Nmap Host Discovery – POFTUT

Nmap Host Discovery


Before starting any port, script or version scan, hosts must be discovered. Only the hosts found to be up are then scanned for ports, services or versions.

List Scan

A list scan does not send any packet to the targets; it only lists the targets and shows their DNS names by reverse-resolving them.

$ nmap -sL
  • We use the -sL flag followed by the IP address of the host or network.
Nmap scan report for sof02s18-in-f5.1e100.net ( 
Nmap done: 1 IP address (0 hosts up) scanned in 0.02 seconds
  • We see that the DNS name of the host is sof02s18-in-f5.1e100.net. As we did not send any packet to the target, it is reported as down (0 hosts up).

No Port Scan / Ping Scan

We can simply use a ping scan to check which targets are up. This option only sends discovery probes and does not scan any ports. For a privileged user it consists of:

  • ICMP Echo request
  • TCP SYN to port 443
  • TCP ACK to port 80
  • ICMP Timestamp request
$ nmap -sn
  • We provide only the -sn option to make a ping scan.
Starting Nmap 7.12 ( https://nmap.org ) at 2016-10-26 13:41 +03 
Nmap scan report for sof02s18-in-f5.1e100.net ( 
Host is up (0.21s latency). 
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
  • We see from the output that our target is up.
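The point of the ping scan is that only the hosts it reports as up should be fed into the later port scan. The following POSIX shell script is an added example (not from the POFTUT page or the Nmap project) of that two-stage workflow: it parses Nmap's greppable output (-oG) to collect the hosts marked "Status: Up" and hands only those to the port scan with -iL. The sample output it ships with is constructed, not a real scan, and the 192.0.2.0/29 range and the port list 22,80,443 are placeholders.

```shell
#!/bin/sh
# Added example: discover first, port-scan only what was discovered.
set -eu

# up_hosts: read greppable nmap output (-oG) on stdin, print the IP of every
# host whose status is Up. Field 2 of a "Host:" line is the IP address.
up_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Constructed sample of "nmap -sn -oG -" output (not a real scan). The Down
# line is included so the filter is exercised; a plain -sn run omits down
# hosts from -oG output unless -v is given.
SAMPLE_OG='# Nmap 7.12 scan initiated Wed Oct 26 13:41:00 2016 as: nmap -sn -oG - 192.0.2.0/29
Host: 192.0.2.1 (gw.example.net)  Status: Up
Host: 192.0.2.2 ()  Status: Down
Host: 192.0.2.3 ()  Status: Up
# Nmap done at Wed Oct 26 13:41:02 2016 -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds'

# sample_up_hosts: run the filter over the constructed sample and return the
# up hosts as one space-separated line.
sample_up_hosts() {
  printf '%s\n' "$SAMPLE_OG" | up_hosts | tr '\n' ' ' | sed 's/ $//'
}

# Real two-stage run, only when nmap is installed and a target was given.
if [ "$#" -gt 0 ] && command -v nmap >/dev/null 2>&1; then
  target=$1
  hostlist=$(mktemp)
  # Stage 1: ping scan, keep only hosts that answered.
  nmap -sn -oG - "$target" | up_hosts > "$hostlist"
  echo "Up hosts:"
  cat "$hostlist"
  # Stage 2: port scan those hosts only. -Pn skips discovery, already done above.
  nmap -Pn -iL "$hostlist" -p 22,80,443
  rm -f "$hostlist"
else
  echo "Sample up hosts: $(sample_up_hosts)"
fi
```

Run it as `sh discover.sh 192.0.2.0/29` to scan a real range; without an argument it only shows the filter working on the embedded sample.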

No Ping/Skip Discovery

Nmap also has the ability to skip the discovery stage completely, for when we already know the target hosts are up, or when we want a full scan of every target whether it is up or down.

$ nmap -Pn
  • We provide the -Pn option to skip the ping scan.

TCP SYN Ping

This option sends an empty SYN packet to tcp/80. An alternate port can be appended to the option, e.g. -PS22.

$ nmap -PS
  • Send an empty TCP SYN packet to the target with the -PS option.

TCP ACK Ping

This is similar to the TCP SYN Ping, but an ACK is sent to tcp/80. As there is no active connection, the target sends a RST back, which tells us the host is up.

$ nmap -PA
  • -PA sends TCP packets with the ACK flag set.

UDP Ping

As you might guess, this is the UDP version of the TCP SYN Ping. If no port is specified, the default port is 40125.

$ nmap -PU
  • -PU enables UDP-based discovery.

ICMP Ping

ICMP is a very useful protocol for pen-testing. Here are some of the ICMP discovery techniques.

$ nmap -PE
  • Send an ICMP echo request to the target with -PE. The ICMP timestamp request is sent with -PP, and the ICMP address mask request with -PM.

IP Protocol Ping

This is a newer discovery technique. Nmap simply sends packets with different IP protocol numbers to the target. The default protocols are ICMP, IGMP and IP-in-IP.

$ nmap -PO
  • Send the protocol probes with -PO (the letter O, not zero; -P0 was an old alias for -Pn).

ARP Ping

ARP ping is a very stable and useful technique. It simply sends ARP requests on the directly connected LAN; there is no IP or upper-layer packet involved. Detecting this type of discovery is hard compared to the other discovery techniques. For IPv6 the same is done with Neighbor Discovery.

$ nmap -PR
  • Send ARP pings with -PR.
$ nmap --disable-arp-ping
  • To disable ARP ping use --disable-arp-ping.
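The text notes that ARP discovery is hard to spot. It is not invisible on the wire, though: a sweep of the LAN shows up as one sender asking "who-has" for many different addresses in a short time. The following POSIX shell/awk filter is an added example (not from the POFTUT page or the Nmap project) of how a defender could flag that in tcpdump output. The capture lines are constructed for the example, and the threshold of 10 distinct targets per sender is an assumption to tune for your network.

```shell
#!/bin/sh
# Added example: flag ARP sweep candidates in tcpdump ARP output.
set -eu

# arp_sweep_sources: read tcpdump lines on stdin and print "sender count" for
# every sender that sent who-has requests for more than $1 distinct targets
# (default 10). Repeated requests for the same target are counted once.
# Expected line shape (tcpdump -n arp):
#   13:41:02.000000 ARP, Request who-has 192.168.1.5 tell 192.168.1.10, length 28
arp_sweep_sources() {
  threshold=${1:-10}
  awk -v t="$threshold" '
    /ARP, Request who-has/ {
      target = $5              # address being asked for
      sender = $7              # "tell" address, with a trailing comma
      sub(/,$/, "", sender)
      if (!((sender, target) in seen)) {
        seen[sender, target] = 1
        n[sender]++
      }
    }
    END { for (s in n) if (n[s] > t) print s, n[s] }'
}

# sample_capture: constructed tcpdump output (not a real capture). Host
# 192.168.1.10 asks for twelve different addresses, 192.168.1.20 asks for one
# address twice, and a reply line is included to show it is ignored.
sample_capture() {
  i=1
  while [ "$i" -le 12 ]; do
    printf '13:41:%02d.000000 ARP, Request who-has 192.168.1.%d tell 192.168.1.10, length 28\n' "$i" "$i"
    i=$((i + 1))
  done
  printf '13:41:20.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28\n'
  printf '13:41:21.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28\n'
  printf '13:41:22.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28\n'
}

# sample_sweepers: run the filter over the constructed capture.
sample_sweepers() {
  sample_capture | arp_sweep_sources "${1:-10}"
}

echo "Suspected ARP sweep sources (sender count): $(sample_sweepers)"
```

Because the counting happens at end of input, feed it a finished capture rather than a live stream, for example `tcpdump -nr lan.pcap arp | arp_sweep_sources 10`.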


Traceroute

Normally the path to the target is found during host discovery with TTL magic. To get a traceroute from the scan we can use the --traceroute option.

$ nmap --traceroute

No DNS Resolution

DNS resolution is done by default. It can be disabled with the -n option.

$ nmap -n
  • -n will disable DNS resolution.

DNS Resolution For All Targets

Normally DNS resolution is done only for the targets that are up. If we want DNS resolution for all targets, even down hosts, we use -R.

$ nmap -R
  • Resolve the DNS names of all targets with -R.

Specify DNS Servers

If we do not want to use our host's own name resolution, we can set different DNS servers for the scan.

$ nmap --dns-servers <server1>,<server2>
  • Set the DNS servers to use, tried in the order given, with --dns-servers (comma-separated list).

