Nmap Ping Sweep: How to Scan Networks for Live Hosts


An Nmap ping sweep is an essential skill to have in your hacking toolkit. It allows you to quickly identify live hosts on a network that you can target and is an important step to perform in any penetration test.

This article will teach you how to perform a ping sweep using the powerful network mapping tool Nmap. You will also learn how to save this output to a file of your choice and discover advanced Nmap options you can use with your ping sweep to optimize your scans. Finally, you will see ways to bypass the firewalls and filters security professionals use to defend their networks from network scanning to ensure your scans are successful.

Let’s get started learning this essential skill!

A Brief Nmap Review

Nmap is a powerful open-source network scanning tool that is used by security professionals and network administrators to perform network audits. It can scan networks for live hosts, detect services running, fingerprint operating systems, and identify vulnerabilities. The tool can also be extended through the Nmap Scripting Engine, making it a versatile option in your hacking toolkit. It comes installed by default on Kali Linux, or you can install Nmap on your own Linux operating system.

This article won’t get into all the nuances of Nmap - for a detailed guide, read How to Use Nmap to Scan a Network: A Step-by-Step Guide. Instead, you will learn how to master the Nmap ping sweep command, discover advanced options that let you customize Nmap’s behavior, and see how to bypass firewalls and filters designed to block your scanning efforts.


Basic Nmap Ping Sweep

The first skill to master when learning Nmap is performing a basic ping sweep. A ping sweep is used to identify live hosts on a network by sending Internet Control Message Protocol (ICMP) echo request (ping) packets to a range of IP addresses. If a host responds to the ping, it is considered to be “live.” Performing a ping sweep is an important step in the host discovery process and is fundamental to performing a comprehensive penetration test.

To perform an Nmap ping sweep, use the command line option -sn followed by the target(s) or network you want to scan in CIDR notation. For example, the following command scans the 10.0.200.0/24 IP address range. It will send an ICMP echo request to every IP address in the network from 10.0.200.1 to 10.0.200.255.

nmap -sn 10.0.200.0/24


Let’s investigate what this output means.

Understanding the Output


In the output of this command, you can see several things:

  1. The Nmap command that was used to perform the ping sweep.
  2. The time at which the Nmap scan was started.
  3. The results of the scan. These are appended to the output for each new host discovered and include the hostname, IP address, and latency (how quickly the host responded).
  4. A results summary with the number of IP addresses scanned, hosts that responded, and how long the scan took to complete.

Saving the Output

By default, Nmap only shows you the output of its commands in the terminal window. You can change this default behavior and save the output to a file using one of the following command line options:

  • To save results to a regular text file, use the -oN option.
  • To save results in XML format, use the -oX option.
  • To save results in a grepable format that you can search through, use the -oG option.
  • To save results to all of the above formats, use the -oA option.

For example, to save the results of a ping sweep to a regular text file, run the following command:

nmap -sn 10.0.200.0/24 -oN ping-sweep-results.txt


The output saved in the file will be similar to this:

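A saved sweep is most useful when it is compared against what is supposed to be on the network. The Python below is an added example, not code from the original article: it parses the grepable (-oG) form of a ping sweep and lists live addresses that are missing from an asset inventory. The sample output, hostnames and inventory are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `nmap -sn -oG` output (not taken from the article).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: "
    "nmap -sn -oG sweep.gnmap 10.0.200.0/24\n"
    "Host: 10.0.200.1 (gateway.lab.example)\tStatus: Up\n"
    "Host: 10.0.200.15 ()\tStatus: Up\n"
    "Host: 10.0.200.77 (printer.lab.example)\tStatus: Up\n"
    "# Nmap done at Mon Jan  1 10:00:03 2024 -- 256 IP addresses "
    "(3 hosts up) scanned in 2.91 seconds\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Status: (\w+)")
DONE_RE = re.compile(r"\((\d+) hosts? up\)")

def parse_gnmap(text):
    """Return ({ip: hostname or None} for hosts marked Up,
    hosts-up count from the summary line, or None if it is missing)."""
    live, reported = {}, None
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if match and match.group(3) == "Up":
            live[ipaddress.ip_address(match.group(1))] = match.group(2) or None
        elif line.startswith("# Nmap done"):
            summary = DONE_RE.search(line)
            reported = int(summary.group(1)) if summary else None
    return live, reported

def unknown_hosts(live, inventory):
    """Live addresses that are absent from the inventory, in address order."""
    known = {ipaddress.ip_address(addr) for addr in inventory}
    return sorted(ip for ip in live if ip not in known)

if __name__ == "__main__":
    live, reported = parse_gnmap(SAMPLE_GNMAP)
    # A missing or mismatched summary means the scan was interrupted
    # or the file was truncated, so the host list is incomplete.
    if reported != len(live):
        print("warning: host lines do not match the scan summary")
    for ip in unknown_hosts(live, ["10.0.200.1", "10.0.200.15"]):
        print(f"not in inventory: {ip} ({live[ip] or 'no hostname'})")
```
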

Advanced Options

Nmap offers advanced command line options that you can combine with the basic ping sweep command to gain greater control over how Nmap behaves. They let you adjust how often it sends packets, what packets it sends, and how it replies to packets returned by target machines. Here are some of the advanced options you can use.

Timing Templates

Nmap allows you to configure how often your scan probes a target with network packets and how long it waits for a response. These options are predefined in timing templates that Nmap lets you choose before you start your scan. Timing templates range from 0 (a slow and polite scan) to 5 (a fast and aggressive scan).

Add the -T option to your command line to use a timing template, followed by the template number. The timing templates available include:

  • Paranoid (-T0): Slowest scanning speed. Designed to minimize the impact on the target network and avoid triggering any alerts.
  • Sneaky (-T1): Slightly faster. Still designed for stealth and low impact.
  • Polite (-T2): The default timing template. It balances scan speed with network courtesy and is suitable for most scanning situations.
  • Normal (-T3): Faster than polite and often used for standard network scans.
  • Aggressive (-T4): Slightly faster than normal and suitable for scans where you don’t expect to disrupt the network (e.g., when not scanning many ports or hosts).
  • Insane (-T5): The fastest and most aggressive timing template that rapidly sends probes that may cause network congestion or trigger alerts. Use with caution.

The example below uses the -T4 option to perform an aggressive Nmap ping sweep on the target network. 


Disabling DNS Resolution

Nmap allows you to disable Domain Name System (DNS) resolution when you are scanning by adding the -n option. If you set this option, Nmap will not attempt to resolve hostnames to IP addresses during the scan. This can speed up your scan and is most useful when DNS resolution is not required, when the DNS servers are slow or unreliable, when scanning larger networks with multiple hops to traverse, or when scanning many hosts.

The command below uses the -n option to disable DNS resolution when performing a ping sweep using Nmap. Notice how all hosts are now just IP addresses with no hostnames.


Randomizing Target Order

You can use Nmap's --randomize-hosts option to make your scans less predictable and harder to detect by security solutions. Adding this option to your command line instructs Nmap to randomize the order in which it scans the specified targets. This makes it more difficult for intrusion detection systems (IDS) or firewalls to detect scanning activity when monitoring network traffic.

The command below uses the --randomize-hosts option to randomize the order in which Nmap sends ping probes to hosts when performing a ping sweep. Notice that the order in which hosts are scanned is no longer sequential. It is random.


These are just a few of the advanced options you can combine with the ping sweep command. To discover more, check out Nmap Cheat Sheet: All the Commands, Flags & Switches.

Firewalls and Filters

Security professionals who defend networks protect them by implementing firewalls and filters that are designed to make network scanning difficult. They block ICMP echo requests (pings), block external IP addresses that send a lot of inbound network traffic, and detect IP addresses that send packets crafted to query every port on a machine. 

Firewalls and filters can make your life difficult as a penetration tester looking to discover live hosts on a network. That said, Nmap has a few command line options that you can use to bypass these security solutions and be more successful in your network scanning efforts. Let’s look at a few.

Targeting Common Ports

Network firewalls and IDS will often block ICMP echo requests or any other network protocol that is not expected to be used on the network. For instance, if a company does not use a mail server internally, it will likely block all SMTP traffic (port 587) to minimize its attack surface. 

Most companies need to provide their employees with access to the Internet. This requires ports 80 (HTTP), 443 (HTTPS), and 53 (DNS) to be open. As such, firewalls and IDS will likely allow this traffic into the target network, and you can use this to your advantage to perform host discovery.

You can configure Nmap to only send probe packets to ports 80, 443, and 53 by using the -PS and -PU options, followed by the port you want to send packets to. These options must be used in combination with an Nmap ACK scan (-sA). The following command performs a ping sweep by targeting only ports 80, 443, and 53 of hosts on the target network. This helps you bypass firewalls and filters by blending in with expected network traffic.

sudo nmap -sA -PS80,443 -PU53 10.0.200.0/24


The -PS option specifies TCP port numbers (HTTP and HTTPS), while the -PU option is used for UDP port numbers (DNS). You must be a sudo user to run UDP scans with Nmap.

Adding a Delay

Some firewalls and IDS solutions will temporarily block IP addresses that generate a lot of network traffic or send network packets to several hosts in a programmatic order. You previously learned how to randomize your target order. You can also add a delay to your Nmap scan to prevent security solutions from automatically blocking you. 

To add a delay to your Nmap scan, add the --scan-delay option to your command, followed by the number of seconds you want to wait before sending network packets. The following command adds a one-second delay to your ping sweep. Notice that it takes longer to perform the ping sweep scan when you add a delay.

nmap --scan-delay 1s -sn 10.0.200.0/24
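Seen from the monitoring side, the randomized order and the scan delay described above both defeat rules that look for sequential addresses or short bursts, but not a count of distinct destinations per source over a long enough window. The Python below is an added example, not code from the original article, and its log format, addresses, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def make_sample():
    """Constructed probe log: (epoch_seconds, source_ip, destination_ip)."""
    events = []
    # One source probes 40 addresses in shuffled order, one probe per second
    # (7 is coprime to 40, so t*7 % 40 visits every offset exactly once).
    for t in range(40):
        events.append((1000 + t, "10.0.50.9", f"10.0.200.{(t * 7) % 40 + 1}"))
    # A monitoring host pings the same three addresses every 10 seconds.
    for t in range(0, 40, 10):
        for last in (1, 2, 3):
            events.append((1000 + t, "10.0.50.2", f"10.0.200.{last}"))
    return sorted(events)

def detect_sweeps(events, window=300, threshold=20):
    """Map each source that reached `threshold` distinct destinations inside
    any `window`-second span to the peak distinct count observed."""
    recent = defaultdict(deque)                    # src -> (ts, dst) in window
    seen = defaultdict(lambda: defaultdict(int))   # src -> dst -> hits in window
    peaks = {}
    for ts, src, dst in events:                    # events must be time-ordered
        queue, counts = recent[src], seen[src]
        queue.append((ts, dst))
        counts[dst] += 1
        while queue[0][0] <= ts - window:          # expire probes outside window
            _, old = queue.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(counts))
    return peaks

if __name__ == "__main__":
    log = make_sample()
    # Long window: the slow, shuffled sweep is flagged; the monitor is not.
    print(detect_sweeps(log, window=300, threshold=20))
    # A 10-second window never holds more than 10 distinct targets, so the
    # same sweep goes unnoticed: size the window for the slowest rate you
    # need to catch.
    print(detect_sweeps(log, window=10, threshold=20))
```
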


Adjusting the Length of Network Packets

Another technique to bypass firewalls and filters is adjusting the length of your probing network packets. Firewalls and IDS solutions will trigger alerts if a packet has certain characteristics or a known malicious signature. 

Nmap allows you to append random data to your network packets to evade packet filtering by using the --data-length option, followed by the length of random data you want to append. The following command adds 50 bytes of random data to packets being sent during a ping sweep. 

sudo nmap --data-length 50 -sn 10.0.200.0/24


You must be a sudo user to add bytes to your network scan as it requires interaction with raw sockets.

Conclusion

This article showed you how to perform an Nmap ping sweep. You will find this essential hacking skill useful on any red team engagement or penetration test you perform where you need to discover hosts to target.

You also learned how to save the output of Nmap scans, use advanced options to make your network scans more efficient, and some common ways to bypass firewalls and filters so your scans can be successful. 

  • Adam Goss

    Adam is a seasoned cyber security professional with extensive experience in cyber threat intelligence and threat hunting. He enjoys learning new tools and technologies, and holds numerous industry qualifications on both the red and blue sides. Adam aims to share the unique insights he has gained from his experiences through his blog articles. You can find Adam on LinkedIn or check out his other projects on LinkTree.
