Nmap host discovery scan command parameters


From http://nmap.org

Host discovery

Host discovery is also called ping scanning, but it is far more than sending the simple ICMP echo request packets of the well-known ping tool. You can skip the ping step entirely with a list scan (-sL) or by disabling ping (-P0), and you can combine TCP SYN/ACK, UDP and ICMP probes to multiple ports. The goal of these probes is to get a response that shows whether an IP address is active (in use by a host or a network device).

If no host discovery options are given, Nmap sends a TCP ACK packet to port 80 and an ICMP echo request to each target machine. The one exception is ARP scanning, which is used for any target on the local Ethernet LAN. For non-privileged Unix shell users, a SYN packet is sent via the connect() system call instead of an ACK; this is equivalent to the -PA -PE options. For LAN scanning this default host discovery is generally enough, but for a security audit we recommend more comprehensive probes.

The -P* options (which select the ping type) can be combined. You can send many probes with different TCP ports and flags and different ICMP codes to increase the chance of getting through a strictly configured firewall. Note that even when other -P* options are specified, ARP discovery (-PR) remains the default for targets on the local LAN, because it is almost always faster and more effective.

The following options control host discovery.

-sL (List scan)

A list scan is a degenerate form of host discovery. It simply lists each host on the specified network without sending any packets to the target hosts. By default, Nmap still performs reverse DNS resolution on the hosts to learn their names; the amount of useful information in simple host names is often surprising. For example, fw.chi.playboy.com is the firewall of Playboy's Chicago office. Nmap also reports the total number of IP addresses. A list scan is a good sanity check that you have the correct target IP addresses: if the host names you see are unexpected, it is worth investigating further to avoid scanning another organization's network by mistake.

Since the idea is simply to print a list of target hosts, options for higher-level functionality such as port scanning, OS detection or ping scanning cannot be combined with it. If you want to disable ping scanning and still perform such higher-level functions, read about the -P0 option.

-sP (Ping scan)

This option tells Nmap to only perform ping scanning (host discovery) and then print the hosts that responded. No further tests (such as port scanning or OS detection) are performed. This is one step more intrusive than a list scan and is often used for the same purposes: it gives a light picture of the target network without attracting much attention. For an attacker, knowing how many hosts are up is more valuable than the list of every IP address and host name that a list scan provides.

System administrators often like this option as well. It can easily be used to count the machines on a network or to monitor whether servers are up. This is often called a ping sweep, and it is more reliable than pinging the broadcast address because many hosts do not reply to broadcast requests.

By default, -sP sends an ICMP echo request and a TCP packet to port 80. When executed by an unprivileged user, a SYN packet is sent (using a connect() system call) to port 80 of the target. When a privileged user scans targets on a local Ethernet LAN, ARP requests (-PR) are used unless --send-ip is specified. The -sP option can be combined with any of the -P* probe-type options (except -P0) for greater flexibility. Once any probe type and port options are given, the default probes (ACK and echo request) are overridden. The advanced options are recommended when a well-defended firewall sits between the host running Nmap and the target network; otherwise some hosts may be missed when the firewall captures and drops the probe or the response.
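As an added example (not part of the Nmap documentation or the Nmap code base), the following Python script parses Nmap's greppable output (-oG -) from a list scan or a ping scan, counts hosts by status, and flags any reverse-DNS name outside the domains you are authorized to scan, which is exactly the sanity check the list scan section recommends. The embedded sample output, with its host names and addresses, is constructed for this example, and the script assumes greppable lines of the form "Host: <ip> (<name>)  Status: <state>".

```python
import re
from collections import Counter

# Constructed sample of greppable output for a list scan (-sL). Nmap has not
# sent a packet yet, so every host carries a placeholder status.
SAMPLE_LIST_SCAN = """\
# Nmap scan initiated as: nmap -sL -oG - 10.20.30.0/29
Host: 10.20.30.0 ()\tStatus: Unknown
Host: 10.20.30.1 (fw.chi.example.com)\tStatus: Unknown
Host: 10.20.30.2 (db1.chi.example.com)\tStatus: Unknown
Host: 10.20.30.3 (mail.other-org.net)\tStatus: Unknown
Host: 10.20.30.4 ()\tStatus: Unknown
"""

# Constructed sample for a ping scan (-sP) of the same range: only responders are listed.
SAMPLE_PING_SCAN = """\
# Nmap scan initiated as: nmap -sP -oG - 10.20.30.0/29
Host: 10.20.30.1 (fw.chi.example.com)\tStatus: Up
Host: 10.20.30.2 (db1.chi.example.com)\tStatus: Up
"""

# One "Host:" line: address, optional reverse-DNS name in parentheses, then the status.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_grepable(text):
    """Return a list of (ip, hostname_or_None, status) tuples; comment lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            ip, name, status = m.groups()
            hosts.append((ip, name or None, status))
    return hosts


def unexpected_hostnames(hosts, allowed_suffixes):
    """Return (ip, name) pairs whose name lies outside the domains you are authorized to scan.

    Hosts with no reverse-DNS name are not reported; they simply give no evidence either way.
    """
    flagged = []
    for ip, name, _status in hosts:
        if name is None:
            continue
        permitted = any(name == s.lstrip(".") or name.endswith(s) for s in allowed_suffixes)
        if not permitted:
            flagged.append((ip, name))
    return flagged


def summarize(hosts):
    """Count hosts per status, e.g. {'Up': 2} for a ping scan."""
    return Counter(status for _ip, _name, status in hosts)


if __name__ == "__main__":
    listed = parse_grepable(SAMPLE_LIST_SCAN)
    print("list scan: %d addresses" % len(listed))
    for ip, name in unexpected_hostnames(listed, [".example.com"]):
        print("  WARNING: %s resolves to %s, outside the authorized domains" % (ip, name))
    print("ping scan:", dict(summarize(parse_grepable(SAMPLE_PING_SCAN))))
```

Run the list-scan output through unexpected_hostnames() before any probing starts; a single name that does not belong to your organization is reason enough to re-check the target range.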

-P0 (No ping)

This option completely skips the Nmap discovery phase. Normally Nmap uses that phase to identify the running machines before performing more intensive scanning; by default the intensive probes, such as port scanning, version detection or OS detection, are only run against hosts found to be up. Disabling host discovery with -P0 makes Nmap perform the requested scan against every specified target IP address, so if you specify a class B address space (/16) on the command line, all 65,536 IP addresses are scanned.
The second character in -P0 is the number zero, not the letter O. Like a list scan, this skips normal host discovery, but instead of printing a target list it goes on to perform the requested functions as if every IP address were active.

-PS [portlist] (TCP SYN ping)

This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (configurable at compile time in nmap.h), but an alternate port can be given as an option. You can even specify a comma-separated list of ports (for example -PS22,23,25,80,113,1050,35000), in which case each port is probed concurrently.

The SYN flag tells the other side that you are trying to establish a connection. Normally the destination port is closed and an RST (reset) packet is sent back. If the port happens to be open, the target performs the second step of the TCP three-way handshake by responding with a SYN/ACK packet. The machine running Nmap then tears down the nascent connection by sending an RST rather than the ACK that would complete the handshake. The RST is sent by the kernel of the machine running Nmap, not by Nmap itself, in reaction to the unexpected SYN/ACK.

Nmap does not care whether the port is open or closed. Either the RST or the SYN/ACK response tells Nmap that the host is up.

On Unix machines, usually only the privileged user root can send and receive raw TCP packets. As a workaround for unprivileged users, Nmap uses the connect() system call for each target port, which sends a SYN packet in an attempt to establish a connection. If connect() returns quickly with success or an ECONNREFUSED error, the underlying TCP stack must have received a SYN/ACK or an RST, and the host is marked as up. If the connection attempt is left hanging until it times out, the host is marked as down. This method is also used for IPv6 targets, because Nmap does not currently support raw IPv6 packets.

-PA [portlist] (TCP ACK ping)

The TCP ACK ping is similar to the SYN ping; as you may have guessed, the difference is that the TCP ACK flag is set instead of the SYN flag.
An ACK packet purports to acknowledge data over an established connection, but no such connection exists, so a remote host that is up should always respond with an RST packet, because it never sent a connection request to the machine running Nmap.

The -PA option uses the same default port (80) as the SYN probe and accepts a target port list in the same format. If an unprivileged user tries this, or an IPv6 target is specified, the connect() workaround described above is used instead. This workaround is imperfect because it actually sends SYN packets rather than ACK packets.
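The unprivileged connect() fallback used by both -PS and -PA, written out as an added Python example (this is not Nmap's code): a connect() that succeeds or fails with ECONNREFUSED proves the target's TCP stack answered with SYN/ACK or RST, so the host is marked up; a timeout or any other error gives no such evidence and the host is marked down. Probing several ports at once mirrors a port list such as -PS22,80,443. The helper functions that open and release loopback ports exist only so the verdicts can be exercised locally; the probe_connect and host_is_up names are this example's own.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_connect(host, port, timeout=2.0):
    """Classify a host by the outcome of a single connect() to (host, port).

    Returns "up" when the remote TCP stack answered (either a completed handshake,
    meaning SYN/ACK, or a refused connection, meaning RST) and "down" otherwise.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "up"                  # SYN/ACK came back: port open, host is up
    except ConnectionRefusedError:
        return "up"                  # RST came back: port closed, but the host answered
    except socket.timeout:
        return "down"                # nothing came back before the timeout
    except OSError:
        return "down"                # e.g. network unreachable: no evidence the host is alive
    finally:
        sock.close()                 # drops the nascent connection, as Nmap does after a SYN/ACK


def host_is_up(host, ports, timeout=2.0):
    """Probe every port in the list concurrently; one "up" verdict is enough, as with -PS22,80."""
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        verdicts = list(pool.map(lambda p: probe_connect(host, p, timeout), ports))
    return "up" if "up" in verdicts else "down"


# Helpers for exercising the probe on the loopback interface, with no network access.
def open_listener():
    """Return (socket, port) for a listening TCP socket on 127.0.0.1, i.e. an open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_port():
    """Return a loopback port number with nothing listening on it, i.e. a closed port."""
    srv, port = open_listener()
    srv.close()
    return port


if __name__ == "__main__":
    listener, open_p = open_listener()
    print("open port   ->", probe_connect("127.0.0.1", open_p))          # up (SYN/ACK)
    print("closed port ->", probe_connect("127.0.0.1", closed_port()))   # up (RST)
    print("port list   ->", host_is_up("127.0.0.1", [open_p, closed_port()]))
    listener.close()
```

Both the open and the closed port yield "up", which is the whole point of the section: host discovery needs an answer from the stack, not an open service. Only silence (or an unreachable error from the local network) produces "down".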

The reason for offering both SYN and ACK ping probes is to maximize the chance of getting through a firewall. Many administrators configure routers and other simple firewalls to block incoming SYN packets except to public servers such as the company web site or mail server. This blocks other incoming connections to the organization while still letting users make outgoing connections to the Internet. This stateless approach uses almost no firewall/router resources and is widely supported by hardware and software filters; the Linux Netfilter/iptables firewall offers the convenient --syn option for implementing it. Where such stateless rules are in place, SYN ping probes (-PS) sent to closed target ports are likely to be blocked. In that case the ACK probe shines, because it takes advantage of exactly these rules.

Another common type of firewall uses stateful rules to drop unexpected packets. This feature was once found only on high-end firewalls, but it has become far more common over the years; the Linux Netfilter/iptables --state option supports it by classifying packets according to connection state. SYN probes are more likely to work against such a system, since unexpected ACK packets are generally recognized as bogus and dropped. The solution to this quandary is to send both SYN and ACK probes by specifying -PS and -PA together.
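To make the interaction between the two probe types and the two firewall styles concrete, here is an added Python model (not Nmap code and not a real packet filter) of a first-match input chain: a stateless chain drops bare SYNs to non-public ports (the --syn idea) but lets everything else through, while a stateful chain additionally drops packets that belong to no connection it has seen (the --state idea). Packet, Filter and host_discovered are this example's own names; port 80 stands in for the one public service and port 22 for a non-public one.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Just enough of a TCP segment to evaluate the rules: destination port and two flags."""
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Filter:
    """A tiny first-match packet filter in the spirit of an iptables INPUT chain."""
    allowed_ports: set              # public services, the only ports that may receive a bare SYN
    stateful: bool                  # True: also drop packets that belong to no known connection
    connections: set = field(default_factory=set)   # ports of connections this filter has admitted

    def accept(self, pkt: Packet) -> bool:
        if pkt.syn and not pkt.ack:
            # Rule 1: bare SYN (a new connection attempt) is allowed only to public ports.
            # Stateless and stateful chains agree on this part.
            if pkt.dport in self.allowed_ports:
                self.connections.add(pkt.dport)
                return True
            return False
        if self.stateful:
            # Rule 2 (stateful only): anything else must belong to a connection we admitted;
            # an ACK out of the blue is treated as forged and dropped.
            return pkt.dport in self.connections
        # Stateless chain: non-SYN packets are not inspected further and pass through.
        return True


def host_discovered(flt: Filter, probes) -> bool:
    """True if at least one probe reaches the host.

    A probe that gets through is answered with SYN/ACK or RST, and either answer tells the
    scanner the host is up; a dropped probe produces silence.
    """
    return any(flt.accept(p) for p in probes)


if __name__ == "__main__":
    syn22, ack22 = Packet(22, syn=True), Packet(22, ack=True)
    for name, flt in (("stateless", Filter({80}, stateful=False)),
                      ("stateful", Filter({80}, stateful=True))):
        print("%-9s -PS22: %s  -PA22: %s  -PS22 -PA22: %s" % (
            name,
            host_discovered(flt, [syn22]),
            host_discovered(flt, [ack22]),
            host_discovered(flt, [syn22, ack22])))
```

Against the stateless chain only the ACK probe gets through; against the stateful chain neither probe to the non-public port does, while a SYN to the public port 80 still works. Sending both probe types costs one extra packet per port and covers both filter styles, which is why the text recommends -PS together with -PA.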

-PU [portlist] (UDP ping)

Another host discovery option is the UDP ping, which sends an empty UDP packet (unless --data-length is specified) to the given ports. The port list takes the same format as for the -PS and -PA options.
If no port is specified, the default is 31338. This default can be changed at compile time by changing DEFAULT-UDP-PROBE-PORT in nmap.h. Such an unusual port is used by default because probing open ports is generally undesirable for this scan type.

When a closed port on the target is reached, the UDP probe should elicit an ICMP port unreachable packet in return, which tells Nmap that the machine is up. Many other types of ICMP error, such as host/network unreachable or TTL exceeded, indicate that the host is down or unreachable. A lack of any response is interpreted the same way. If an open port is reached, most services simply ignore the empty packet and return no response. This is why the default probe port is 31338, which is very unlikely to be in use. A few services, such as chargen, will respond to an empty UDP packet and thereby reveal to Nmap that the machine is up.

The main advantage of this scan type is that it bypasses firewalls and filters that only screen TCP. For example, I once owned a Linksys BEFW11S4 wireless broadband router. By default, its external interface filtered all TCP ports, but a UDP probe still elicited a port unreachable message, and so the device gave itself away.

-PE; -PP; -PM (ICMP ping types)

In addition to the unusual TCP and UDP host discovery types discussed above, Nmap can send the standard packets used by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP address and expects a type 0 (echo reply) back from a running host. Unfortunately, many hosts and firewalls now block these packets rather than responding as required by RFC 1122. For this reason, an ICMP-only scan is rarely sufficient for Internet targets. For system administrators monitoring an internal network, however, it can be a practical and efficient approach. Use the -PE option to enable this echo request behavior.

Though echo request is the standard ICMP ping query, Nmap does not stop there. The ICMP standard (RFC 792) also specifies timestamp request, information request and address mask request packets, with type numbers 13, 15 and 17 respectively. While the ostensible purpose of these queries is to learn information such as address masks and current times, they can easily be used for host discovery: a system that replies is up. Nmap does not currently implement information request packets, since they are not widely supported; RFC 1122 insists that "a host SHOULD NOT implement these messages". Timestamp and address mask queries can be sent with the -PP and -PM options respectively. A timestamp reply (ICMP type 14) or address mask reply (type 18) reveals that the host is up. These two queries can be valuable when administrators block echo request packets but forget that other ICMP queries can be used for the same purpose.
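The following Python block is an added example, not Nmap's implementation, of the three ICMP query types the section covers: it builds echo, timestamp and address mask requests (types 8, 13 and 17) with a correct RFC 1071 checksum, and classifies a received packet as evidence that the host is up only if it is a well-formed reply (type 0, 14 or 18) carrying our own identifier. simulate_reply() stands in for the answering host so the logic can be exercised without privileges; send_and_classify() shows the same logic over a raw socket, which requires root and is not used by the self-test. The function names, the identifier value and the echo payload are this example's own choices.

```python
import socket
import struct
import time

# ICMP type numbers for the three query/reply pairs (RFC 792).
ECHO_REQUEST, ECHO_REPLY = 8, 0
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
MASK_REQUEST, MASK_REPLY = 17, 18
REPLY_FOR = {ECHO_REQUEST: ECHO_REPLY,
             TIMESTAMP_REQUEST: TIMESTAMP_REPLY,
             MASK_REQUEST: MASK_REPLY}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(icmp_type: int, ident: int, seq: int, originate_ms=None) -> bytes:
    """Return one ICMP query packet (header + type-specific payload) ready to send."""
    if icmp_type == ECHO_REQUEST:
        payload = b"icmp-echo-probe"                    # arbitrary data, echoed back by the host
    elif icmp_type == TIMESTAMP_REQUEST:
        if originate_ms is None:                          # milliseconds since midnight UTC
            originate_ms = int(time.time() * 1000) % 86_400_000
        payload = struct.pack("!III", originate_ms, 0, 0)  # originate, receive, transmit
    elif icmp_type == MASK_REQUEST:
        payload = struct.pack("!I", 0)                    # mask field, filled in by the replier
    else:
        raise ValueError("not a host-discovery query type: %d" % icmp_type)
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def classify_reply(packet: bytes, ident: int):
    """Return "up" if packet is an intact reply to one of our queries, else None."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return None                                       # truncated or corrupted in transit
    icmp_type, _code, _csum, reply_ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if reply_ident != ident:
        return None                                       # somebody else's ping traffic
    if icmp_type in REPLY_FOR.values():
        return "up"                                       # type 0, 14 or 18: the host answered
    return None                                           # a request or unrelated ICMP message


def simulate_reply(probe: bytes) -> bytes:
    """What a responding host sends back: the reply type, same ident/seq, fresh checksum.
    Used here only so the example can run without raw sockets."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", probe[:8])
    reply_type = REPLY_FOR[icmp_type]
    header = struct.pack("!BBHHH", reply_type, code, 0, ident, seq)
    csum = icmp_checksum(header + probe[8:])
    return struct.pack("!BBHHH", reply_type, code, csum, ident, seq) + probe[8:]


def strip_ip_header(datagram: bytes) -> bytes:
    """Raw IPv4 sockets on Linux deliver the IP header too; skip it using the IHL field."""
    ihl = (datagram[0] & 0x0F) * 4
    return datagram[ihl:]


def send_and_classify(target_ip: str, icmp_type: int, ident: int = 0x4E4D, timeout: float = 2.0):
    """Send one query over a raw socket (needs root) and classify the first matching reply."""
    probe = build_probe(icmp_type, ident, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as sock:
        sock.settimeout(timeout)
        sock.sendto(probe, (target_ip, 0))
        try:
            while True:                                   # skip unrelated ICMP until timeout
                datagram, _peer = sock.recvfrom(1500)
                verdict = classify_reply(strip_ip_header(datagram), ident)
                if verdict:
                    return verdict
        except socket.timeout:
            return None                                   # silence: blocked, down, or filtered


if __name__ == "__main__":
    for qtype in (ECHO_REQUEST, TIMESTAMP_REQUEST, MASK_REQUEST):
        probe = build_probe(qtype, ident=0x1234, seq=1)
        print("type %2d probe %d bytes -> reply type %2d -> %s" % (
            qtype, len(probe), simulate_reply(probe)[0],
            classify_reply(simulate_reply(probe), 0x1234)))
```

Checking the identifier and the checksum before accepting a reply matters in practice: a busy network carries other ping traffic, and a corrupted or unrelated ICMP message must not be mistaken for evidence that the target is up.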

-PR (ARP ping)

One of the most common Nmap usage scenarios is scanning an Ethernet LAN. On most LANs, especially those using the RFC 1918 private address ranges, the vast majority of IP addresses are unused at any given time. When Nmap tries to send a raw IP packet such as an ICMP echo request, the operating system must first determine the hardware (ARP) address corresponding to the target IP so that it can address the Ethernet frame correctly. This is often slow and problematic, since operating systems were not written with the expectation that they would need to make millions of ARP requests against unavailable hosts in a short period of time.

During an ARP scan, Nmap manages the ARP requests itself with its own optimized algorithms. When it gets a response, Nmap does not even need to bother with IP-based ping packets, since it already knows the host is up. This makes ARP scanning much faster and more reliable than IP-based scanning. So by default, if Nmap finds that a target host is on the local Ethernet LAN, it uses an ARP scan. Even if different ping types (such as -PI or -PS) are specified, Nmap still uses ARP for any target machine on the same LAN. If you absolutely do not want an ARP scan, specify --send-ip.

-n (No DNS resolution)

Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS is often slow, this can speed things up.

-R (DNS resolution for all targets)

Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally this is performed only for hosts found to be up.

--system-dns (Use the system DNS resolver)

By default, Nmap resolves names by sending queries directly to the name servers configured on your host. For performance, many requests (often dozens) are performed in parallel. Specify this option if you want to use the system resolver instead (one IP address at a time via a getnameinfo() call). This is rarely used unless you find a bug in the Nmap parallel resolver (if so, please let us know), because it is much slower. The system resolver is always used for IPv6 scans.
