
# Host Discovery

```
nmap -sn [IP]
nmap -sn 192.168.1.0/24
nmap -iL [Filename]    # reads the targets to scan from a file
```

In penetration testing, **host discovery** is the process of identifying which hosts are active on a network. Nmap provides various techniques to accomplish this, each suited to different situations based on factors such as **network characteristics**, **stealth requirements**, and the specific **goals of the pentest**.

Some commonly used host discovery techniques include:

* **ICMP Echo Request (Ping)**: Sends a ping to check if a host is responding.
* **TCP SYN Scan**: Sends a TCP SYN packet to a specific port to see if the host is listening.
* **ARP Requests**: Used for discovering hosts on a local network (LAN).
* **TCP ACK Scan**: Checks if a host is filtering packets without revealing open ports.

The choice of technique depends on the level of stealth required and the type of network being scanned (internal vs. external). Each method provides different levels of effectiveness based on firewalls, filters, and network configurations.

## Techniques

| **Technique**                       | **Packet Sent**   | **Expected Packet for a Live Host**    | **Pros (When to Use)**                                                            | **Cons (When Not to Use)**                                             |
| ----------------------------------- | ----------------- | -------------------------------------- | --------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
| **Ping Sweeps (ICMP Echo Request)** | ICMP Echo Request | ICMP Echo Reply                        | Quick and commonly used; ideal for networks that allow ICMP traffic               | Often blocked by firewalls; Windows hosts do not answer echo requests by default |
| **ARP Scanning**                    | ARP Request       | ARP Reply                              | Effective on local networks (LANs); accurate results in the same broadcast domain | Only works within a local network, not for external or routed networks |
| **TCP SYN Ping (Half-Open Scan)**   | TCP SYN           | TCP SYN-ACK                            | Stealthier than ICMP; useful in bypassing ICMP restrictions                       | May be blocked by firewalls or Intrusion Detection Systems (IDS)       |
| **UDP Ping**                        | UDP Packet        | ICMP Port Unreachable (closed port); no response is inconclusive | Useful for discovering hosts that don't respond to ICMP or TCP                    | Can be slow due to lack of acknowledgment; prone to packet loss        |
| **TCP ACK Ping**                    | TCP ACK           | TCP RST                                | Effective in bypassing firewalls that block SYN or ICMP pings                     | Less stealthy; may trigger firewall alerts                             |
| **SYN-ACK Ping**                    | TCP SYN-ACK       | TCP RST                                | Good for detecting firewalled or closed ports; slightly stealthier than SYN scans | Can be blocked by firewalls; not useful if all ports are filtered      |

## Pingsweep/Ping Scan

**Pingsweep** is a network scanning technique used to identify live hosts (e.g., computers or servers) within a specific IP address range. It works by sending **ICMP Echo Request (Type 8, Code 0)** messages to multiple IP addresses. If a host is reachable, it responds with an **ICMP Echo Reply (Type 0, Code 0)** message, indicating that the host is active.

If no response is received, it could mean the host is offline, unreachable due to network issues, or blocking ICMP traffic via a firewall. Pingsweeps help assess the availability of devices on a network but require careful interpretation of results.
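The two message types above are easy to recognise on the wire, and a defender's first use for that is spotting a sweep in progress. The following is an added example, not code from the original page: it serialises and decodes ICMP Echo Request (Type 8, Code 0) and Echo Reply (Type 0, Code 0) messages with the RFC 1071 checksum, then runs a simple sliding-window rule over a constructed packet list to flag any source that sends echo requests to many distinct destinations in a short time. All packets are built in memory; nothing is sent on a network, and the addresses and thresholds are this example's own.

```python
"""Added example (not from the original page): build and parse ICMP echo
messages the way a sweep produces them, then flag ping-sweep behaviour.

Everything here is constructed for the example: the packets are built in
memory and nothing is sent on the network."""
import struct
from collections import defaultdict

ICMP_ECHO_REPLY = 0      # Type 0, Code 0
ICMP_ECHO_REQUEST = 8    # Type 8, Code 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length to 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialise an Echo Request (type 8) or Echo Reply (type 0) with code 0."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; a valid message checksums to zero."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0,
    }


def detect_ping_sweep(events, threshold: int = 8, window: float = 5.0) -> dict:
    """events: (timestamp, src_ip, dst_ip, icmp_bytes). Returns {src: n} for
    every source that sent Echo Requests to >= threshold distinct destinations
    inside any `window`-second span (n is the largest count seen)."""
    recent = defaultdict(list)               # src -> [(ts, dst)] inside window
    flagged = {}
    for ts, src, dst, raw in sorted(events, key=lambda e: e[0]):
        msg = parse_icmp(raw)
        if msg["type"] != ICMP_ECHO_REQUEST or not msg["checksum_ok"]:
            continue                         # replies are answers, not probes
        bucket = [(t, d) for t, d in recent[src] if ts - t <= window]
        bucket.append((ts, dst))
        recent[src] = bucket
        distinct = len({d for _, d in bucket})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def constructed_events() -> list:
    """Constructed traffic: one sweep of 10.0.0.1-20 plus benign monitoring."""
    events = []
    for i in range(1, 21):
        req = build_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=i)
        events.append((0.1 * i, "10.0.0.5", "10.0.0.%d" % i, req))
        if i % 2 == 0:                       # every other host is up and replies
            rep = build_echo(ICMP_ECHO_REPLY, ident=0x1234, seq=i)
            events.append((0.1 * i + 0.01, "10.0.0.%d" % i, "10.0.0.5", rep))
    for s in range(30):                      # a monitor pinging one host per second
        events.append((float(s), "10.0.0.7", "10.0.0.1",
                       build_echo(ICMP_ECHO_REQUEST, ident=7, seq=s)))
    return events


if __name__ == "__main__":
    for src, n in detect_ping_sweep(constructed_events()).items():
        print("possible ping sweep from %s: %d distinct targets" % (src, n))
```

The rule only counts requests, so the replies from live hosts and the monitor that pings a single address every second are not flagged; only the source that touched twenty addresses in two seconds is. Real sensors will want the threshold tuned per network and will also see sweeps spread over longer windows, which this fixed window would miss.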

One common method is a **ping sweep** (or **ping scan**), where **Nmap** sends ICMP echo requests to multiple IP addresses and records which hosts respond, indicating they are active. Additionally, Nmap can use other techniques such as **ARP requests** and **TCP/UDP probes** to find hosts that block ICMP.

```
nmap -sn 192.168.1.0/24
```

Running this command performs a **ping scan** (or ping sweep) without scanning any ports: it reports which hosts are up without probing for open ports or services.

## Pingsweep with Sudo vs Without Sudo

When you run `nmap -sn` with or without sudo, the difference lies in the types of probes Nmap is able to send, particularly regarding privileged network operations.

### Without sudo (non-privileged mode)

In this mode, Nmap operates with **user-level permissions** and lacks access to raw packet sockets. As a result, Nmap cannot send raw ICMP echo requests (ping) and falls back to alternative methods such as:

* **TCP SYN ping:** Sends TCP SYN packets to port 80 or other common ports and checks for a response (SYN-ACK or RST), either of which indicates the host is up.
* **ARP scan (on local networks):** If you're scanning within the **same local subnet**, Nmap uses ARP (Address Resolution Protocol) requests to identify live hosts, since ARP doesn't require root privileges on most systems. ARP takes priority on a local subnet because it maps IP addresses directly to MAC addresses, which makes it faster and more reliable than IP-based probes.

These alternative methods can still detect live hosts but may result in less accurate or partial results compared to privileged scans, especially across different network segments (e.g., non-local networks).

### With sudo (privileged mode)

When sudo is used, Nmap has root-level access to raw sockets, enabling it to use more accurate and direct host discovery techniques.

* **ICMP Echo Request (ping):** Nmap can now send raw ICMP echo requests (Type 8, Code 0) directly to targets, which is the most reliable method to check for host availability.
* **ICMP Timestamp Request/Reply:** Nmap may also send timestamp requests to detect live hosts that may not respond to standard ping.
* **UDP pings:** In some cases, Nmap can send UDP-based probes to specific ports for additional host discovery.
* **TCP ACK ping:** In privileged mode, Nmap can send TCP ACK packets to a range of ports to detect hosts based on their response.

### Summary of Differences

**Raw Socket Access:** sudo enables raw socket access, allowing Nmap to use native ICMP pings, which are blocked in non-privileged mode.

**Scan Accuracy:** Scans without sudo might miss hosts that don't respond to the fallback TCP SYN or ARP pings, especially if the target hosts have firewalls blocking certain ports or protocols.

**Host Detection:** With sudo, Nmap can leverage a broader set of network protocols, leading to more thorough and accurate host discovery, especially on non-local networks.

In conclusion, running `nmap -sn` **with sudo** enhances the effectiveness of the scan by allowing direct access to *low-level packet generation and analysis*.

## Other Misc. Techniques

```
nmap -sn [IP] --send-ip
```

* *With this flag*: Nmap sends raw IP packets or raw Ethernet frames. This is useful for bypassing local network restrictions or manipulating packet headers for low-level scanning.
* *Without this flag*: Nmap uses the default methods to send packets, which could involve system-level APIs, possibly limited by the network stack.

```
nmap -PS [IP]        # (1)
nmap -sn -PS [IP]    # (2)
```

1. SYN Ping: Sends TCP SYN packets to discover hosts. By default, it sends SYN packets to port 80. This technique can be used for host discovery without a full port scan.
2. This command performs host discovery using TCP SYN ping. It does not perform a full port scan (`-sn` disables port scanning). Ports are specified for SYN ping, e.g., `-PS22` for SSH.

```
nmap -PA [IP]
```

ACK Ping: Sends TCP ACK packets to specified ports for host discovery. Useful in networks where SYN packets are blocked. Some firewalls or systems might block ACK packets, making it ineffective in those cases.

```
nmap -PE [IP]
```

ICMP Echo: Sends ICMP Echo Requests (similar to `ping`) to discover active hosts. Use this when ICMP is not blocked, as it can be faster for discovering live hosts.

```
nmap -sn -v -T4 [IP]
```

Performs host discovery (`-sn`), with verbose output (`-v`), and sets the timing to level 4 (`-T4`), which speeds up the scan without causing excessive network load. Use this for quick network sweeps.

```
nmap -sn -PS21,22,25,80,443,445,3389,8080 -PU137,138 -T4 [IP]
```

This command does host discovery by sending SYN pings to specific ports (21, 22, etc.) and UDP pings to ports 137 and 138. It's useful when both TCP and UDP services are present on a network.
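Sweeps like the ones above are usually scripted, and the useful part is what you do with the list of hosts afterwards. The following is an added example, not code from the original page: it parses the normal-format output of an `nmap -sn` run (including the `[host down]` lines that appear with `-v`) into host records, cross-checks the count against Nmap's own "Nmap done" summary, and reports any live host that is missing from a known asset inventory. `SAMPLE_OUTPUT` is constructed for this example; its hostnames and MAC addresses do not belong to real devices, and the inventory set is an assumption.

```python
"""Added example (not from the original page): parse the normal-format
output of an `nmap -sn` sweep into host records and compare the live hosts
against an expected inventory. SAMPLE_OUTPUT is constructed for this example;
the MAC addresses and names in it are not real devices."""
import re

SAMPLE_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0012s latency).
MAC Address: AA:BB:CC:00:00:01 (Unknown)
Nmap scan report for 192.168.1.20
Host is up (0.045s latency).
MAC Address: AA:BB:CC:00:00:14 (Unknown)
Nmap scan report for 192.168.1.30
Host is up.
Nmap scan report for 192.168.1.40 [host down]
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.52 seconds
"""

# "Nmap scan report for name (ip)" or "... for ip", optionally "[host down]" (-v)
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?"
    r"(?P<down> \[host down\])?$")
UP_RE = re.compile(r"^Host is up(?: \((?P<latency>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) \((?P<vendor>.*)\)$")
DONE_RE = re.compile(r"^Nmap done: \d+ IP addresses? \((?P<up>\d+) hosts? up\)")


def parse_ping_sweep(text: str) -> list:
    """Return one dict per reported host: ip, name, up, latency_s, mac, vendor."""
    hosts, current = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {"ip": m["ip"], "name": m["name"], "up": m["down"] is None,
                       "latency_s": None, "mac": None, "vendor": None}
            hosts.append(current)
            continue
        if current is None:
            continue                         # banner lines before the first report
        m = UP_RE.match(line)
        if m:
            current["up"] = True
            current["latency_s"] = float(m["latency"]) if m["latency"] else None
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"], current["vendor"] = m["mac"], m["vendor"]
    return hosts


def reported_up_count(text: str):
    """The host count Nmap itself printed in the 'Nmap done' line, or None."""
    for line in text.splitlines():
        m = DONE_RE.match(line)
        if m:
            return int(m["up"])
    return None


def unexpected_hosts(hosts: list, inventory: set) -> list:
    """Live hosts whose IP is not in the known inventory (assets to investigate)."""
    return [h["ip"] for h in hosts if h["up"] and h["ip"] not in inventory]


if __name__ == "__main__":
    hosts = parse_ping_sweep(SAMPLE_OUTPUT)
    for h in hosts:
        print(h)
    print("unexpected:", unexpected_hosts(hosts, {"192.168.1.1", "192.168.1.20"}))
```

MAC addresses only appear when the sweep ran with privileges on the local subnet (ARP), so `mac` is `None` for routed targets; the `Nmap done` count is worth comparing with the parsed list because a truncated or interleaved log is the usual reason the two disagree.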

## Glossary

**Subnet**: A subnet (short for subnetwork) is a logical subdivision of an IP network. It divides a larger network into smaller, manageable segments, improving efficiency and security.

**CIDR (Classless Inter-Domain Routing)**: CIDR is a method for allocating IP addresses more flexibly. It uses a suffix (like `/24`) to indicate how many bits of the IP address are used for the network portion, replacing the traditional class-based system.

**Netmask**: A netmask is used to define which portion of an IP address identifies the network and which part identifies the host. It is often written like `255.255.255.0` to represent how many bits are allocated for the network.

**ARP Request (Address Resolution Protocol)**: An ARP request is a message sent by a device **to find the MAC address** associated with an IP address on the local network, enabling communication between devices.
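The subnet, CIDR and netmask terms above all describe the same thing from the scanner's point of view: which addresses a target specification expands to. The following is an added example, not code from the original page: it converts a dotted netmask to a prefix length and expands the IPv4 target notations Nmap accepts on the command line (a single address, `a.b.c.d/24`, `a.b.c.d/255.255.255.0`, and per-octet ranges or lists such as `192.168.1.1-10`) into the address list a sweep would cover. The helper names are this example's own.

```python
"""Added example (not from the original page): expand the IPv4 target
notations Nmap accepts on the command line (single address, CIDR prefix,
dotted netmask, per-octet ranges and lists) into the addresses a sweep covers.
The helper names are this example's own."""
import ipaddress
import itertools
import re

OCTET_PART = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def netmask_to_prefix(netmask: str) -> int:
    """255.255.255.0 -> 24; ipaddress rejects non-contiguous masks."""
    return ipaddress.ip_network("0.0.0.0/%s" % netmask).prefixlen


def _expand_octet(spec: str) -> list:
    """'1,3,5-7' -> [1, 3, 5, 6, 7]; a bare '-' means the full 0-255 range."""
    values = []
    for part in spec.split(","):
        if part == "-":
            values.extend(range(256))
            continue
        m = OCTET_PART.match(part)
        if not m:
            raise ValueError("bad octet spec: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError("octet range out of order or outside 0-255: %r" % part)
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> list:
    """Return the address strings covered by one target spec, in scan order.
    A prefix or netmask covers the whole block, network and broadcast
    addresses included, which is why Nmap reports 256 addresses for a /24."""
    if "/" in spec:
        addr, mask = spec.split("/", 1)
        prefix = int(mask) if mask.isdigit() else netmask_to_prefix(mask)
        net = ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)
        return [str(a) for a in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: %r" % spec)
    return [".".join(map(str, combo))
            for combo in itertools.product(*(_expand_octet(o) for o in octets))]


if __name__ == "__main__":
    for s in ("192.168.1.0/24", "192.168.1.0/255.255.255.0", "10.0.0-1.5", "192.168.1.1-3,10"):
        hosts = expand_target(s)
        print("%-28s %4d addresses, first %s, last %s" % (s, len(hosts), hosts[0], hosts[-1]))
```

`strict=False` mirrors the scanner's behaviour of accepting a host address with a prefix (`192.168.1.77/24` covers the same block as `192.168.1.0/24`); the expansion is what you would feed to an inventory check or an allow-list review before a sweep is run.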


