Discovering live hosts with Nmap
We will leverage the protocols to discover the live hosts.
- ARP from Data-link Layer
- ICMP from Network Layer
- TCP or UDP from Transport Layer
Although TCP and UDP are transport layers, for network scanning purposes, a scanner can send a specially-crafted packet to common TCP or UDP ports to check whether the target will respond. This method is efficient, especially when
ICMP Echo is blocked.
# Approaches to discover hosts
When no host discovery options are provided, Nmap follows the following approaches to discover live hosts:
- When a privileged user tries to scan targets on a local network (Ethernet), Nmap uses ARP requests. A privileged user is
rootor a user who belongs to sudoers.
- When a privileged user tries to scan targets outside the local network, Nmap uses ICMP
echorequests, TCP ACK (Acknowledge) to port 80, TCP SYN (Synchronize) to port 443, and ICMP
- When an unprivileged user tries to scan targets outside the local network, Nmap resorts to a TCP 3-way handshake by sending SYN packets to ports 80 and 443.
Nmap, by default, uses a ping scan to find live hosts, then proceeds to scan live hosts only.
If you want to use Nmap to discover online hosts without port-scanning the live systems, we can issue:
# Types of ICMP Requests
We can make Nmap to use ICMP requests with these flags:
-PM- address mask