Perform an ICMP Address Mask Ping on a specified target. 

Nmap ICMP Address Mask Ping uses an ICMP address mask request [ICMP type 17] instead of an echo request to ping a specified target. Like the ICMP Timestamp Ping above, it is used to get past firewalls configured to block only standard ICMP echo requests; few modern operating systems answer address mask requests at all, so a reply usually points at an older or embedded device [Figure 1.11].

Nmap Host Discovery [-PM] - Source: nudesystems.com
Figure 1.11: NMAP Host Discovery with ICMP Address Mask Ping flag.

NMAP SCTP INIT Ping

Flag: -PY

Syntax: nmap -PY[Port1,Port2,Port3,etc] [Target]

Description: Perform an SCTP INIT Ping on a specified target. SCTP is commonly used in IP telephony and other telecom signalling.

Nmap SCTP INIT Ping sends SCTP [Stream Control Transmission Protocol] INIT chunks to the given ports [80 by default] and looks for an INIT-ACK [port open] or an ABORT [port closed] from the specified target; either reply proves the host is up [Figure 1.12]. 

Nmap Host Discovery [-PY] - Source: nudesystems.com
Figure 1.12: NMAP Host Discover with SCTP INIT Ping flag.

NMAP ARP Ping

Flag: -PR

Syntax: nmap -PR [Target]

Description: Discover hosts on the local network with ARP requests, which also reveals the MAC address of each target IP.

As mentioned at the beginning of this post, ARP is automatically used by Nmap for any scan run with root privileges against targets on the local Ethernet segment [on IPv6 networks Nmap uses ICMPv6 Neighbor Discovery for the same purpose]. 

NOTE: ARP [Address Resolution Protocol] is the protocol used to dynamically map an IP address to a MAC address on a LAN. Simply said, ARP shows you the MAC address associated with an IP.

The benefit of ARP Ping is that a host on the local network cannot ignore ARP requests without losing IP connectivity altogether, even when a host firewall drops every one of the other probes presented above. Because of that Nmap already chooses ARP on a local subnet when run as root; -PR simply makes the choice explicit, and --disable-arp-ping turns it off when you want to test the IP-layer probes against a local host instead.

The NMAP ARP Ping method is usually faster than other methods covered in this post, though only useful if scanning targets in a local subnet [directly reachable via layer 2 ethernet or wifi].

Nmap Host Discovery [-PR] - Source: nudesystems.com
Figure 1.13: NMAP Host Discovery with ARP Ping flag [multi-target].
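Putting the probe sections above together [-sn, -PS, -PA, -PU, -PE and ARP], here is an added example, not code from this article or from the Nmap project, that runs one layered ping sweep and reads Nmap’s XML output to report which probe each host answered. It assumes nmap is on the PATH and is run as root for the raw probes; the probe set in DISCOVERY_FLAGS is this example’s choice rather than Nmap’s default, and SAMPLE_XML is constructed output in Nmap’s format, not a real scan.

```python
"""Layered host discovery: run one Nmap ping sweep with several probe types
and report, per host, which probe the firewall let through.

Added example for this article, not Nmap's own code. Assumes nmap is on PATH;
the probe set in DISCOVERY_FLAGS is this example's choice, not Nmap's default."""
import ipaddress
import subprocess
import sys
import xml.etree.ElementTree as ET

# -PE ICMP echo, -PS TCP SYN to a few common ports, -PA TCP ACK to 80,
# -PU UDP to 40125 (the port Nmap itself uses when none is given).
DISCOVERY_FLAGS = ["-PE", "-PS22,80,443", "-PA80", "-PU40125"]

# Nmap's "reason" strings for discovery replies, mapped to the probe that
# triggered them. Root scans of a local subnet always show arp-response.
REASON_TO_PROBE = {
    "arp-response": "-PR ARP reply",
    "nd-response": "-PR IPv6 Neighbor Discovery reply",
    "echo-reply": "-PE ICMP echo reply",
    "timestamp-reply": "-PP ICMP timestamp reply",
    "addr-mask-reply": "-PM ICMP address mask reply",
    "syn-ack": "-PS TCP SYN/ACK (port open)",
    "reset": "-PS/-PA TCP RST",
    "conn-refused": "-PS connect refused (unprivileged scan, port closed)",
    "port-unreach": "-PU ICMP port unreachable (UDP port closed)",
    "udp-response": "-PU UDP reply from a service",
    "proto-response": "-PO IP protocol reply",
    "init-ack": "-PY SCTP INIT-ACK",
    "user-set": "-Pn assumed up, never probed",
    "no-response": "no reply to any probe",
}


def build_command(targets, flags=DISCOVERY_FLAGS, resolve_dns=False):
    """argv for a ping-only sweep (-sn) with XML on stdout; -n skips rDNS."""
    cmd = ["nmap", "-sn", *flags, "-oX", "-"]
    if not resolve_dns:
        cmd.append("-n")
    return cmd + list(targets)


def parse_sweep(xml_data):
    """Map each IPv4 target in Nmap XML to its state, reason, probe and MAC.

    Nmap normally omits hosts that are down; run it with -v to have them
    listed, otherwise a missing address just means "not reported"."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode()
    hosts = {}
    for host in ET.fromstring(xml_data).iter("host"):
        status = host.find("status")
        ipv4 = host.find("address[@addrtype='ipv4']")
        if status is None or ipv4 is None:
            continue
        mac = host.find("address[@addrtype='mac']")
        reason = status.get("reason", "")
        hosts[ipv4.get("addr")] = {
            "state": status.get("state"),
            "reason": reason,
            "probe": REASON_TO_PROBE.get(reason, reason),
            "mac": None if mac is None else mac.get("addr"),
            "vendor": None if mac is None else mac.get("vendor"),
        }
    return hosts


def up_hosts(hosts):
    """IPs reported up, in numeric order."""
    return sorted((ip for ip, h in hosts.items() if h["state"] == "up"),
                  key=ipaddress.ip_address)


def run_sweep(targets, flags=DISCOVERY_FLAGS):
    """Run nmap (root needed for the raw probes) and parse its XML output."""
    proc = subprocess.run(build_command(targets, flags), capture_output=True, check=True)
    return parse_sweep(proc.stdout)


# Constructed sample (not a real scan): one lab VM on the local segment,
# two hosts on a routed subnet, and one address that never answered.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sn -PE -PS22,80,443 -PA80 -PU40125 -oX - -n -v 172.16.121.2 10.20.30.0/24" version="7.91">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="172.16.121.2" addrtype="ipv4"/>
<address addr="00:50:56:E1:2A:3B" addrtype="mac" vendor="VMware"/></host>
<host><status state="up" reason="syn-ack" reason_ttl="128"/>
<address addr="10.20.30.5" addrtype="ipv4"/></host>
<host><status state="up" reason="port-unreach" reason_ttl="64"/>
<address addr="10.20.30.7" addrtype="ipv4"/></host>
<host><status state="down" reason="no-response" reason_ttl="0"/>
<address addr="10.20.30.9" addrtype="ipv4"/></host>
<runstats><hosts up="3" down="254" total="257"/></runstats>
</nmaprun>
"""

if __name__ == "__main__":
    # With targets on the command line the sweep really runs; without any,
    # the constructed sample is parsed so the report can be seen offline.
    results = run_sweep(sys.argv[1:]) if len(sys.argv) > 1 else parse_sweep(SAMPLE_XML)
    for ip in up_hosts(results):
        h = results[ip]
        mac = f"  {h['mac']} ({h['vendor']})" if h["mac"] else ""
        print(f"{ip:<16} up  via {h['probe']}{mac}")
```

Saved as, say, sweep.py [a hypothetical name], python3 sweep.py 10.20.30.0/24 runs the sweep, and with no arguments it parses the constructed sample. Which probe got the answer is where the firewall policy shows: a host that only ever comes back as port-unreach is filtering TCP and ICMP echo but leaking ICMP errors, and a host that is up via user-set was never probed at all, because -Pn was among the flags.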

Force Reverse DNS Resolution

Flag: -R

Syntax: nmap -R [Target]

Description: Perform a forced reverse DNS resolution to specified target IP(s).

By default Nmap only performs reverse DNS lookups for hosts it has found to be up. With -R on an IP or block of IPs, Nmap looks up the PTR record of every target address instead.

This means that even if a target seems offline or is blocking Nmap’s probes, a forced reverse DNS lookup can still expose helpful details about the machine, such as its role or owner encoded in the host name.

Take note that reverse DNS scan takes time especially when applying the -R on a multi-target scan scenario [Figure 1.14]. 

Nmap Host Discovery [-R] - Source: nudesystems.com
Figure 1.14: NMAP Host Discovery with Force Reverse DNS Resolution flag.

NMAP Disable Reverse DNS Resolution

Flag: -n

Syntax: nmap -n [Target]

Description: Disable reverse DNS lookups in order to speed up a scan [and keep the scan out of the DNS server’s query logs].

As seen in Figure 1.14 above, Nmap reverse DNS resolution can take a lot of time to complete, especially in a multi-target scan scenario. The -n flag can be used to reduce the time required to complete a single or multi-target scan [Figure 1.15].

Nmap Host Discovery [-n] - Source: nudesystems.com
Figure 1.15: NMAP Host Discovery with Disable Reverse DNS Resolution flag [multi-target].

NMAP Traceroute

Flag: --traceroute

Syntax: sudo nmap --traceroute [Target]

Description: Trace the network path to a specified target. The output is similar to that of the traceroute and tracepath commands available on Linux and UNIX operating systems.

The Nmap Traceroute option reports the number of hops to the target, the IP address of each hop and its round-trip time. Traceroute runs after the scan and uses the scan results to pick the probe [port and protocol] most likely to reach the target, which is why it often gets through where the plain traceroute command is filtered. The --traceroute option must be executed with root privileges [Figure 1.16].

Nmap Host Discovery [--traceroute] - Source: nudesystems.com
Figure 1.16: NMAP Host Discovery with Traceroute flag.

NMAP Host List Output

Flag: -sL

Syntax: nmap -sL [Target]

Description: List every target address [expanding ranges and CIDR blocks] together with its reverse DNS name, without running host discovery or a port scan.

This method is useful when looking to find the DNS names for specific targets, and as a sanity check that a target range is what you meant before scanning it. The Nmap -sL flag sends no packets to the targets at all; the only traffic it generates is the reverse DNS [PTR] queries to your resolver, which -n suppresses as well [Figure 1.17].

Nmap Host Discovery [-sL] - Source: nudesystems.com
Figure 1.17: NMAP Host Discovery with Host List Output flag [multi-target].

NMAP Alternate DNS Lookup

Flag: –system-dns

Syntax: nmap –system-dns [Target]

Description: The --system-dns flag tells Nmap to use the scanning system’s own resolver [the same one ping or ssh would use, one lookup at a time] instead of Nmap’s parallel resolver, which normally queries the configured name servers directly. This is slower and rarely needed. The system resolver is always used for IPv6 scans.

Though rarely used, the Nmap Alternate DNS Lookup method can provide valuable details, particularly when troubleshooting DNS problems in a network [Figure 1.18]. 

Nmap Host Discovery [--system-dns] - Source: nudesystems.com
Figure 1.18: NMAP Host Discovery with Alternate DNS Lookup flag.

NMAP Manual DNS Servers

Flag: –dns-servers

Syntax: nmap –dns-servers [Server1,Server2,Server3,etc] [Target]

Description: The --dns-servers flag tells Nmap which DNS servers to query for reverse name resolution during a scan. This method does not work on IPv6 scans.

By default, Nmap reads the name servers configured on the scanning machine [resolv.conf on UNIX, the registry on Windows] and queries them directly for reverse lookups. With the --dns-servers flag we tell Nmap explicitly which servers should be queried instead [Figure 1.19]. 

NOTE: The queries still land in the logs of whichever server you name here, so this only keeps them out of your default resolver’s logs [e.g. the corporate DNS server]. It is also handy when the target network runs its own DNS server holding PTR records that your resolver does not know about, or when the scanning machine has no working resolver configured. 

Nmap Host Discovery [--dns-servers] - Source: nudesystems.com
Figure 1.19: NMAP Host Discovery with Manually Specified DNS Server flag.

Congratulations on reaching the end of this guide! Take some time to read and practice the above Nmap discovery flags in your setup. If you don’t have one, you can practice your Nmap host discovery scans using the scanme.nmap.org domain.

Ready to dive deeper into Nmap? Have a look at the 11 Most Used NMAP Commands For Advanced Scanning. See you there!

Leonard Cucos

Leonard Cucos is an engineer with over 20 years of IT/Telco experience managing large UNIX/Linux-based server infrastructures, IP and Optics core networks, Information Security [red/blue], Data Science, and FinTech.
