Duration: 1.5 hours (Estimated)
Welcome to the second episode of our comprehensive Nmap course! In this module, we'll dive deeper into host discovery techniques, explore different methods for identifying active systems on a network, and learn how to optimize our reconnaissance for different environments.
Building on the foundation from Episode 1, we'll get practical with hands-on examples that will prepare you for real-world network reconnaissance. By the end of this module, you'll be able to efficiently discover hosts on any network you're authorized to scan.
Before we can analyze services or identify vulnerabilities, we first need to know which systems are active on a network. Host discovery (sometimes called "ping scanning") is the process of identifying live hosts before performing more intensive port scans.
Effective host discovery narrows the later, more expensive port scans to systems that are actually online, which saves time and generates less traffic on the target network.
Nmap offers various methods to determine whether hosts are alive. Let's explore these techniques and understand when to use each one.
The most basic method is the ping scan. It takes its name from the ICMP echo request (ping) probe, although, as we will see, Nmap sends other probe types as well:
sudo nmap -sn 10.129.2.0/24
This command uses the -sn option, which disables port scanning so that Nmap only performs host discovery and reports which addresses answered.
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 14:00 EDT
Nmap scan report for 10.129.2.4
Host is up (0.0023s latency).
Nmap scan report for 10.129.2.10
Host is up (0.0046s latency).
Nmap scan report for 10.129.2.11
Host is up (0.0032s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.51 seconds
During penetration tests or network audits, you might receive a list of IP addresses to scan. Nmap can read targets from a file:
# Create a list of hosts (the heredoc ends at the EOF marker)
cat > hosts.lst << 'EOF'
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28
EOF
# Scan hosts from the list
sudo nmap -sn -iL hosts.lst
The -iL option tells Nmap to read targets from the specified file. Entries are separated by whitespace or newlines and may use any notation accepted on the command line, including CIDR blocks and ranges, so the same file can drive later port scans (use -iL - to read the list from standard input).
You can specify multiple individual IP addresses:
sudo nmap -sn 10.129.2.18 10.129.2.19 10.129.2.20
Or use range notation for consecutive addresses (the range applies to the octet it is written in, so 10.129.2.18-20 expands to .18, .19 and .20):
sudo nmap -sn 10.129.2.18-20
By default, when you run a ping scan (-sn) as root against targets outside your own subnet, Nmap sends four probes to each address: an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80 and an ICMP timestamp request. Targets on the local Ethernet segment get an ARP request instead, and an unprivileged user falls back to TCP connect() attempts to ports 80 and 443.
This combination increases the chance of detection even when certain packet types are blocked.
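As an added example (not part of the course material or of Nmap itself), the following Python script expands the target notations shown above, single addresses, CIDR blocks and octet ranges, into individual addresses and writes them in the one-address-per-line form that -iL reads. It goes a little beyond the page: Nmap lets every octet carry a range or a comma-separated list (for instance 10.129.2-3.1,10), and the script handles that as well. The target list at the bottom is constructed for the demonstration.

```python
"""Expand Nmap-style IPv4 target specifications into individual addresses.

Added example, not code from the course or from Nmap. It reproduces the
target notations the module uses (single address, CIDR block, octet range)
so you can build a hosts.lst for -iL or count how many addresses a scan
will touch before you run it.
"""
import ipaddress
import itertools


def _expand_octet(spec: str) -> list[int]:
    """Expand one octet field: '18', '18-20', '1,5,9', '-' (0-255), '200-' or '-20'."""
    values: list[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0        # '-20' means 0-20
            hi = int(hi_s) if hi_s else 255      # '200-' means 200-255
        else:
            lo = hi = int(part)
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"octet out of range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> list[str]:
    """Expand a single spec into addresses, in the order Nmap would scan them.

    Supports 10.129.2.4, 10.129.2.0/24 and octet ranges such as 10.129.2.18-20
    or 10.129.2-3.1,10. Like Nmap, a CIDR block includes the network and
    broadcast addresses.
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)   # 10.129.2.4/24 -> 10.129.2.0/24
        return [str(addr) for addr in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    fields = [_expand_octet(o) for o in octets]
    return [".".join(map(str, combo)) for combo in itertools.product(*fields)]


def expand_targets(specs: list[str]) -> list[str]:
    """Expand several specs, dropping duplicates while keeping first-seen order."""
    seen: set[str] = set()
    out: list[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


def write_host_list(specs: list[str], path: str) -> int:
    """Write one address per line (the format -iL expects) and return the count."""
    hosts = expand_targets(specs)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(hosts) + "\n")
    return len(hosts)


if __name__ == "__main__":
    # Constructed sample: the ranges used in this module, overlapping on purpose.
    targets = ["10.129.2.4", "10.129.2.18-20", "10.129.2.18", "10.129.2.0/30"]
    for addr in expand_targets(targets):
        print(addr)
```

Running the script prints the de-duplicated list; write_host_list(targets, "hosts.lst") produces a file you can pass straight to sudo nmap -sn -iL hosts.lst.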
To see exactly what's happening during a scan, use the --packet-trace option:
sudo nmap 10.129.2.18 -sn --packet-trace
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 14:15 EDT
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Nmap scan report for 10.129.2.18
Host is up (0.023s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Notice that Nmap used an ARP request rather than ICMP or TCP probes, because the target is on the same subnet. ARP is faster and more reliable here: any host on the segment must answer ARP to communicate at all, and host firewalls rarely filter it, so it finds systems that drop ICMP and TCP probes.
To see why Nmap determined a host is up, use the --reason option:
sudo nmap 10.129.2.18 -sn --reason
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 14:20 EDT
Nmap scan report for 10.129.2.18
Host is up, received arp-response (0.028s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
The "received arp-response" tells us that Nmap determined the host was up because it received an ARP reply. The same reason string is recorded in the XML output, so you can check afterwards how each host was found.
If you specifically want to use ICMP echo requests (even on a local network), you can disable ARP pings:
sudo nmap 10.129.2.18 -sn -PE --packet-trace --disable-arp-ping
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 14:25 EDT
SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28]
Nmap scan report for 10.129.2.18
Host is up (0.086s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
Options explained:
-PE: use an ICMP echo request as the discovery probe
--packet-trace: show all packets sent and received
--disable-arp-ping: skip ARP discovery and use the specified probes even for local targets
Skipping host discovery (-Pn)
Sometimes firewalls block ICMP and the other default probe packets. In these cases, you can skip the host discovery phase entirely:
sudo nmap 10.129.2.18 -Pn
The -Pn option tells Nmap to assume the host is up and directly proceed to port scanning. This is useful when you know the host exists but it's not responding to ping. Against a whole network it is expensive, since every address is port-scanned whether or not anything is there, and Nmap reports "Host is up" for every target, including those that never answered.
TCP SYN ping (-PS)
You can use TCP SYN packets to specific ports for host discovery:
sudo nmap 10.129.2.0/24 -PS22,80,443
This sends TCP SYN packets to ports 22, 80, and 443. A SYN/ACK (port open) and a RST (port closed) both prove that a host is there, so the host is marked as up either way; only when no reply comes back at all is it left marked down. Note that -PS without -sn runs a port scan on each host it finds.
TCP ACK ping (-PA)
Similar to SYN ping, but uses ACK packets:
sudo nmap 10.129.2.0/24 -PA22,80,443
A host that receives an unsolicited ACK replies with a RST whether the port is open or closed, which is what marks it as up. This can be effective against stateless firewalls that block incoming SYN packets but let ACKs through because they look like part of an established connection. A stateful firewall knows no connection exists and drops the ACK, which is why -PS and -PA are usually combined.
UDP ping (-PU)
Some hosts might have TCP entirely filtered but respond to UDP packets:
sudo nmap 10.129.2.0/24 -PU53,161
This sends UDP packets to the DNS (53) and SNMP (161) ports. Two kinds of reply count as evidence of a live host: an answer from a service, and the ICMP port unreachable message a host sends for a closed UDP port. For most ports Nmap sends an empty datagram, which open services usually ignore, so a port that is likely to be closed can be as useful a choice as one that is likely to be open; for well-known ports such as 53 and 161 Nmap includes a protocol-specific payload that is more likely to draw an answer from a running service.
SCTP INIT ping (-PY)
For networks using the SCTP protocol (common in telecommunications):
sudo nmap 10.129.2.0/24 -PY132
This sends SCTP INIT packets to port 132; an INIT-ACK (open port) or an ABORT (closed port) in reply marks the host as up.
IP protocol ping (-PO)
This technique uses various IP protocols to discover hosts:
sudo nmap 10.129.2.0/24 -PO1,2,4
This sends IP packets with protocol numbers 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP), which are also the defaults when -PO is given without a list. Either a reply using the same protocol or an ICMP protocol unreachable message marks the host as up.
Different network environments require different discovery approaches:
On a local network, ARP scanning is most efficient:
sudo nmap 192.168.1.0/24 -sn
When run as root, Nmap automatically uses ARP requests for hosts on the same subnet, so no extra option is needed.
For remote networks, use a combination of ICMP and TCP methods:
sudo nmap 10.0.0.0/24 -sn -PE -PS22,80,443 -PA80,443
This combines ICMP echo requests with TCP SYN and ACK probes to ports commonly open on servers. Listing your own probes replaces the default set, so include -PE explicitly if you still want the ICMP echo request.
For networks with strict firewalls:
sudo nmap 10.0.0.0/24 -Pn -p 80,443
This skips host discovery entirely and scans the two ports on every address in the range. Nmap will list all 256 addresses as up, so judge which hosts are real by the port results, not by the "Host is up" line.
For scanning large networks efficiently:
sudo nmap 10.0.0.0/16 -sn --min-hostgroup 512 --min-rate 1000
This optimizes for speed by scanning at least 512 hosts in parallel and sending at least 1000 packets per second. Forcing a rate higher than the network or the targets can handle causes dropped probes and missed hosts, so compare a fast run against a slower one on a sample of the range before trusting it.
Once we've identified active hosts, the next step is to determine which ports are open. Let's explore the basics of port scanning.
Nmap reports six possible states for scanned ports:
open: an application is accepting TCP connections or UDP datagrams on the port.
closed: the port is reachable, but no application is listening on it.
filtered: a firewall or other filter prevents the probes from reaching the port, so Nmap cannot tell whether it is open.
unfiltered: the port is reachable, but Nmap cannot determine whether it is open or closed (only the ACK scan produces this state).
open|filtered: Nmap cannot tell open from filtered, typically because open ports give no response (UDP, IP protocol, FIN, NULL and Xmas scans).
closed|filtered: Nmap cannot tell closed from filtered (only the IP ID idle scan produces this state).
The most common scan type is the TCP SYN scan (-sS). It is the default when Nmap runs with root privileges, so the command below uses it without naming it:
sudo nmap 10.129.2.28 --top-ports=10
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 15:36 EDT
Nmap scan report for 10.129.2.28
Host is up (0.021s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop3
139/tcp filtered netbios-ssn
443/tcp closed https
445/tcp filtered microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds
To understand what's happening during a port scan, use the packet trace option:
sudo nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 15:39 EDT
SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 10.129.2.28:21 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40 seq=0 win=0
Nmap scan report for 10.129.2.28
Host is up (0.014s latency).
PORT STATE SERVICE
21/tcp closed ftp
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
In this example:
-p 21 limits the scan to the FTP port, -Pn skips host discovery, -n skips reverse DNS lookups and --disable-arp-ping stops the ARP probe, so the trace shows only the port-scan packets.
Nmap sends a single SYN packet (flags S) from a random source port to port 21.
The target answers with RST/ACK (flags RA), which means the port is reachable but nothing is listening, so Nmap reports it as closed.
When a port is shown as "filtered," it typically means a firewall is blocking access:
sudo nmap 10.129.2.28 -p 139 --packet-trace -n --disable-arp-ping -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 15:45 EDT
SENT (0.0381s) TCP 10.10.14.2:60277 > 10.129.2.28:139 S ttl=47 id=14523 iplen=44 seq=4175236769 win=1024 <mss 1460>
SENT (1.0411s) TCP 10.10.14.2:60278 > 10.129.2.28:139 S ttl=45 id=7372 iplen=44 seq=4175171232 win=1024 <mss 1460>
Nmap scan report for 10.129.2.28
Host is up.
PORT STATE SERVICE
139/tcp filtered netbios-ssn
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds
Notice that Nmap sends a second SYN after about a second and still receives no response, so it reports the port as filtered (most likely dropped by a firewall). The retransmissions and timeouts are why scanning filtered ports takes noticeably longer than scanning open or closed ones.
Firewalls can handle unwanted traffic in two ways:
Drop: the packet is silently discarded and nothing is sent back. Nmap has to retransmit and wait for a timeout, which slows the scan down, and the port ends up as filtered.
Reject: the firewall answers immediately with an ICMP error (commonly type 3, destination unreachable) or, for TCP, with a RST. An ICMP error makes Nmap report the port as filtered; a RST makes the port look closed and is indistinguishable from a genuinely closed port.
Here's an example of a rejected connection:
sudo nmap 10.129.2.28 -p 445 --packet-trace -n --disable-arp-ping -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 15:55 EDT
SENT (0.0388s) TCP 10.10.14.2:52472 > 10.129.2.28:445 S ttl=49 id=21763 iplen=44 seq=1418633433 win=1024 <mss 1460>
RCVD (0.0487s) ICMP [10.129.2.28 > 10.10.14.2 Port 445 unreachable (type=3/code=3)] IP [ttl=64 id=20998 iplen=72]
Nmap scan report for 10.129.2.28
Host is up (0.0099s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Here, the firewall actively rejects the connection with an ICMP "port unreachable" message (type 3, code 3). Nmap still reports the port as filtered, because an ICMP error tells it that something in the path refused the packet, not whether a service is listening; the difference from the previous example is only that the verdict arrived within 10 ms instead of after two seconds of retries.
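As an added example that is not part of the course material or of Nmap itself, the Python below encodes the decision rules Nmap's reference guide gives for turning replies into port states, using the three --packet-trace cases above (RST/ACK on port 21, silence on port 139, ICMP port unreachable on port 445) as the worked inputs. It goes beyond the page by also covering the UDP scan (-sU) states and the -PE/-PS/-PA/-PU host-discovery verdicts, so the whole decision table sits in one place. The Response objects are constructed in the file; nothing is sent on the network.

```python
"""Turn probe responses into Nmap-style verdicts.

Added example: this is not code from the course or from Nmap. It encodes the
rules Nmap's reference guide gives for interpreting replies to SYN-scan,
UDP-scan and host-discovery probes. Responses are constructed here.
"""
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (destination unreachable) codes that Nmap treats as filtering.
UNREACHABLE_FILTER_CODES = {1, 2, 3, 9, 10, 13}
PORT_UNREACHABLE = (3, 3)   # the reply seen for TCP 445 above
ECHO_REPLY = (0, 0)


@dataclass(frozen=True)
class Response:
    """What came back for one probe: kind is "none", "tcp", "udp" or "icmp"."""
    kind: str
    flags: str = ""                          # TCP flags as --packet-trace prints them, e.g. "SA", "RA"
    icmp: Optional[tuple[int, int]] = None   # (type, code) when kind == "icmp"


NO_RESPONSE = Response("none")


def _is_filtering_icmp(resp: Response) -> bool:
    return (resp.kind == "icmp" and resp.icmp is not None
            and resp.icmp[0] == 3 and resp.icmp[1] in UNREACHABLE_FILTER_CODES)


def syn_scan_state(resp: Response) -> str:
    """State of a port after a TCP SYN probe (-sS), once retries are exhausted."""
    if resp.kind == "tcp":
        if "S" in resp.flags and "A" in resp.flags:
            return "open"       # SYN/ACK: a service completed its half of the handshake
        if "R" in resp.flags:
            return "closed"     # RST/ACK, as for port 21 above: reachable, nothing listening
    # Silence (port 139 above) and an ICMP unreachable error (port 445 above)
    # both leave Nmap unable to tell whether a service listens: "filtered".
    return "filtered"


def udp_scan_state(resp: Response) -> str:
    """State of a port after a UDP probe (-sU)."""
    if resp.kind == "udp":
        return "open"                 # the service answered
    if resp.kind == "icmp" and resp.icmp == PORT_UNREACHABLE:
        return "closed"               # the host itself says nothing listens there
    if _is_filtering_icmp(resp):
        return "filtered"             # host/net/admin prohibited: something in the path blocks it
    return "open|filtered"            # no answer: an open service ignoring us, or a drop rule


def host_is_up(probe: str, resp: Response) -> bool:
    """Discovery verdict for one probe type: "PE", "PS", "PA" or "PU"."""
    if probe in ("PS", "PA"):
        # Any TCP reply proves a host: SYN/ACK or RST for -PS, RST for -PA.
        return resp.kind == "tcp"
    if probe == "PE":
        return resp.kind == "icmp" and resp.icmp == ECHO_REPLY
    if probe == "PU":
        # A UDP reply or a port-unreachable error comes from the host itself;
        # other ICMP errors usually come from a router and prove nothing.
        return resp.kind == "udp" or (resp.kind == "icmp" and resp.icmp == PORT_UNREACHABLE)
    raise ValueError(f"unknown probe type {probe!r}")


def syn_scan_report(responses: dict[int, Response]) -> dict[int, str]:
    """Classify a whole set of SYN-scan responses, keyed by port number."""
    return {port: syn_scan_state(resp) for port, resp in sorted(responses.items())}


if __name__ == "__main__":
    # Constructed responses matching the traces shown above for 10.129.2.28.
    sample = {
        21: Response("tcp", flags="RA"),                # RST/ACK -> closed
        22: Response("tcp", flags="SA"),                # SYN/ACK -> open
        139: NO_RESPONSE,                                # dropped  -> filtered
        445: Response("icmp", icmp=PORT_UNREACHABLE),    # rejected -> filtered
    }
    for port, state in syn_scan_report(sample).items():
        print(f"{port}/tcp {state}")
```

The point to take from the table is that "filtered" is a statement about the path, not the service: a drop and an ICMP reject produce the same TCP verdict, while for UDP the port-unreachable reply is the only thing that ever yields a definite "closed".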
While TCP scanning is more common, UDP scanning is crucial for a complete security assessment. UDP scanning is performed with the -sU option (here combined with -F, which limits the scan to the 100 most common ports):
sudo nmap 10.129.2.28 -F -sU
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 16:01 EDT
Nmap scan report for 10.129.2.28
Host is up (0.059s latency).
Not shown: 95 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered ipp
5353/udp open zeroconf
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 98.07 seconds
UDP scanning is slower because:
UDP is connectionless, so there is no handshake to confirm that a port is open. Most services ignore an empty probe, and Nmap must retransmit and wait for the timeout before it can settle on open|filtered.
Closed ports are recognised only by the ICMP port unreachable message the target sends back, and many operating systems rate-limit those messages (Linux allows about one per second by default). Nmap detects the limit and slows down to match it, which is why a scan of 100 ports can take well over a minute.
Open and filtered ports are therefore often reported together as open|filtered; only ports that answered the probe, such as 137 and 5353 above, are reported as plainly open.
Let's look at an open UDP port:
sudo nmap 10.129.2.28 -sU -Pn -n --disable-arp-ping --packet-trace -p 137
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 16:15 EDT
SENT (0.0367s) UDP 10.10.14.2:55478 > 10.129.2.28:137 ttl=57 id=9122 iplen=78
RCVD (0.0398s) UDP 10.129.2.28:137 > 10.10.14.2:55478 ttl=64 id=13222 iplen=257
Nmap scan report for 10.129.2.28
Host is up (0.0031s latency).
PORT STATE SERVICE
137/udp open netbios-ns
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Note that the probe to port 137 was 78 bytes long (iplen=78), not the 28 bytes of bare IP and UDP headers: Nmap attached a NetBIOS name-service query, which is what prompted the 257-byte reply.
And a closed UDP port:
sudo nmap 10.129.2.28 -sU -Pn -n --disable-arp-ping --packet-trace -p 100
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 16:25 EDT
SENT (0.0445s) UDP 10.10.14.2:63825 > 10.129.2.28:100 ttl=57 id=29925 iplen=28
RCVD (0.1498s) ICMP [10.129.2.28 > 10.10.14.2 Port unreachable (type=3/code=3)] IP [ttl=64 id=11903 iplen=56]
Nmap scan report for 10.129.2.28
Host is up (0.11s latency).
PORT STATE SERVICE
100/udp closed unknown
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
It's essential to save scan results for documentation, comparison, and reporting.
Nmap can save results in three main formats: normal (-oN), grepable (-oG) and XML (-oX). The -oA option writes all three at once, using the basename you give:
# Save in all formats with one command
sudo nmap 10.129.2.28 -p- -oA target
This creates:
target.nmap (normal text format)
target.gnmap (grepable format)
target.xml (XML format)
Normal output (.nmap)
Contains the same output seen in the terminal.
# Nmap 7.94 scan initiated Tue Apr 14 12:14:53 2025 as: nmap -p- -oA target 10.129.2.28
Nmap scan report for 10.129.2.28
Host is up (0.053s latency).
Not shown: 65525 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
MAC Address: DE:AD:00:00:BE:EF
# Nmap done at Tue Apr 14 12:15:03 2025 -- 1 IP address (1 host up) scanned in 10.22 seconds
Grepable output (.gnmap)
Designed for easy parsing with tools like grep, awk and cut: each host gets a single line whose Host, Ports and Ignored State fields are separated by tabs.
# Nmap 7.94 scan initiated Tue Apr 14 12:14:53 2025 as: nmap -p- -oA target 10.129.2.28
Host: 10.129.2.28 () Status: Up
Host: 10.129.2.28 () Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http/// Ignored State: closed (65525)
# Nmap done at Tue Apr 14 12:15:03 2025 -- 1 IP address (1 host up) scanned in 10.22 seconds
XML output (.xml)
Provides structured data that can be processed by other tools, and is the format to keep when results will later be compared with ndiff or imported elsewhere.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.94 scan initiated Tue Apr 14 12:14:53 2025 as: nmap -p- -oA target 10.129.2.28 -->
<nmaprun scanner="nmap" args="nmap -p- -oA target 10.129.2.28" start="1713013200" startstr="Tue Apr 14 12:15:00 2025" version="7.94" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="1713013200" endtime="1713013210"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<address addr="DE:AD:00:00:BE:EF" addrtype="mac" vendor="Intel Corporate"/>
<hostnames>
</hostnames>
<ports><extraports state="closed" count="65525">
<extrareasons reason="resets" count="65525"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="smtp" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" method="table" conf="3"/></port>
</ports>
<times srtt="52614" rttvar="75640" to="355174"/>
</host>
<runstats><finished time="1713013210" timestr="Tue Apr 14 12:15:10 2025" elapsed="10.22" summary="Nmap done at Tue Apr 14 12:15:10 2025; 1 IP address (1 host up) scanned in 10.22 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
XML output can be converted to HTML for better readability using `xsltproc`:
xsltproc target.xml -o target.html
This creates a well-formatted HTML report that's easy to share with team members or clients. xsltproc follows the stylesheet path embedded in the file (the xml-stylesheet line above), which only exists on the machine that ran the scan; if you render the report elsewhere, name the stylesheet explicitly (xsltproc /path/to/nmap.xsl target.xml -o target.html) or scan with --webxml so that the XML references the copy hosted at nmap.org.
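The grepable listing above is what most people process with grep and cut. As an added example that is not part of the course material or of Nmap, the Python below parses that format properly and answers the two questions the format exists for: which hosts have a given port open, and which ports a given host exposes. SAMPLE_GNMAP is a constructed two-host file; real files separate the Host, Ports and Ignored State fields with tabs, and the parser accepts both that form and the space-separated rendering seen on this page.

```python
"""Parse Nmap's grepable (.gnmap) output into Python structures.

Added example, not code from the course or from Nmap. SAMPLE_GNMAP is a
constructed file in the one-line-per-host format that -oG / -oA produce.
"""
import ipaddress
import re

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Tue Apr 14 12:14:53 2025 as: nmap -p- -oA target 10.129.2.0/24\n"
    "Host: 10.129.2.28 ()\tStatus: Up\n"
    "Host: 10.129.2.28 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, "
    "80/open/tcp//http///\tIgnored State: closed (65532)\n"
    "Host: 10.129.2.4 (web01.lab)\tStatus: Up\n"
    "Host: 10.129.2.4 (web01.lab)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)\n"
    "# Nmap done at Tue Apr 14 12:15:03 2025 -- 256 IP addresses (2 hosts up) scanned in 10.22 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(?P<addr>\S+)\s+\((?P<name>[^)]*)\)\s*(?P<rest>.*)$")
IGNORED_RE = re.compile(r"Ignored State:\s+(?P<state>\S+)\s+\((?P<count>\d+)\)")


def _parse_port_field(body: str) -> list[dict]:
    """Split '22/open/tcp//ssh///, ...' into one dict per port."""
    ports = []
    for entry in body.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # Fields: port/state/protocol/owner/service/rpc info/version/
        parts = entry.split("/")
        if len(parts) < 7:
            raise ValueError(f"malformed port entry {entry!r}")
        ports.append({"port": int(parts[0]), "state": parts[1], "proto": parts[2],
                      "service": parts[4], "version": parts[6]})
    return ports


def parse_gnmap(text: str) -> dict[str, dict]:
    """Return {address: {"hostname", "status", "ports", "ignored"}} for every host seen."""
    hosts: dict[str, dict] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                   # comment lines and blanks
        rec = hosts.setdefault(m.group("addr"), {
            "hostname": m.group("name") or None, "status": None, "ports": [], "ignored": None,
        })
        for field in m.group("rest").split("\t"):
            field = field.strip()
            if field.startswith("Status:"):
                rec["status"] = field.split(":", 1)[1].strip()
            elif field.startswith("Ports:"):
                body = field.split(":", 1)[1]
                ign = IGNORED_RE.search(body)          # only present when fields are space-separated
                if ign:
                    body = body[:ign.start()]
                    rec["ignored"] = (ign.group("state"), int(ign.group("count")))
                rec["ports"].extend(_parse_port_field(body))
            elif field.startswith("Ignored State:"):
                ign = IGNORED_RE.search(field)
                if ign:
                    rec["ignored"] = (ign.group("state"), int(ign.group("count")))
    return hosts


def hosts_with_open(hosts: dict[str, dict], port: int, proto: str = "tcp") -> list[str]:
    """Addresses whose scan shows the given port open; filtered does not count."""
    hits = [addr for addr, rec in hosts.items()
            if any(p["port"] == port and p["proto"] == proto and p["state"] == "open"
                   for p in rec["ports"])]
    return sorted(hits, key=ipaddress.ip_address)      # numeric order, not string order


def open_ports(hosts: dict[str, dict], addr: str) -> list[tuple[int, str, str]]:
    """(port, proto, service) for every open port of one host, lowest port first."""
    return sorted((p["port"], p["proto"], p["service"])
                  for p in hosts[addr]["ports"] if p["state"] == "open")


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("hosts with 80/tcp open:", hosts_with_open(scan, 80))
    for addr in scan:
        print(addr, open_ports(scan, addr))
```

Because the parser keeps the Ignored State count, you can also sanity-check a run: the listed ports plus the ignored count should add up to the number of ports you asked for (65535 for -p-), and a shortfall means the file was cut off.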
Compare different host discovery techniques on your lab network:
# Standard ping scan
sudo nmap -sn 192.168.1.0/24 -oN ping_scan.txt
# TCP SYN ping to common ports
sudo nmap -PS22,80,443 -sn 192.168.1.0/24 -oN syn_ping.txt
# TCP ACK ping to common ports
sudo nmap -PA22,80,443 -sn 192.168.1.0/24 -oN ack_ping.txt
# UDP ping to common ports
sudo nmap -PU53,161 -sn 192.168.1.0/24 -oN udp_ping.txt
Compare the results and note which hosts appear in every list and which were found by only one probe type; those are the hosts whose filtering you will have to work around later.
Identify hosts with firewalls by analyzing port states:
# Scan common ports
sudo nmap -p 21,22,23,25,80,443,445,3389 192.168.1.0/24 -oN firewall_test.txt
Analyze the results: hosts with a mix of open and closed ports are answering freely, while hosts that show only filtered ports sit behind a drop rule. For a closer look at one host, add --reason to see what each state was based on (-A adds OS detection, version detection, script scanning and traceroute, which is slower and much louder):
sudo nmap -p 21,22,23,25,80,443,445,3389 -A --reason 192.168.1.x
Identify UDP services on your network:
# Fast UDP scan of common ports
sudo nmap -sU --top-ports=20 192.168.1.0/24 -oN udp_services.txt
Analyze the results and separate the ports reported as open (the service answered) from those reported as open|filtered (no answer), which need a follow-up such as version detection (-sV) to confirm.
Perform scans at different times and compare the results:
# Morning scan
sudo nmap -sS 192.168.1.0/24 -oX morning.xml
# Evening scan
sudo nmap -sS 192.168.1.0/24 -oX evening.xml
# Compare using ndiff
ndiff morning.xml evening.xml > differences.txt
Analyze the differences: ndiff prints lines prefixed with + and - for hosts and ports whose state changed between the two runs. A machine that was up in the morning and absent in the evening is more likely a workstation or laptop than a server, and a port that appears in only one run deserves a second look.
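As an added example (not the course's code, and not ndiff), the Python below parses the XML format shown earlier and compares a morning and an evening scan the way this exercise does with ndiff: hosts that appeared or vanished, and per-host port state changes. It reads the same elements the XML listing contained (host status and reason, addresses, port states and service names) plus the extraports element, which is what lets it say that a port absent from the morning list was "closed" rather than unknown. MORNING_XML and EVENING_XML are constructed samples trimmed to the elements the parser uses; a full file produced by -oX parses the same way.

```python
"""Parse Nmap XML output and compare two runs, ndiff style.

Added example, not code from the course or from Nmap. The two XML documents
are constructed, trimmed samples of what -oX writes.
"""
import xml.etree.ElementTree as ET

MORNING_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX morning.xml 10.129.2.0/24" version="7.94">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.129.2.28" addrtype="ipv4"/><address addr="DE:AD:00:00:BE:EF" addrtype="mac"/>
<ports><extraports state="closed" count="997"><extrareasons reason="resets" count="997"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="smtp" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" method="table" conf="3"/></port>
</ports></host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.129.2.4" addrtype="ipv4"/>
<ports><extraports state="closed" count="999"><extrareasons reason="resets" count="999"/></extraports>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="https" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""

EVENING_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX evening.xml 10.129.2.0/24" version="7.94">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<ports><extraports state="closed" count="996"><extrareasons reason="resets" count="996"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="smtp" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ms-wbt-server" method="table" conf="3"/></port>
</ports></host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.129.2.10" addrtype="ipv4"/>
<ports><extraports state="closed" count="999"><extrareasons reason="resets" count="999"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""


def parse_nmap_xml(text: str) -> dict[str, dict]:
    """Return {ipv4: {"state", "reason", "default_state", "ports": {(proto, port): {...}}}}."""
    hosts: dict[str, dict] = {}
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        status = host.find("status")
        extra = host.find("ports/extraports")
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": service.get("name") if service is not None else None,
            }
        hosts[addr.get("addr")] = {
            "state": status.get("state") if status is not None else None,
            "reason": status.get("reason") if status is not None else None,
            # Ports missing from the list are in the collapsed "Not shown" state.
            "default_state": extra.get("state") if extra is not None else None,
            "ports": ports,
        }
    return hosts


def _port_state(rec: dict, key: tuple[str, int]) -> str:
    entry = rec["ports"].get(key)
    return entry["state"] if entry is not None else (rec["default_state"] or "unknown")


def diff_scans(old: dict[str, dict], new: dict[str, dict]) -> dict:
    """Hosts that appeared or vanished, and per-host port state changes."""
    result = {"new_hosts": sorted(set(new) - set(old)),
              "gone_hosts": sorted(set(old) - set(new)),
              "port_changes": {}}
    for addr in sorted(set(old) & set(new)):
        changes = []
        for key in sorted(set(old[addr]["ports"]) | set(new[addr]["ports"])):
            before, after = _port_state(old[addr], key), _port_state(new[addr], key)
            if before != after:
                changes.append((key[1], key[0], before, after))
        if changes:
            result["port_changes"][addr] = changes
    return result


if __name__ == "__main__":
    report = diff_scans(parse_nmap_xml(MORNING_XML), parse_nmap_xml(EVENING_XML))
    print("new hosts:", report["new_hosts"])
    print("gone hosts:", report["gone_hosts"])
    for addr, changes in report["port_changes"].items():
        for port, proto, before, after in changes:
            print(f"{addr} {port}/{proto}: {before} -> {after}")
```

With real files, replace the two string constants with open("morning.xml").read() and open("evening.xml").read(); everything else stays the same. The reason attributes are carried through so that a host whose status reason flips (arp-response one run, echo-reply the next) can be spotted as well.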
Problem: Your scan doesn't find any hosts, even though you know they exist.
Solutions:
Use -Pn so that Nmap port-scans the addresses without waiting for a ping reply:
nmap -Pn 192.168.1.0/24
Or try several probe types at once, so that a single blocked protocol does not hide the host:
nmap -PS22,80 -PA443 -PU161 -sn 192.168.1.0/24
Problem: UDP scans take an extremely long time to complete.
Solutions:
Scan only the most common ports:
nmap -sU --top-ports=20 192.168.1.0/24
Use a faster timing template:
nmap -sU -T4 --top-ports=20 192.168.1.0/24
Or force a minimum packet rate, accepting that a target which rate-limits ICMP errors will then report more ports as open|filtered instead of closed:
nmap -sU --min-rate=1000 --top-ports=20 192.168.1.0/24
Problem: You see "Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn", or Nmap refuses to run a scan type.
Solution:
The "Host seems down" note means the discovery probes went unanswered; add -Pn as the message suggests. Raw-packet scan types such as -sS and -sU, and the ARP, ICMP and TCP ACK discovery probes, need root privileges, so run Nmap with sudo or administrator privileges:
sudo nmap -sS 192.168.1.1
Problem: You get different results when scanning the same target multiple times.
Solutions:
Inconsistent results usually mean probes or replies are being lost, so slow the scan down rather than speeding it up (the -T4 template lowers the retry limit), and restore a generous retry limit if an earlier option reduced it:
nmap -T2 192.168.1.0/24
nmap --max-retries 10 192.168.1.0/24
In the next episode, we'll explore:
1. What is the primary purpose of host discovery in network scanning?
2. Which Nmap option is used to perform a ping scan, disabling port scanning?
3. What is the most efficient host discovery technique to use when scanning hosts on the same local network segment?
4. In situations where a target network might block ICMP requests, which Nmap option can be used to skip the host discovery phase and assume all specified targets are online?
5. When using the `-oA` option to save Nmap scan results, in which three formats are the results saved?
