Ping sweeps are very important for host discovery. System administrators and penetration testers use them to determine which hosts are online and responding. Nmap implements several ping scanning techniques, including one called an IP protocol ping scan. This technique tries sending different packets using different IP protocols, hoping to get a response indicating that a host is online.
This recipe describes how to perform IP protocol ping scans.
Open your terminal and enter the following command:
# nmap -sP -PO scanme.nmap.org
If the host responded to any of the requests, you should see something like this:
# nmap -sP -PO scanme.nmap.org Nmap scan report for scanme.nmap.org (74.207.244.221) Host is up (0.091s latency). Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
The arguments -sP -PO scanme.nmap.org tell Nmap to perform an IP protocol ping scan of the host scanme.nmap.org.
By default, this ping scan will use the protocols IGMP, IP-in-IP, and ICMP to try to obtain a response that will indicate that the host is online. Using --packet-trace will show more details of what happened behind the curtains:
# nmap -sP -PO --packet-trace scanme.nmap.org SENT (0.0775s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=52 id=8846 iplen=28 SENT (0.0776s) IGMP (2) 192.168.1.102 > 74.207.244.221: ttl=38 id=55049 iplen=28 SENT (0.0776s) IP (4) 192.168.1.102 > 74.207.244.221: ttl=38 id=49338 iplen=20 RCVD (0.1679s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=63986 iplen=28 NSOCK (0.2290s) UDP connection requested to 192.168.1.254:53 (IOD #1) EID 8 NSOCK (0.2290s) Read request from IOD #1 [192.168.1.254:53] (timeout: -1ms) EID 18 NSOCK (0.2290s) Write request for 45 bytes to IOD #1 EID 27 [192.168.1.254:53]: .............221.244.207.74.in-addr.arpa..... NSOCK (0.2290s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.254:53] NSOCK (0.2290s) Callback: WRITE SUCCESS for EID 27 [192.168.1.254:53] NSOCK (4.2300s) Write request for 45 bytes to IOD #1 EID 35 [192.168.1.254:53]: .............221.244.207.74.in-addr.arpa..... NSOCK (4.2300s) Callback: WRITE SUCCESS for EID 35 [192.168.1.254:53] NSOCK (8.2310s) Write request for 45 bytes to IOD #1 EID 43 [192.168.1.254:53]: .............221.244.207.74.in-addr.arpa..... NSOCK (8.2310s) Callback: WRITE SUCCESS for EID 43 [192.168.1.254:53] Nmap scan report for scanme.nmap.org (74.207.244.221) Host is up (0.090s latency). Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds
The three lines marked as SENT show the ICMP, IGMP, and IP-in-IP packets:
SENT (0.0775s) ICMP 192.168.1.102 > 74.207.244.221 Echo request (type=8/code=0) ttl=52 id=8846 iplen=28 SENT (0.0776s) IGMP (2) 192.168.1.102 > 74.207.244.221: ttl=38 id=55049 iplen=28 SENT (0.0776s) IP (4) 192.168.1.102 > 74.207.244.221: ttl=38 id=49338 iplen=20
Out of those three, only ICMP responded:
RCVD (0.1679s) ICMP 74.207.244.221 > 192.168.1.102 Echo reply (type=0/code=0) ttl=53 id=63986 iplen=28
However, this was enough to reveal that this host is online.
You can also set the IP protocols to be used by listing them after the option -PO. For example, to use the protocols ICMP (Protocol number 1), IGMP (Protocol number 2), and UDP (Protocol number 17) the following command can be used:
# nmap -sP -PO1,2,4 scanme.nmap.org
All of the packets sent using this technique will be empty. Remember that you can generate random data to be used with these packets, with the option --data-length:
# nmap -sP -PO --data-length 100 scanme.nmap.org
- The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
- The Discovering hosts with TCP SYN ping scans recipe
- The Discovering hosts with TCP ACK ping scans recipe
- The Discovering hosts with UDP ping scans recipe
- The Discovering hosts ICMP ping scans recipe
- The Discovering hosts with ARP ping scans recipe
- The Discovering hosts using broadcast pings recipe
- The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information