We will leverage the protocols to discover the live hosts.
Although TCP and UDP are transport layers, for network scanning purposes, a scanner can send a specially-crafted packet to common TCP or UDP ports to check whether the target will respond. This method is efficient, especially when ICMP Echo is blocked.
Approaches to discover hosts
When no host discovery options are provided, Nmap follows the following approaches to discover live hosts:
- When a privileged user tries to scan targets on a local network (Ethernet), Nmap uses ARP requests. A privileged user is
rootor a user who belongs to sudoers. - When a privileged user tries to scan targets outside the local network, Nmap uses icmp
echorequests, TCP ACK (Acknowledge) to port 80, TCP SYN (Synchronize) to port 443, and ICMPtimestamprequest. - When an unprivileged user tries to scan targets outside the local network, Nmap resorts to a TCP 3-way handshake by sending SYN packets to ports 80 and 443.
Nmap, by default, uses a ping scan to find live hosts, then proceeds to scan live hosts only.
If you want to use Nmap to discover online hosts without port-scanning the live systems, we can issue:
sh
nmap -sn TARGETSTypes of ICMP Requests
We can make Nmap to use ICMP requests with these flags:
-PP- timestamp-PM- address mask-PE- echo