Exploring Host Discovery: Techniques and Options for Network Scanning with Nmap
Hello Hackers,
I am Surya, a really passionate cybersecurity researcher. I love hacking into machines and sharing what I have learned. I originally set out to create a comprehensive guide to Nmap, but I realized that the scope of Nmap is so extensive that it can’t be covered in a single blog post. So, instead of trying to cram everything into one article, I’m going to break down the key aspects of Nmap into a series of detailed blogs.
This first blog focuses on advanced host discovery using Nmap, providing a deep dive into the techniques that will help you effectively identify devices on a network.
Host Discovery
One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning every port of every single IP address is slow and usually unnecessary.
In this step, we scan through a list of 255 possible IP addresses and narrow it down to only those that are currently active or ‘alive.’ This allows you to focus on the relevant devices without having to work through every possible address.
How does Nmap determine which hosts are active on a given network?
By default, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. For the ICMP echo request, if the target host returns an ICMP echo reply, Nmap identifies that host as active/alive. Similarly, for the TCP SYN packet, if the host replies with a SYN-ACK, Nmap considers it alive.
By default, Nmap does host discovery and then performs a port scan against each host it determines is online.
The following options control host discovery:
`-sL` : List Scan
The `-sL` option in Nmap is known as the "List Scan." This scan type does not actually check if hosts are alive or active. Instead, it simply lists all the IP addresses within the specified range.
For example, if you specify 10.10.10.0/24, it will return a list of IP addresses from 10.10.10.0 to 10.10.10.255. Although it doesn't perform host discovery, it does conduct reverse DNS resolution for the specified range, providing additional information like hostname mappings where available. This option is particularly useful when you want to get a comprehensive list of all possible IP addresses within a given range without actively probing or scanning them.
nmap -sL 192.168.29.0/24 | grep -oP '\d{1,3}(\.\d{1,3}){3}' > IPs.txt
I will not go deep into the `grep` command here, but I will make a separate blog on that as well.
So the first nmap command gives the corresponding hostname/DNS record and the possible IPs in that range; the grep command then filters that result down to the list of IPs only and saves that list in the IPs.txt file.
The final output will be empty because the above command saves the result in IPs.txt.
If you want to save the list of IPs to a file and also show them in the output, you can use the command below.
nmap -sL 192.168.29.0/24 | grep -oP '\d{1,3}(\.\d{1,3}){3}' | tee IPs.txt
`-sn` : No Port Scan
By default, Nmap performs a port scan after host discovery, but when you specify this option Nmap does not perform the port scan. It returns the list of active hosts on the network along with their DNS records. It is also called a “ping scan”. It is more intrusive than the List Scan, but it still allows light reconnaissance of a target network without attracting much attention.
nmap -sn 192.168.29.0/24 | grep -oP '\d{1,3}(\.\d{1,3}){3}' | tee activehosts.txt
The above command returns the active hosts on the network and saves them in the activehosts.txt file.
`-Pn` : No Ping
The `-Pn` option in Nmap is used to disable host discovery, assuming that all hosts are alive. By default, Nmap performs host discovery (like "ping" scans) to determine if a host is active before proceeding with additional scans, such as port scanning. With `-Pn`, Nmap skips this initial step and directly scans the specified target or targets, assuming they are all reachable.
It can save time if you already know that the hosts are alive and want to skip the host discovery step. If a target network blocks ICMP (like ping) or other types of host discovery, `-Pn` allows you to proceed with scanning without waiting for a host discovery response. Since `-Pn` skips host discovery, Nmap will scan all specified targets, which could lead to longer scan times if many targets are offline or non-responsive.
It is better used with known active hosts.
nmap 192.168.29.1 -Pn -oN initialscan
The above command skips host discovery, which saves a little time because only one IP is scanned. If more IPs that were known to be active had been specified, it could save a lot more time, because it skips the host discovery part, runs the default scans directly, and saves the result in the initialscan file.
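The `-sn` sweep and the `-Pn` scan above are two halves of one workflow: discover once, then scan only what answered. The script below is an added example, not from the original post, that joins them by parsing Nmap's greppable output (`-oG`, a real Nmap option) for `Status: Up` records instead of regexing stdout, which keeps hostname digits and the "Nmap done" summary line out of the host list; it then prints the follow-up `-Pn` command, feeding the hosts back in with Nmap's `-iL` option. The sweep file it reads is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the original post). A real file is produced by:
#   nmap -sn 192.168.29.0/24 -oG sweep.gnmap
# Greppable records look like:  Host: 192.168.29.1 (router.lan)  Status: Up
# (Nmap separates the fields with tabs; awk's default splitting handles both.)

# Constructed sample of a -sn sweep saved with -oG.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sn 192.168.29.0/24 -oG sweep.gnmap
Host: 192.168.29.1 (router.lan)  Status: Up
Host: 192.168.29.10 ()  Status: Up
Host: 192.168.29.11 ()  Status: Down
Host: 192.168.29.42 (printer.lan)  Status: Up
# Nmap done at ... -- 256 IP addresses (3 hosts up) scanned in 2.10 seconds'

# live_hosts FILE: print one IP per line for every "Status: Up" record.
# Only lines whose first field is "Host:" are considered, so the comment
# lines and any digits inside hostnames never leak into the list.
live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$1"
}

# count_live FILE: number of hosts the sweep marked Up.
count_live() {
    live_hosts "$1" | wc -l | tr -d ' '
}

# followup_cmd LISTFILE OUTFILE: the scan to run next. The hosts are already
# known to be up, so -Pn skips a second round of discovery, and -iL reads
# the list from the sweep rather than rescanning the whole /24.
followup_cmd() {
    printf 'nmap -Pn -iL %s -oN %s\n' "$1" "$2"
}

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" > sweep.gnmap
live_hosts sweep.gnmap > activehosts.txt
echo "live hosts found: $(count_live sweep.gnmap)"
followup_cmd activehosts.txt initialscan
```

With the sample above, activehosts.txt contains the three Up addresses and the printed follow-up is `nmap -Pn -iL activehosts.txt -oN initialscan`.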
`-PS<port list>` : TCP SYN Ping
The `-PS` option in Nmap is used to perform a "TCP SYN Ping," a method of host discovery that sends TCP SYN packets to specified ports to check if hosts are active. Nmap sends a TCP SYN packet to a specified port or a range of ports. If the target host is listening on any of those ports, it usually responds with a TCP SYN-ACK, indicating that the host is alive.
You can specify which ports to send SYN packets to. If no ports are specified, Nmap uses common ports like 80 (HTTP) and 443 (HTTPS) by default. Mostly `-PS` is used when ICMP is blocked or filtered. It allows you to specify which ports to use for host discovery, making it flexible for various network environments.
nmap 192.168.29.1/24 -PS80,443 -oA SYSPingResult
The above command conducts a TCP SYN ping on ports 80 and 443 against every host in the network, reports those that respond, and saves the result in SYSPingResult.
`-PA<port list>` : TCP ACK Ping
The TCP ACK ping is quite similar to the just-discussed SYN ping. The difference, as you could likely guess, is that the TCP ACK flag is set instead of the SYN flag. The reason for offering both SYN and ACK ping probes is to maximize the chances of bypassing firewalls.
Many administrators configure routers and other simple firewalls to block incoming SYN packets except for those destined for public services like the company web site or mail server.
nmap 192.168.1.0/24 -PA80,443 -oN ACKPingResult
The above command conducts a TCP ACK ping on ports 80 and 443 against every host in the network, reports those that respond, and saves the result in ACKPingResult.
`-PU<port list>` : UDP Ping
This type of host discovery sends UDP packets to specified ports to check if hosts are active on a network. Unlike TCP-based discovery, which relies on connection-oriented responses, UDP-based discovery can be useful when traditional TCP-based methods are blocked or when you want to detect hosts running UDP-based services.
Nmap sends UDP packets to specified ports to determine if a host is active. If the host responds with an ICMP “port unreachable” message, it typically indicates that the host is alive but the port is closed. If a host is alive, it usually responds to a UDP ping with some form of ICMP error or, in some cases, with a UDP-based response from the service running on that port.
This can be useful in networks where UDP-based services are prevalent, such as DNS, SNMP, or DHCP.
nmap -PU53,123 192.168.1.0/24 -oN UDPPingResult
This command checks for responses to determine which hosts in the specified subnet are active and saves the result in UDPPingResult.
`-PY` : SCTP INIT Ping
The `-PY` option in Nmap is used for "SCTP INIT Ping," a type of host discovery that sends SCTP INIT packets to specified ports to check if hosts are active. SCTP (Stream Control Transmission Protocol) is a transport layer protocol similar to TCP but with unique features, often used in telecommunications and signaling systems.
Nmap sends SCTP INIT packets to specified ports. These packets initiate an SCTP connection and are designed to establish a handshake similar to TCP SYN packets. You can define which ports to send SCTP INIT packets to. If no specific ports are provided, Nmap uses a default set of SCTP ports. If the target host is alive and responds to SCTP INIT with an SCTP INIT-ACK, Nmap marks the host as active.
SCTP is less commonly used than TCP and UDP, but it’s prevalent in certain industries like telecommunications. Using `-PY` can help identify hosts that might be running SCTP-based services.
nmap -PY7,5000 192.168.1.0/24 -oN SCTPPingResult
This command sends SCTP INIT packets to ports 7 and 5000 on each host in the 192.168.1.0/24 subnet, checks for SCTP-based responses to determine which hosts are active, and saves the result in the SCTPPingResult file.
`-PE`; `-PP`; `-PM` : ICMP Ping Types
The `-PE` option sends ICMP Echo Requests, similar to the common "ping" command. This is a straightforward method to check if a host is alive. If the target host replies with an ICMP Echo Reply, Nmap marks the host as active.
nmap -PE 192.168.1.0/24 -oN AliveHost
The `-PP` option sends ICMP Timestamp Requests, which ask the target for its current timestamp. This is another way to determine if a host is alive without relying solely on ICMP Echo Requests.
nmap -PP 192.168.1.0/24 -oN TimeStampHostResult
The `-PM` option sends ICMP Address Mask Requests, which request the subnet mask from the target host. Although this method can also indicate if a host is alive, it's less commonly used for host discovery in modern networks.
nmap -PM 192.168.1.0/24 -oN MaskRequestAliveHostResult
`--disable-arp-ping` : No ARP or ND Ping
The `--disable-arp-ping` option in Nmap disables ARP (Address Resolution Protocol) pings during host discovery. ARP is used in local networks to map IP addresses to MAC addresses, and ARP pinging is a common method Nmap uses to determine if a host on a local network is active.
Nmap normally does ARP or IPv6 Neighbor Discovery (ND) discovery of locally connected ethernet hosts, even if other host discovery options such as `-Pn` or `-PE` are used. In local networks, ARP pings are often the most reliable way to detect active hosts because ARP packets are typically not filtered by firewalls.
If you prefer using other methods like TCP SYN, ICMP Echo Requests, or UDP pings, you can use `--disable-arp-ping` to skip ARP-based discovery.
`--traceroute` : Trace path to host
When this option is used, the output contains a table that maps the path between the source and the destination, built by sending packets with incrementally increasing Time to Live (TTL) values. Each TTL increment represents an additional network hop.
Traceroute is mostly used to identify network bottlenecks, routing issues, or potential security blocks along the path; to visualize the structure of a network and understand the routing from one point to another; and to identify potential firewall or security device locations based on response behaviors.
nmap --traceroute 192.168.1.1 -oN withRoutesResult
This command initiates a traceroute to the specified IP address (192.168.1.1), provides a detailed view of the network path, including the intermediate routers and the number of hops, and saves the result in the withRoutesResult file.