Before starting any port, script or version scan, hosts have to be discovered: only discovered hosts go on to be port, service or version scanned.
List Scan
A list scan does not send any packets to the targets; it only shows the DNS names of the targets by resolving them.
$ nmap -sL 18.104.22.168
- We use the -sL flag followed by the IP address of the host or network.
Nmap scan report for sof02s18-in-f5.1e100.net (22.214.171.124)
Nmap done: 1 IP address (0 hosts up) scanned in 0.02 seconds
- We get that the DNS name of the host is sof02s18-in-f5.1e100.net. Since no packet was sent to the target, it is reported as down.
No Port Scan / Ping Scan
We can simply use a ping scan to discover our targets. This option only sends the discovery probes listed below and does not scan any ports. The operation consists of:
- ICMP echo request
- TCP SYN to port 443
- TCP ACK to port 80
- ICMP timestamp request
$ nmap -sn 126.96.36.199
- We provide only the -sn option to run a ping scan.
Starting Nmap 7.12 ( https://nmap.org ) at 2016-10-26 13:41 +03
Nmap scan report for sof02s18-in-f5.1e100.net (188.8.131.52)
Host is up (0.21s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
- We see from the output that our target is up.
No Ping / Skip Discovery
Nmap has the ability to skip the discovery stage completely. Use this when we know the target hosts are up, or when we want a full scan regardless of whether they are up or down.
$ nmap -Pn 184.108.40.206
- We provide the -Pn option to skip the ping scan.
TCP SYN Ping
This option sends empty SYN packets to tcp/80. Alternate ports can be specified by appending them to the option, e.g. -PS22.
$ nmap -PS 220.127.116.11
- Send an empty TCP SYN packet to the target with the -PS option.
TCP ACK Ping
This is similar to the TCP SYN ping, but an ACK is sent to tcp/80. As there is no active connection, the target sends an RST back, which tells us the host is up.
$ nmap -PA 18.104.22.168
- -PA sends TCP packets with the ACK flag set.
UDP Ping
As you would guess, this is the UDP version of the TCP SYN ping. If no port is specified, the default port is 40125.
$ nmap -PU 22.214.171.124
- -PU enables UDP based discovery.
ICMP Ping
ICMP is a very useful protocol for pen-testing. Here are some of the ICMP discovery techniques.
$ nmap -PE 126.96.36.199
- Send an ICMP timestamp packet to the target with -PE.
IP Protocol Ping
This is a newer discovery technique. Nmap simply sends packets with different network layer protocol numbers to the target. The default protocols are ICMP, IGMP and IP-in-IP.
$ nmap -PO 188.8.131.52
- Send the protocol probes with -PO (the letter O, not zero).
ARP Ping
ARP ping is a very stable and useful technique. It simply sends ARP requests on the connected LAN; no IP or upper layer packets are involved. Detecting this type of discovery is very hard compared to the other discovery techniques. IPv6 is supported through Neighbor Discovery.
$ nmap -PR 10.0.0.24
- Send ARP pings with -PR.
$ nmap --disable-arp-ping 184.108.40.206
- To disable ARP ping use --disable-arp-ping.
Traceroute
Normally during host discovery the path to the target is found with TTL tricks. To get a traceroute we can use the --traceroute option.
$ nmap --traceroute 10.0.0.24
No DNS Resolution
DNS resolution is done by default. It can be disabled with the -n option.
$ nmap -n 10.0.0.24
- -n disables DNS resolution.
DNS Resolution For All Targets
Normally DNS resolution is only done for the targets that are up. If we want DNS resolution for all targets, even down hosts, use -R.
$ nmap -R 10.0.0.24
- Resolve the DNS names of all targets with -R.
Specify DNS Servers
If we do not want to use our host's name resolution, we can set different DNS servers for the scan.
$ nmap --dns-servers 220.127.116.11,18.104.22.168 10.0.0.24
- Set the DNS servers, used in the order given, with --dns-servers.
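The "Nmap scan report" / "Host is up" / "Nmap done" lines shown in the list-scan and ping-scan output above are what you end up feeding into an asset inventory. The parser below, an added example that is not part of this tutorial, turns that normal-format output into host records (IP, DNS name, up/down, latency, and the MAC address line an ARP ping adds on a LAN) and cross-checks the count against nmap's own summary line; the sample output is constructed, not captured from a real scan.

```python
import re

# Added example (not from the tutorial). Constructed nmap "normal" output for a
# discovery scan: a named host, a LAN host with an ARP-ping MAC line, and a
# down host (printed when nmap runs with -v or -R).
SAMPLE_OUTPUT = """\
Nmap scan report for sof02s18-in-f5.1e100.net (188.8.131.52)
Host is up (0.21s latency).
Nmap scan report for 10.0.0.24
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for printer.lan (10.0.0.25) [host down]
Nmap done: 3 IP addresses (2 hosts up) scanned in 0.25 seconds
"""

# "Nmap scan report for NAME (IP)" or "... for IP", optionally "[host down]".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?P<first>\S+)(?: \((?P<ip>[^)]+)\))?( \[host down\])?$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[0-9.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17})")
DONE_RE = re.compile(r"^Nmap done: (?P<n>\d+) IP address(?:es)? \((?P<up>\d+) hosts? up\)")


def parse_discovery(text):
    """One dict per 'Nmap scan report' block, in output order. Hosts from an
    -sL list scan stay up=False because a list scan never probes them."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := REPORT_RE.match(line):
            name, ip = (m["first"], m["ip"]) if m["ip"] else (None, m["first"])
            cur = {"ip": ip, "name": name, "up": False, "latency": None, "mac": None}
            hosts.append(cur)
        elif (m := UP_RE.match(line)) and cur:
            cur["up"] = True
            cur["latency"] = float(m["lat"]) if m["lat"] else None
        elif (m := MAC_RE.match(line)) and cur:
            cur["mac"] = m["mac"].lower()
    return hosts


def parse_summary(text):
    """(addresses scanned, hosts up) from the 'Nmap done:' line, or None."""
    for line in text.splitlines():
        if m := DONE_RE.match(line):
            return int(m["n"]), int(m["up"])
    return None


def up_hosts(hosts):
    """Only the hosts nmap saw respond; with -Pn every target is listed as up."""
    return [h for h in hosts if h["up"]]
```

Pipe a real run into it with `nmap -sn -R <targets> | python3 -c 'import sys, parser; ...'` or read the file saved with `-oN`; a mismatch between `len(up_hosts(...))` and `parse_summary(...)[1]` means a line shape the parser does not know.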