Chapter 2. Network Exploration

Note

This chapter shows you how to do some things that in many situations might be illegal, unethical, a violation of the terms of service, or just not a good idea. It is provided here to give you information that may be of use to protect yourself against threats and make your own system more secure. Before following these instructions, be sure you are on the right side of the legal and ethical line... use your powers for good!

In this chapter, we will cover:

  • Discovering hosts with TCP SYN ping scans
  • Discovering hosts with TCP ACK ping scans
  • Discovering hosts with UDP ping scans
  • Discovering hosts with ICMP ping scans
  • Discovering hosts with IP protocol ping scans
  • Discovering hosts with ARP ping scans
  • Discovering hosts using broadcast pings
  • Hiding our traffic with additional random data
  • Forcing DNS resolution
  • Excluding hosts from your scans
  • Scanning IPv6 addresses
  • Gathering network information with broadcast scripts

Introduction

In recent years, Nmap has become the de facto tool for network exploration, leaving all other scanners far behind. Its popularity comes from having a vast number of features that are useful to penetration testers and system administrators. It supports several ping scanning and port scanning techniques, applied to host discovery and service discovery respectively.

Hosts behind packet filtering systems, such as firewalls or intrusion prevention systems, can produce misleading results, because the rules that block certain types of traffic also drop some of Nmap's probes and a live host then appears to be down. The flexibility provided by Nmap in these cases is invaluable, since we can easily try an alternate host discovery technique (or a combination of them) to get around the filter. Nmap also includes a few very interesting features that make our traffic less suspicious. For this reason, learning how to combine these features is essential if you want to perform really comprehensive scans.

System administrators will gain an understanding of the inner workings of the different scanning techniques, which will hopefully motivate them to harden their traffic filtering rules and make their hosts more secure.

This chapter introduces the supported ping scanning techniques: TCP SYN, TCP ACK, UDP, ICMP, IP protocol, ARP, and broadcast. Other useful tricks are also described, including how to force DNS resolution, exclude hosts from a scan, append random data to probes, and scan IPv6 addresses.

Don't forget to also visit the reference guide for host discovery, hosted at http://nmap.org/book/man-host-discovery.html.
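As an added illustration of combining the host discovery techniques listed above (this is example code written for this edit, not a script from the book), the following POSIX shell script runs `nmap -sn` with several probe sets in turn, from the one most likely to be filtered through to raw IP protocol probes, and parses the greppable output (`-oG -`) to find hosts that answered. The target range (RFC 5737 TEST-NET), the port lists, the probe ordering and the sample output embedded for offline use are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the book): fall back through several Nmap host
# discovery probe sets until one reaches live hosts behind a packet filter.

# Print the addresses of hosts marked "Status: Up" in Nmap greppable output
# (nmap -oG -), read from stdin, one address per line. Greppable host lines
# look like:  Host: 192.0.2.1 (name)   Status: Up
up_hosts() {
  awk '/^Host: / && /Status: Up/ { print $2 }'
}

# Try each probe set against the target; stop at the first that finds hosts.
# Usage: discover <target> [probe-set ...]
# TCP ACK, UDP and IP protocol pings need raw packets, so run this as root.
discover() {
  target=$1
  shift
  # Default probe sets (assumed for the example), ordered so that a later set
  # gets through filters that commonly block the earlier ones:
  #   -PE            ICMP echo request (often dropped at the perimeter)
  #   -PS22,80,443   TCP SYN ping to ports a firewall is likely to allow
  #   -PA80,443      TCP ACK ping, passes stateless filters that only block SYN
  #   -PU53,161      UDP ping to DNS/SNMP ports
  #   -PO1,6,17      IP protocol ping with bare ICMP, TCP and UDP headers
  [ $# -eq 0 ] && set -- "-PE" "-PS22,80,443" "-PA80,443" "-PU53,161" "-PO1,6,17"
  command -v nmap >/dev/null 2>&1 || { echo "nmap not found in PATH" >&2; return 2; }
  for probes in "$@"; do
    # -sn: host discovery only, no port scan; -n: no DNS resolution;
    # --data-length: pad probes with random bytes so they do not match
    # signatures written for Nmap's default packet sizes.
    hosts=$(nmap -sn -n $probes --data-length 24 -oG - "$target" 2>/dev/null | up_hosts)
    if [ -n "$hosts" ]; then
      printf 'Probe set "%s" reached live hosts:\n%s\n' "$probes" "$hosts"
      return 0
    fi
    echo "Probe set \"$probes\" found no hosts, trying the next one" >&2
  done
  return 1
}

# Constructed sample of greppable output (not a real scan), so the parsing
# part of the script can be exercised without a network or nmap installed.
sample_output() {
  cat <<'EOF'
# Nmap 6.40 scan initiated as: nmap -sn -n -PE -oG - 192.0.2.0/28
Host: 192.0.2.1 ()	Status: Up
Host: 192.0.2.2 (host2.example)	Status: Down
Host: 192.0.2.3 ()	Status: Up
# Nmap done -- 16 IP addresses (2 hosts up) scanned in 1.00 seconds
EOF
}

if [ $# -gt 0 ]; then
  discover "$@"                # e.g.  sh discover.sh 192.0.2.0/28
else
  echo "No target given; parsing the constructed sample output instead:"
  sample_output | up_hosts     # prints 192.0.2.1 and 192.0.2.3
fi
```

Run it as `sh discover.sh 192.0.2.0/28` to use the default probe sets, or pass your own, for example `sh discover.sh 192.0.2.0/28 "-PE -PP" "-PS443"`; quoting keeps each probe set together as one argument. A set that yields no hosts is not proof that the range is empty, only that this particular probe type was filtered, which is exactly why the script moves on to the next one rather than stopping.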
