Nmap and Network Scanning

4.

4.1.

Purpose of Host Discovery

4.1.1.

Identifying Live Hosts

4.1.1.1.

Network Reconnaissance

4.1.1.2.

Reducing Scan Scope

4.1.2.

Network Mapping

4.1.2.1.

Topology Discovery

4.1.2.2.

Host Enumeration

4.2.

Disabling Port Scans (-sn)

4.2.1.

4.2.2.

When to Use Host Discovery Only

4.2.2.1.

Large Network Surveys

4.2.2.2.

Initial Reconnaissance

4.3.

Host Discovery Techniques

4.3.1.

ICMP Echo Request (-PE)

4.3.1.1.

Traditional Ping

4.3.1.2.

Firewall Considerations

4.3.2.

ICMP Timestamp Request (-PP)

4.3.2.1.

Alternative ICMP Method

4.3.2.2.

Bypassing Echo Blocks

4.3.3.

ICMP Address Mask Request (-PM)

4.3.3.1.

Legacy ICMP Method

4.3.3.2.

Limited Modern Use

4.3.4.

TCP SYN Ping (-PS)

4.3.4.1.

TCP-Based Discovery

4.3.4.2.

Specifying Ports for SYN Ping

4.3.4.2.1.

4.3.4.2.2.

Custom Port Selection

4.3.4.3.

Firewall Evasion

4.3.5.

TCP ACK Ping (-PA)

4.3.5.1.

Stateful Firewall Bypass

4.3.5.2.

Specifying Ports for ACK Ping

4.3.5.2.1.

Common Open Ports

4.3.5.2.2.

Service-Specific Ports

4.3.6.

4.3.6.1.

UDP-Based Discovery

4.3.6.2.

Specifying Ports for UDP Ping

4.3.6.2.1.

Closed Port Strategy

4.3.6.2.2.

Service Port Targeting

4.3.7.

SCTP INIT Ping (-PY)

4.3.7.1.

SCTP Protocol Discovery

4.3.7.2.

Specialized Use Cases

4.3.8.

4.3.8.1.

Local Network Discovery

4.3.8.2.

ARP vs IP-based Discovery

4.3.8.2.1.

Layer 2 vs Layer 3

4.3.8.2.2.

Local Subnet Efficiency

4.3.9.

4.3.9.1.

ICMPv6 Neighbor Discovery

4.3.9.2.

IPv6 Multicast Ping

4.4.

Disabling Host Discovery (-Pn)

4.4.1.

Assume All Hosts Are Up

4.4.2.

Rationale for Skipping Discovery

4.4.2.1.

Heavily Filtered Networks

4.4.2.2.

Known Live Hosts

4.4.3.

Risks and Use Cases

4.4.3.1.

Increased Scan Time

4.4.3.2.

False Positive Reduction

4.5.

Custom Discovery Combinations

4.5.1.

Multiple Discovery Methods

4.5.2.

Discovery Method Selection

4.5.3.

Performance Optimization

Previous

3. Nmap Fundamentals

Go to top

Next

5. Core Port Scanning Techniques