Nmap – Host Discovery

Host Discovery

The following options control host discovery:

  • -sL (List Scan)
  • -sn (No port scan)
  • -Pn (No ping)
  • -PS (TCP SYN Ping)
  • -PA (TCP ACK Ping)
  • -PU (UDP Ping)
  • -PY (SCTP INIT Ping)
  • -PE; -PP; -PM (ICMP Ping Types)
  • -PO (IP Protocol Ping)

Default Combination

If no host discovery options are given, Nmap sends:

  • an ICMP echo request,
  • a TCP SYN packet to port 443,
  • a TCP ACK packet to port 80, and
  • an ICMP timestamp request.
  • These defaults are equivalent to the -PE -PS443 -PA80 -PP options.

(For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.)


-sn (No port scan)

This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”.

The default host discovery done with -sn consists of:

  • an ICMP Echo Request,
  • TCP SYN to port 443,
  • TCP ACK to port 80, and
  • an ICMP Timestamp Request

When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target.

When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless –send-ip was specified.

					# nmap -sn

-Pn (No ping)

  • Assume all hosts are UP, scan every single IP.
  • Another frequent reason given for using -Pn is that the tester has a list of machines that are already known to be up. So the user sees no point in wasting time with the host discovery stage.

This option skips the host discovery stage altogether. Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified.

For machines on a local ethernet network, ARP scanning will still be performed (unless –disable-arp-ping or –send-ip is specified) because Nmap needs MAC addresses to further scan target hosts.

					# nmap -Pn


-PS<port list> (TCP SYN Ping)

  • Default port 80
  • Alternate port can be specified as a parameter (e.g. -PS22-25,80,113,1050,35000)
  • OPEN port, the target responds with a SYN/ACK packet indicating that a connection can be established. Afterwards, Nmap tears down the connection by responding with a RST packet.
  • CLOSED port, the target responds with a RST packet.
  • Nmap does not care whether the port is OPEN or CLOSED. Either the RST or SYN/ACK response discussed previously tell Nmap that the host is available and responsive.

Note: During a TCP SYN ping scan, Nmap uses the SYN/ACK and RST responses to determine if the host is responding. It is important to note that there are firewalls configured to drop RST packets. In this case, the TCP SYN ping scan will fail unless we specify an OPEN port.

					# nmap -sn -PS scanme.nmap.org
# nmap -sn -PS22-25 scanme.nmap.org

-PA<port list> (TCP ACK Ping)

  • Default port 80.
  • Online host, target should respond with a RST packet.
  • Offline host, no response from target.

The TCP ACK ping is quite similar to the SYN ping. The difference, as you could likely guess, is that the TCP ACK flag is set instead of the SYN flag. Such an ACK packet purports to be acknowledging data over an established TCP connection, but no such connection exists. So remote hosts should always respond with a RST packet, disclosing their existence in the process.

The reason for offering both SYN and ACK ping probes is to maximize the chances of bypassing firewalls.

					# nmap -sn -PA scanme.nmap.org
# nmap -sn -PA22-25 scanme.nmap.org

-PU<port list> (UDP Ping)

  • Default port 40,125.
    • A highly uncommon port is used by default because sending to OPEN ports is often undesirable for this particular scan type.
  • Upon hitting a CLOSED port on the target machine, the UDP probe should elicit an ICMP port unreachable packet in return.
    • This signifies to Nmap that the machine is up and available.
  • Many other types of ICMP errors, such as host/network unreachables or TTL exceeded are indicative of a down or unreachable host. A lack of response is also interpreted this way.
  • If an OPEN port is reached, most services simply ignore the empty packet and fail to return any response. This is why the default probe port is 40,125, which is highly unlikely to be in use.

The primary advantage of this scan type is that it bypasses firewalls and filters that only screen TCP.

					# nmap -sn -PU scanme.nmap.org

-PE, -PP, -PM (ICMP Ping Types)

  • -PE (ICMP Echo Request), expecting a type 0 (echo reply) in return from available hosts.
    • Many hosts and firewalls now block these packets, rather than responding. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet.
  • -PP and -PM (timestamp request and address mask request), a timestamp reply (ICMP code 14) or address mask reply (code 18) discloses that the host is available.
					# nmap -sn -PE -PP -PM scanme.nmap.org

-PR (ARP Scan)

ARP is the default scan type when scanning ethernet hosts that Nmap detects are on a local ethernet network. This includes traditional wired ethernet as well as 802.11 wireless networks.

Even if different ping types (such as -PE or -PS) are specified, Nmap uses ARP instead for any of the targets which are on the same LAN. If you absolutely don’t want to do an ARP scan, specify –send-ip.


Best host discovery probe combinations

Probes Hosts Found Probe Combination
1 probe 62.47% -PE
2 probes 77.61% -PE -PA80
3 probes 83.83% -PE -PA80 -PS443
4 probes 88.64% -PE -PA80 -PS443 -PP
5 probes 91.12% -PE -PA80 -PS443 -PP -PU40125 --source-port 53
6 probes 92.42% -PE -PS80 -PS443 -PP -PU40125 -PA3389 --source-port 53
7 probes 93.10% -PE -PS80 -PS443 -PP -PU40125 -PS3389 -PA21 --source-port 53
8 probes 93.69% -PE -PS80 -PS443 -PP -PU40125 -PS3389 -PA21 -PU161 --source-port 53

TCP probe and port selection

The TCP ping options are some of the most powerful discovery techniques in Nmap. An administrator may be able to get away with blocking ICMP echo request packets without affecting most users, but a server absolutely must respond to SYN packets sent to the public services it provides. Meanwhile, ACK packets often get through non-stateful firewalls. I would recommend using both of SYN and ACK probes, using lists of ports based on any knowledge you might have of the target networks as well as more generally popular ports.

Most valuable TCP probe ports:

  • 80/http
  • 443/https
  • 21/ftp
  • 23/telnet
  • 25/smtp
  • 53/domain
  • 22/ssh
  • 110/pop3

UDP port selection

In selecting UDP ports, remember that an open port is unlikely to respond to the probes. Unfiltered ports are desired. To avoid open ports, you might consider excluding common UDP services like DNS (port 53) and SNMP (161). I would recommend choosing at least port 53 and an arbitrarily selected high-numbered port such as 37,452.


Scanning the 50,000 addresses took just over 42 minutes, and 3,927 hosts were detected.

					/* Generating 50K IPs */
# nmap -n -sL -iR 50000 | awk '/^Host / {print $2}' | sort -n > 50K_IPs

/* Ping scanning */
# nmap -n -sn -T4 -iL 50K_IPs -oA 50KHosts_DefaultPing

To determine the effects of using a wider range of ping techniques, the same 50K hosts were rescanned with 14 probes per port rather than the default of four. Nmap was able to detect 785 (20%) more hosts. It took about 147 minutes, which is almost 3.5 times as long.

					# nmap -n -sn -PE -PP -PS21,22,23,25,80,113,443,31339 -PA80,113,443,10042 \
  -T4 --source-port 53 -iL 50K_IPs -oA 50KHosts_ExtendedPing

Leave a Reply

Related Post