03. Nmap Host Discovery

1. nmap -sn 192.168.0.1 or nmap -sn 192.168.0.1/24

Purpose:
This command performs host discovery without port scanning.

  • Option -sn:
    • "Ping Scan" mode: disables the port scan and only checks whether the hosts are online.
    • Sends ICMP echo requests (ping) or ARP requests (on a LAN) to detect live hosts.
  • Target:
    • 192.168.0.1: Scans a single IP address.
    • 192.168.0.1/24: Scans all the hosts in the network range (subnet) from 192.168.0.1 to 192.168.0.254.
  • Use Case:
    • Useful for quickly identifying live systems in a network without performing intrusive scans.
    • Ideal when checking for active hosts without needing details about services or open ports.

Example Output:

  • Reports which hosts are "up" (alive) in the given IP range.
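As an added example (not part of the original notes), a POSIX shell script that parses the grepable output nmap writes with -oG, lists the hosts reported "Up", and flags any live host that is missing from a known-asset inventory. The sample scan output and the inventory are constructed for the example; `-oG -` is nmap's option for sending grepable output to stdout.

```shell
#!/bin/sh
# Constructed sample of `nmap -sn -v -oG - 192.168.0.1/24` (grepable output).
# Addresses and hostnames are made up for this example. With -sn, hosts
# marked Down are only listed when nmap runs in verbose mode (-v).
SAMPLE_GREPABLE='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn -v -oG - 192.168.0.1/24
Host: 192.168.0.1 (router.lan)  Status: Up
Host: 192.168.0.10 ()   Status: Up
Host: 192.168.0.20 ()   Status: Down
Host: 192.168.0.37 ()   Status: Up
# Nmap done at Mon Jan  1 00:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 4.80 seconds'

# Constructed asset inventory: the addresses we expect to find on this subnet.
KNOWN_ASSETS='192.168.0.1
192.168.0.10'

# Print the IP of every host nmap reported as "Up", one per line.
# Each host line has the form "Host: <ip> (<name>)  Status: <Up|Down>",
# so the IP is always the second whitespace-separated field.
live_hosts() {
    printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Print live hosts that are absent from the inventory ($2, one IP per line).
# A hit here is a device answering on the network that nobody has accounted for.
unknown_hosts() {
    live_hosts "$1" | while IFS= read -r ip; do
        printf '%s\n' "$2" | grep -Fxq -- "$ip" || printf '%s\n' "$ip"
    done
}

# Against a real network, feed live output instead of the sample:
#   unknown_hosts "$(nmap -sn -oG - 192.168.0.1/24)" "$KNOWN_ASSETS"
echo "Live hosts:"
live_hosts "$SAMPLE_GREPABLE"
echo "Not in inventory:"
unknown_hosts "$SAMPLE_GREPABLE" "$KNOWN_ASSETS"    # prints 192.168.0.37
```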

2. nmap -Pn 192.168.0.1 or nmap -Pn 192.168.0.1/24

Purpose:
This command skips the ping check and assumes the target hosts are online, proceeding directly to port scanning.

  • Option -Pn:
    • Disables host discovery ("No ping").
    • Skips the default ICMP, TCP SYN, or ARP checks used to determine whether a host is live.
    • Performs the scan directly on the target IP(s) without verifying that the hosts are "up."
  • Target:
    • 192.168.0.1: Scans a single IP address.
    • 192.168.0.1/24: Scans all hosts in the specified subnet range.
  • Use Case:
    • Use when:
      1. A firewall or security system is blocking ping requests.
      2. You want to ensure all IPs are scanned, even if they do not respond to pings.
    • Often used in scenarios where stealth or deeper scans are required.

Example Output:

  • Results will include open ports and services on the scanned hosts, regardless of whether they respond to ping.

Comparison Between -sn and -Pn

Feature          -sn                                    -Pn
Host Discovery   Yes, pings or ARP requests are used.   No, assumes all hosts are alive.
Port Scanning    No, only detects live hosts.           Yes, performs port scanning directly.
Use Case         Quick check for live hosts.            Bypasses ping-blocking firewalls.

Practical Tips:
  1. Use -sn for a quick, non-intrusive scan of live hosts.
  2. Use -Pn if you suspect the target is behind a firewall or blocking ping requests.
  3. For large networks (192.168.0.1/24), use caution with -Pn as it may take longer and generate more network traffic.