Introduction
When Nmap scans a target, it first runs host discovery to decide which addresses are live before it spends time port scanning them. The default probe set (for a privileged user scanning remote hosts) is an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; on a local Ethernet segment Nmap sends ARP requests instead, and an unprivileged user gets only TCP connect attempts to ports 80 and 443. Relying on ICMP echo alone is a poor test, because firewalls frequently drop it and a host that stays silent is then reported as down and skipped.
Against a filtered or properly configured network these defaults can miss live hosts. Nmap's host discovery options let you choose which probes are sent, so that a packet the firewall does let through still reveals the host.
Scan without Ping
Before port scanning, Nmap runs its default host discovery to check whether each target is alive. When a firewall drops those probes, a live host is reported as "down" and never port scanned, so it becomes necessary to skip the check. A scan without host discovery is performed like this:
nmap -Pn 10.0.2.4
The -Pn argument (spelled -PN or -P0 in older releases, both still accepted) skips host discovery entirely and treats every target as up, so the port scan proceeds even when no probe was answered. The cost is that unreachable addresses are port scanned too, which is slow on large ranges, so use it on specific targets rather than whole subnets.
Only Ping
When you only want a quick test of which hosts are alive, without port scanning them, use the ping-only (no port scan) option. This can be done like this:
nmap -sn 10.0.2.4
Older releases called this -sP, which is still accepted. -sn uses the same default probe set described above, and it can be combined with any of the -P options below to choose different probes.
TCP SYN PING
This argument sends a TCP SYN packet to the target and waits for a reply. Either a SYN/ACK (port open) or a RST (port closed) proves the host is up; only silence or an ICMP error means it is filtered or down. The default port is 80, and a list can be given directly after the option with no space, for example -PS22,80,443, which is worth doing because a firewall that drops SYNs to port 80 may still pass them to a service the site actually exposes. This option is useful when the target blocks or rejects standard ICMP requests. Raw SYN probes need root; without it Nmap falls back to a full connect(). This can be done like this:
nmap -PS 10.0.2.4
TCP ACK PING
This argument sends a TCP ACK packet (default port 80, list ports as -PA22,80 if needed) that does not belong to any existing connection. A host that receives it replies with a RST, which marks it as up. This gets past stateless packet filters that allow ACK packets through on the assumption that they belong to established connections, and it is useful when standard ICMP requests are blocked; a stateful firewall, however, knows the ACK matches no session and drops it, so it is common to send both -PS and -PA together. This can be done like this:
nmap -PA 10.0.2.4
UDP PING SCAN
This argument sends a UDP packet instead of a TCP packet, by default to port 40125, a port chosen precisely because it is unlikely to be open. A closed UDP port normally answers with an ICMP port unreachable message, which proves the host is alive; an open port usually stays silent, which is why an obscure port is used. Networks whose firewall only screens TCP, or which rate-limit ICMP echo but not other ICMP errors, can be discovered this way. This can be done using:
nmap -PU 10.0.2.4
SCTP INIT PING
This option sends an SCTP INIT chunk (default port 80) to locate hosts speaking the Stream Control Transmission Protocol, which is mostly found on telecom and signalling infrastructure. An INIT-ACK or an ABORT reply both mark the host as up. An SCTP ping can be done using:
nmap -PY 10.0.2.4
ICMP Echo Ping
This option sends a standard Internet Control Message Protocol (ICMP) echo request, the same probe as the ping utility, and marks the host up if an echo reply comes back. Well configured networks often do not respond to ICMP echo requests, so on its own this probe is the easiest one for a firewall to defeat. This can be done using:
nmap -PE 10.0.2.4
ICMP Timestamp Ping
Many well configured networks drop ICMP echo requests, but some filter only echo (type 8) and still let an ICMP timestamp request (type 13) through, and the host's stack answers it with a timestamp reply. An ICMP timestamp scan can be done using:
nmap -PP 10.0.2.4
ICMP Address Mask Ping
This sends an ICMP address mask request (type 17), an obsolete but standard ICMP message that many firewall rule sets forget to block. Few modern operating systems answer it, but when a reply comes back it proves the host is up. An address mask ping scan can be done using:
nmap -PM 10.0.2.4
ARP Ping
The ARP ping scan is much faster and more accurate than the conventional ICMP ping methods, but it only works for hosts on the same local Ethernet segment as the scanner. Because every host must answer ARP requests to communicate at all, a host-based or IP-layer firewall cannot hide it from this probe. When run as root against a local network, Nmap uses ARP automatically even if another -P option is given (use --disable-arp-ping to turn that off). An ARP ping scan can be performed explicitly using:
nmap -PR 10.0.2.4
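In practice you rarely rely on a single probe type: you combine several of the options above in one ping-only sweep and then look at which reply each host actually gave, which tells you what the firewall lets through. The following Python script is an added example, not part of the original post and not Nmap's own code. It builds such a sweep (ICMP echo and timestamp, TCP SYN to 22/80/443, TCP ACK to 80, UDP to 40125) with --reason so Nmap records why each host was marked up, and parses the XML output into a table of host, state, reason and the probe type that reason corresponds to. The parse_discovery function works offline on XML text; run_sweep is the only part that actually needs nmap on the PATH and root privileges, and SAMPLE_XML is a constructed, trimmed sample of Nmap's XML format used only to exercise the parser.

```python
#!/usr/bin/env python3
"""Multi-probe host discovery sweep: which probe did each host answer?

Added example for this post, not Nmap's own code. parse_discovery() works
offline on XML text; run_sweep() assumes nmap is on PATH and runs as root.
"""
import subprocess
import xml.etree.ElementTree as ET

# Probe set discussed in the post. -sn = no port scan, -n = no DNS,
# --reason records which reply marked the host up, -oX - = XML to stdout.
DISCOVERY_ARGS = ["-sn", "-n", "-PE", "-PP", "-PS22,80,443", "-PA80",
                  "-PU40125", "--reason", "-oX", "-"]

# Nmap's reason strings mapped to the discovery probe that produced them.
REASON_TO_PROBE = {
    "echo-reply": "ICMP echo (-PE)",
    "timestamp-reply": "ICMP timestamp (-PP)",
    "addressmask-reply": "ICMP address mask (-PM)",
    "syn-ack": "TCP SYN (-PS, open port)",
    "reset": "TCP SYN or ACK (-PS/-PA, RST reply)",
    "port-unreach": "UDP (-PU, ICMP port unreachable)",
    "arp-response": "ARP (-PR)",
    "user-set": "none: host assumed up (-Pn)",
    "no-response": "none: no probe answered",
}


def parse_discovery(xml_text):
    """Return {ip: (state, reason, probe description)} from Nmap XML output."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or addr is None:
            continue
        reason = status.get("reason", "")
        probe = REASON_TO_PROBE.get(reason, "unknown reason: " + reason)
        hosts[addr.get("addr")] = (status.get("state"), reason, probe)
    return hosts


def up_hosts(xml_text):
    """Sorted list of addresses Nmap marked as up, for feeding into a port scan."""
    return sorted(ip for ip, (state, _, _) in parse_discovery(xml_text).items()
                  if state == "up")


def run_sweep(target):
    """Run the sweep with nmap (raw probes need root) and parse the result."""
    proc = subprocess.run(["nmap", *DISCOVERY_ARGS, target],
                          check=True, capture_output=True, text=True)
    return parse_discovery(proc.stdout)


# Constructed sample output, trimmed to the elements the parser uses.
# The "down" entry shows the no-response case; three hosts answered three
# different probes, which is exactly the information a sweep like this gives.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -n -PE -PP -PS22,80,443 -PA80 -PU40125 --reason -oX - 10.0.2.0/29">
<host><status state="up" reason="echo-reply" reason_ttl="64"/><address addr="10.0.2.1" addrtype="ipv4"/></host>
<host><status state="up" reason="reset" reason_ttl="128"/><address addr="10.0.2.4" addrtype="ipv4"/></host>
<host><status state="up" reason="syn-ack" reason_ttl="63"/><address addr="10.0.2.5" addrtype="ipv4"/></host>
<host><status state="down" reason="no-response" reason_ttl="0"/><address addr="10.0.2.6" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    for ip, (state, reason, probe) in parse_discovery(SAMPLE_XML).items():
        print(f"{ip:12} {state:5} {reason:15} {probe}")
    print("up:", " ".join(up_hosts(SAMPLE_XML)))
```

In the sample, 10.0.2.4 was found only through a RST, meaning ICMP echo was filtered but a SYN or ACK to one of the listed ports got through; that is the kind of detail that tells you which -P options to keep for the rest of the engagement, and up_hosts() gives you the list to pass to a subsequent port scan with -Pn so host discovery is not repeated.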