# Nmap Host Discovery

Source file (-iL reads targets from a file; -sL only lists them without scanning):

```shell
# cat ip_list.txt
# nmap -n -sL -iL ip_list.txt
```

Reverse DNS resolution (a list scan resolves names through the system resolvers unless --dns-servers names others):

```shell
# cat /etc/resolv.conf
# nmap --dns-servers -sL
```

Ping scan only, no port scan: -sP (spelled -sn in current Nmap; -sP is still accepted as an alias)

ICMP echo request -PE:

```shell
# nmap --dns-servers -sP -PE
```

ICMP timestamp request -PP:

```shell
# nmap --dns-servers -sP -PP
```

ICMP address mask request -PM:

```shell
# nmap --dns-servers -sP -PM
```

TCP SYN ping -PS:

```shell
# nmap --dns-servers -sP -PS80
```

TCP ACK ping -PA:

```shell
# nmap --dns-servers -sP -PA80
```

UDP ping -PU:

```shell
# nmap --dns-servers -sP -PU53
```

IP protocol ping -PO:

```shell
# nmap --dns-servers -sP -POicmp,igmp
```

ARP scan -PR (local ethernet hosts only):

```shell
# nmap --dns-servers -sP -PR
```
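As an added defender-side example (not part of the original cheat sheet), the script below classifies firewall log lines into the probe kinds listed above and flags a source that looks like a host-discovery sweep. The log lines are a constructed, shortened iptables-LOG-style sample, and the thresholds (three targets, three probe kinds, or any timestamp/address-mask request) are assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Constructed iptables-LOG-style lines (shortened; not a real capture). Source 10.0.0.5 sends
# the probe mix of an nmap -sP sweep: ICMP echo (-PE), timestamp (-PP), address mask (-PM),
# TCP SYN and ACK to port 80 (-PS80, -PA80) and UDP to 53 (-PU53); 10.0.0.7 is ordinary traffic.
SAMPLE_LOG = """\
FW: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 LEN=28 TTL=37 PROTO=ICMP TYPE=8 CODE=0
FW: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 LEN=40 TTL=37 PROTO=ICMP TYPE=13 CODE=0
FW: IN=eth0 SRC=10.0.0.5 DST=10.0.0.11 LEN=32 TTL=37 PROTO=ICMP TYPE=17 CODE=0
FW: IN=eth0 SRC=10.0.0.5 DST=10.0.0.11 LEN=44 TTL=37 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
FW: IN=eth0 SRC=10.0.0.5 DST=10.0.0.12 LEN=40 TTL=37 PROTO=TCP SPT=40000 DPT=80 ACK URGP=0
FW: IN=eth0 SRC=10.0.0.5 DST=10.0.0.13 LEN=28 TTL=37 PROTO=UDP SPT=40000 DPT=53 LEN=8
FW: IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
FW: IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
"""

HDR_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=(\S+)(.*)")
ICMP_KIND = {"8": "icmp-echo", "13": "icmp-timestamp", "17": "icmp-addrmask"}
RARE = {"icmp-timestamp", "icmp-addrmask"}  # almost never seen in legitimate traffic

def classify(line):
    """Return (src, dst, probe_kind) for one packet log line, or None for other lines."""
    if not (m := HDR_RE.search(line)):
        return None
    src, dst, proto, rest = m.groups()
    if proto == "ICMP":
        t = re.search(r"TYPE=(\d+)", rest)
        kind = ICMP_KIND.get(t.group(1), "icmp-other") if t else "icmp-other"
    elif proto == "TCP":  # -PA sends a bare ACK; -PS sends a SYN, like any connection start
        flags = set(re.findall(r"\b(SYN|ACK)\b", rest))
        kind = "tcp-ack" if flags == {"ACK"} else "tcp-syn" if "SYN" in flags else "tcp-other"
    else:
        kind = proto.lower()  # "udp" for -PU, or the raw protocol name for -PO probes
    return src, dst, kind

def sweep_report(log_text, min_targets=3, min_kinds=3):
    """Per source: distinct targets, probe kinds, and whether it looks like a discovery sweep."""
    seen = defaultdict(lambda: {"targets": set(), "kinds": set()})
    for line in log_text.splitlines():
        if hit := classify(line):
            src, dst, kind = hit
            seen[src]["targets"].add(dst)
            seen[src]["kinds"].add(kind)
    report = {}
    for src, d in seen.items():
        sweep = len(d["targets"]) >= min_targets or len(d["kinds"]) >= min_kinds or bool(d["kinds"] & RARE)
        report[src] = {"targets": len(d["targets"]), "kinds": sorted(d["kinds"]), "sweep": sweep}
    return report
```

Run it against the sample with `sweep_report(SAMPLE_LOG)`: 10.0.0.5 is flagged on all three criteria, while 10.0.0.7 is not.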

Related options:

- --source-port _port_ sets the source port of the probes
- -n disables DNS resolution
- --data-length _length_ adds random bytes to every packet
- --ttl _value_ sets the IP time-to-live of outgoing packets
- -T3, -T4, -T5 speed up ping scanning
- --max-parallelism _value_ caps the number of probes in flight
- --max-rtt-timeout _value_ sets how long nmap waits for a ping response
- -oA, -oN, -oG, -oX select the output formats (all, normal, grepable, XML)
- --packet-trace provides more detail (every packet sent and received)
- -D _decoy1_ adds decoy source addresses as noise

Spoof your real source address with -e _intf_ -S _spoofed-ip_ (replies go to the spoofed address, not back to you):

```shell
# nmap --dns-servers -sP -PS80 -e ppp0 -S
```

Skip the discovery stage with -PN (spelled -Pn in current Nmap) and go straight to the default scanning stage, treating every target as up whether or not it answers:

```shell
# nmap -PN
```
