Are you looking for a thorough understanding of Nmap host discovery? Nmap is a powerful tool that scans and analyzes your network. Developed with versatility and flexibility, Nmap can perform various scans, including host discovery.
We will explain Nmap and what it is. We will dive deep into host discovery and show you eight commands you can reference anytime you need them.
Learning how to use Nmap for host discovery is an important skill. Discovering hosts in various penetration testing certifications or engagements is usually the first step before you can move forward in the attack chain. This can also benefit other areas of cyber security, such as intrusion detection or incident response.
What Is Nmap?
If you are an ethical hacker or penetration tester, Nmap is one of your most important tools. Nmap is often called the Swiss army knife of networking tools due to its extensive suite of functionalities that can be applied to various network and system security aspects.
Gordon "Fyodor" Lyon created this free and open-source tool in 1997, and security professionals and ethical hackers worldwide still widely use it today.
In a nutshell, Nmap uses raw IP packets to discover hosts, open ports, running services with their versions, and even the operating system on a network. It accomplishes this by sending specially crafted packets to the target host(s) and then analyzing the responses.
What Is Host Discovery?
Nmap's "host discovery" lets you discover what devices are connected to a network. This is an important first step when attacking a network or during security testing because it lets you see what's on the network and determine which devices are live.
Nmap discovers hosts using techniques such as ICMP (Internet Control Message Protocol) echo requests (ping) and TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) packets sent to multiple ports. The host's response, or the absence of one, determines its state. Nmap's host discovery techniques can bypass certain firewalls and intrusion detection systems.
What Is TCP?
TCP, also known as the transmission control protocol, is a connection-oriented protocol most devices use. It is considered reliable and ensures that all data sent will be received. A TCP connection uses a three-way handshake consisting of the SYN (synchronize), SYN-ACK (synchronize-acknowledge), and ACK (acknowledge) flags.
In simple terms, between a client and a server, it works as follows: the client sends a SYN flag to the server saying, “I want to connect to you”; the server responds with a SYN-ACK flag saying, “I heard you say that you want to connect to me. Is that correct?”; and finally, the client responds with an ACK flag saying, “Yes, please make the connection.” A connection is then established between the client and the server.
What Is UDP?
UDP, also known as the user datagram protocol, is a connectionless protocol and is considered unreliable as there is no error checking or data recovery, but it is incredibly fast. UDP is often used for streaming media, Voice over IP (VoIP), and Domain Name System (DNS) lookups. It is a good choice when speed is the priority over data delivery.
In a typical interaction between a client and a server, UDP works as follows: the client sends a request to the server asking for data, and the server then sends all the data in separate packets without any acknowledgment or confirmation of delivery.
ARP Scan / ICMP Ping Scan (-PR or -sn)
nmap -PR -sn <target>
The ARP scan in Nmap asks for the MAC address that belongs to each target IP address. If it gets a reply, the host is assumed to be up. This way of finding out whether a host is up or down is very accurate, but it only works on local networks; you can't ARP ping a host over the internet. Nmap uses this method by default for local targets.
For the ping scan, Nmap doesn't do a port scan; it only performs a host discovery check, which is why -sn is also called "no port scan." A ping scan sends an ICMP echo request (a "ping"), a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request to the target. Any response means the host is up. This check looks for live targets, not open ports or services.
Compared to more detailed scanning methods, both the -PR and -sn choices are faster for host discovery. Whether you are working on a local network (with -PR) or scanning remote networks (with -sn), these will help you find live hosts quickly, saving you time.
Using these two options together gives you flexibility: the ARP ping is reliable on local networks, while the ping scan works on both local and remote networks.
Even though these options are robust, they have their own drawbacks. The ARP Ping only works on local networks, and the Ping Scan can be easily blocked by firewalls set to ignore or block ICMP and certain TCP packets, leading to inaccurate findings.
Both are meant to find hosts, not give detailed information. They won't inform you about open ports or active services on the listed hosts.
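What a defender does with the output of a ping scan is turn it into a list of live hosts and compare it against what should be there. The following is an added example, not Nmap's own code: it parses the grepable (-oG) output of an `nmap -sn` run and flags hosts missing from an approved inventory. The scan output, hostnames and addresses are constructed for the example.

```python
"""Build a live-host inventory from the grepable (-oG) output of an Nmap ping
scan (-sn) and flag hosts that are not on an approved list. Added example, not
Nmap's code; the scan output below is constructed."""
import ipaddress
import re
from typing import Dict, List, Set

# -oG host lines are tab-separated: "Host: <ip> (<rdns name>)\tStatus: <Up|Down>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

SAMPLE_OUTPUT = """\
# Nmap scan initiated (constructed sample) as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.77 ()\tStatus: Up
# Nmap done (constructed sample) -- 256 IP addresses (3 hosts up) scanned
"""


def parse_grepable(text: str) -> Dict[str, Dict[str, str]]:
    """Return {ip: {"hostname": ..., "status": ...}} for every Host: line."""
    hosts: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if line.startswith("#") or not match:   # skip header/footer comments
            continue
        ip, name = match.group(1), match.group(2)
        # Remaining tab-separated "Key: value" fields (Status, Ports, ...).
        fields = dict(f.split(": ", 1) for f in line.split("\t")[1:] if ": " in f)
        hosts[ip] = {"hostname": name, "status": fields.get("Status", "")}
    return hosts


def live_hosts(text: str) -> List[str]:
    """IPs Nmap reported as Up, in address order."""
    up = [ip for ip, h in parse_grepable(text).items() if h["status"] == "Up"]
    return sorted(up, key=ipaddress.ip_address)


def unapproved_hosts(text: str, inventory: Set[str]) -> List[str]:
    """Live hosts missing from the approved inventory: candidates to investigate."""
    return [ip for ip in live_hosts(text) if ip not in inventory]
```

Running the same comparison on each scheduled scan turns host discovery into a simple unknown-device detector for the subnet.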
List Scan (-sL)
nmap -sL <target>
The list scan is a basic Nmap host discovery scan that lists the IP addresses in a range or subnet. It can also resolve hostnames to their corresponding IP address. It does not send packets to the target hosts to probe for open ports.
The Nmap list option enables quick enumeration and network mapping. Listing all IP addresses associated with a specific range or domain makes obtaining a high-level overview of a network possible. This is particularly useful in larger networks where monitoring each host can be difficult.
The list scan doesn't actively probe the targets for open ports nor detect whether the hosts are online. It merely displays the IP addresses and performs a reverse DNS lookup.
TCP Connect Scan (-sT)
nmap -sT <target>
With this option, Nmap instructs your system to establish a full TCP connection with the target system on every port within the specified range. It connects with the target using the connect() system function. This is the same system call used by web browsers and most network-enabled applications to establish a connection.
If the port is accessible, the operating system completes the TCP three-way handshake, and the port is considered open. If the port is closed, an RST packet is returned, and the port is deemed closed.
After multiple retransmissions with no response, the port is marked as filtered.
This scan works on all TCP/IP stacks regardless of operating system and doesn't require administrator or root privileges, because it relies on the system's connect() function rather than raw packets; the port is open if the connection succeeds.
Because the three-way TCP handshake is completed, most servers log these connections, making the scan easier to detect. The TCP connect scan is also slower than the SYN scan (-sS) because a TCP connection must be established and closed for each port.
TCP SYN Scan (Stealth Scan) (-sS)
sudo nmap -sS <target> -p <port>
The SYN scan, commonly called half-open or stealth scanning, is another host discovery scan that must be run as root. Because it is fast and less invasive, it is among the most used scanning methods. The SYN scan starts the three-way handshake TCP uses to create a connection but never completes it.
Instead of replying to the server's SYN-ACK packet with the ACK that would complete the handshake (as in a full connection), it sends an RST message or does not reply at all.
Nmap flags the port as open if the server replies to the initial SYN packet with a SYN-ACK message. The port is considered closed if the server replies with an RST packet. The port is flagged as filtered if no answer is obtained after numerous retransmissions.
Compared to a full connect (-sT) scan, it is less likely to be logged by systems or firewalls since it does not finish the TCP three-way handshake. SYN scans are typically quicker and more effective than full connect scans.
SYN scans require root privileges or administrative access on many systems because they create raw packets. Some firewalls block incoming SYN packets, potentially affecting the reliability of the scan.
Check our “The Top 20 Nmap Commands You Must Know” article for a deep dive into different Nmap commands.
UDP Scan (-sU)
sudo nmap -sU <target>
In a UDP scan that must be run with root privileges, a UDP message is sent to each target port. The packet will be empty for most ports unless Nmap has specific content that it thinks could get an answer from the service on that port.
If a port unreachable error is sent back, the port is considered closed. The service should send a reply if the port is open. But many services don't send replies to empty packets. If Nmap doesn't get an answer, the port is marked as "open|filtered," which means that it could be open or that a firewall or filter has blocked the scan.
One big benefit of the UDP scan is finding open UDP ports, which other scans can't do. If only TCP scans are done, important UDP services could be missed.
UDP scans can be much slower than TCP scans. Because UDP is connectionless, an open port often doesn't reply when a packet is sent to it, so Nmap has to wait and then assume the port may be open if it gets no answer.
Also, closed ports send an ICMP port unreachable message when they can't be reached. Many of these messages can flood the network and use up many resources, slowing the scan even more.
TCP ACK Scan (-sA)
sudo nmap -sA <target> -p <port>
The Nmap ACK scan maps out firewall rule sets to determine what packet filtering is in place. This scan type must be run with root privileges.
The ACK scan in Nmap sends a TCP message to a certain port on the target server with only the ACK flag set. If Nmap receives an RST packet, the port is said to be "unfiltered," which means the packet got to the port without any issues.
If there is no answer or an ICMP unreachable error is received, the port is identified as "filtered," indicating that the packet was blocked before it reached the port.
The fact that the ACK scan can help you map out firewall rules is a big plus. This can be very helpful when doing penetration testing, where knowing how the target is protected is important.
Compared to other types of scans, the ACK scan doesn't give you as much information. It can only tell if a port is blocked or not. It can't tell if a port is open or closed or what services are running.
TCP Null Scan (-sN)
sudo nmap -sN <target>
The Nmap null scan, which must be run as a root user, is part of a group called "stealth scans" or "decoy scans." These scans are often used to get around security filters and IDS/IPS systems. The other two are the Xmas scan and the FIN scan.
Unlike normal TCP transmission, Nmap sends a packet with no TCP flags set. The TCP RFC says that when such a packet is sent to a closed port, an RST message should be sent back to reset the connection.
The RFC doesn't give clear directions on how open ports should handle such a packet, so most systems ignore it and don't send an answer. In a Null scan, no answer is therefore taken to mean that the port is open.
The Null scan can often get around basic firewall rules and intrusion detection systems not set up to catch these unusual TCP packets. This makes it a more sneaky scanning method than the SYN or Connect scans, which are more common.
The biggest problem with a Null scan is that its results aren't always correct, because not every system follows the TCP RFC rules exactly. Windows-based systems in particular tend to reply with an RST packet whether the port is open or closed, which makes it hard to tell the real state of the port from the Null scan alone.
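The connect, SYN, UDP, ACK and Null scan sections above each describe how one reply (or silence) maps to a port state. The block below gathers those rules into a single classifier as an added example (not Nmap's code); the reply names are constructed for illustration. Where a probe gets no answer in the UDP and Null scans, it reports Nmap's combined open|filtered state, since a dropped probe and a silent open port look identical to the scanner.

```python
"""Port-state rules for the TCP connect, SYN, UDP, ACK and Null scans described
above (an added example, not Nmap's code); replies are named here for illustration."""
from typing import Dict, List, Optional

# Possible replies to a single probe.
SYN_ACK = "syn-ack"
RST = "rst"
ICMP_PORT_UNREACH = "icmp-port-unreachable"  # ICMP type 3, code 3
UDP_REPLY = "udp-payload"                    # the UDP service answered
NO_RESPONSE = None                            # silence after all retransmissions


def classify(scan: str, reply: Optional[str]) -> str:
    """Return the port state for one probe; scan is the Nmap flag without its dash."""
    if scan in ("sT", "sS"):
        # Connect/SYN: SYN-ACK means a listener, RST means none, silence means dropped.
        if reply == SYN_ACK:
            return "open"
        if reply == RST:
            return "closed"
        return "filtered"
    if scan == "sU":
        # UDP: only a port-unreachable error proves "closed"; silence is ambiguous.
        if reply == ICMP_PORT_UNREACH:
            return "closed"
        if reply == UDP_REPLY:
            return "open"
        return "open|filtered"
    if scan == "sA":
        # ACK: the scan learns only whether a filter let the probe reach the port.
        return "unfiltered" if reply == RST else "filtered"
    if scan == "sN":
        # Null: RFC-compliant closed ports reset; open and filtered ports both stay silent.
        if reply == RST:
            return "closed"
        if reply == ICMP_PORT_UNREACH:
            return "filtered"
        return "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def summarize(scan: str, observations: Dict[int, Optional[str]]) -> Dict[str, List[int]]:
    """Group probed ports by the state classify() assigns to each reply."""
    states: Dict[str, List[int]] = {}
    for port, reply in sorted(observations.items()):
        states.setdefault(classify(scan, reply), []).append(port)
    return states
```

Feeding the same set of replies through different scan types shows why, for example, an ACK scan can never report a port as open while a SYN scan can.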
Specify IP Protocol (-PO)
sudo nmap -PO<protocol number> <target>
Another Nmap host discovery scan type is the IP protocol ping scan. This scan must be run with root privileges and will check which hosts are up by sending IP packets using different protocols. It can send ICMP pings, IGMP pings, or even IP-in-IP encapsulation. You can list multiple protocols by separating the numbers with commas, as in -PO1,2,4.
If you don't use -sn or a specific scan type, Nmap will keep scanning ports even after it finds that the hosts are up. The -sn option can find hosts without checking ports.
sudo nmap -sn -PO1,2,4 <target>
This option lets you choose different protocols for host discovery, which is especially helpful when ICMP is blocked, a standard security practice in many networks, and can improve your chances of finding live hosts.
Although this option can get around some ICMP blocks, it doesn't always work: some networks have firewalls or other security measures that drop or screen all incoming packets except those the network needs to function, so host discovery with -PO can still fail.
See our popular Nmap article “Nmap Cheat Sheet 2023: All the Commands, Flags & Switches.”
As we've discussed, mastering Nmap for host discovery is an invaluable skill. Gaining an in-depth understanding of the various scan types, how Nmap performs them, and their unique benefits and drawbacks can greatly enhance your effectiveness in cybersecurity.
You now have eight different commands you can add to your arsenal when performing host discovery.