If you have been following the NMAP articles I have written, you may have noticed something important about the scans: NMAP prefers to perform a Ping first. To NMAP, a Ping is a test to verify that the system to be scanned really exists and is on-line. If NMAP is to scan multiple systems on a subnet, or a whole subnet, it will first test which systems are available to scan. If we use the parameter -P0 or -Pn, we cause NMAP to skip the availability test, and NMAP will assume the systems to scan are on-line. If you need to scan 200 IP Addresses, all of them are off-line, and each scan takes 10 seconds, then the whole scan can take over 30 minutes! The problem is that too many Pings on a network can show an administrator that the network is being scanned. What can you do? Try a different Ping type available to NMAP.

NOTE: Most of these types are not actual Pings, but they allow NMAP to verify that a system is on-line. If a system is deemed off-line, NMAP will not waste the time to scan the IP Address.

Types of Ping

There are five different types of NMAP Pings to discuss. Two are mainly for use on local networks and the others are useful across subnets, including through firewalls. Be aware that these methods exist for NMAP to verify that a system is on. If you are an administrator of a network, you can watch for these specific kinds of network traffic. The different Ping types are:

1. ICMP Echo (TCP/IP Ping)
2. ARP Request
3. TCP SYN Ping
4. TCP ACK Ping
5. UDP Ping
6. Combination

NOTE: The sixth Ping is a combination of other Ping types. I listed it to be able to cover the idea, but there are really only five Ping types.

ICMP Echo Request

On any system with TCP/IP installed there should be a PING utility which uses an Internet Control Message Protocol (ICMP) Echo Request to verify that a system is available. The typical Ping command can be given an IP Address or a DNS name to ‘Ping’ another TCP/IP system or device. The source system sends an ICMP Echo Request.
When the target system receives the request, it replies with an ICMP Echo Reply. Once the Reply is received, NMAP knows that the system is available to be scanned. Usually the ICMP Echo Request will only work on a local subnet, since most firewalls will block ICMP messages.

ARP Request

The second way that NMAP can detect that a system is on-line is to request its Media Access Control (MAC) Address to see if the system is on-line to be scanned. The MAC Address is a unique ID which is burned into every Network Interface Card (NIC). MAC Addresses, not IP Addresses, are used for sending packets on a local network; IP Addresses are used when going outside the Local Area Network (LAN). For some programs you may enter an IP Address, but these addresses are converted to a MAC Address. When a system needs to communicate with another system, the system name or IP Address is used. Locally, the name or address is used to find the MAC Address through an ARP Request, and the MAC Address is then stored in the local ARP Cache. The ARP Cache is a small database which is consulted to find the MAC Address for a system. If one is not found, a request is broadcast to all systems on the LAN. If a system receives an ARP Request that matches its system name or IP Address, it responds with an ARP Reply, which includes the MAC Address. The local system then adds the MAC Address and IP Address to the ARP Cache. To see your ARP Cache, open a Terminal and type the command ‘arp’. If the system receives an ARP Reply, that shows the other system is on-line and can be scanned. It is nothing unusual for an administrator to see ARP Requests on a network. ARP Requests are usually filtered by a Firewall. If you send a request to a remote system, the local system sends the packet to the MAC Address of the Gateway, and the Gateway handles the packet from there. If no Ping parameter is specified, the ARP Ping is used by default.
TCP SYN Ping

The SYN and ACK flags are used in a three-way handshake, and the two Ping types built on them operate similarly in determining whether a system is on-line. With the TCP SYN Ping, the local system starts a three-way handshake with a Target System. The Target System can be on a Local Network or not. TCP SYN requests can be sent through a Firewall, but they can also be blocked. A request is sent to a system which includes a Port number; the Port Number should be a commonly used Port such as 80. When the Remote System receives the request to open a connection, there are three possible outcomes. The first is that the Remote System responds with a SYN/ACK, which means it is ready to open a connection. Since a response was received, NMAP knows the system is on-line. The second possibility is that it responds with a Reset (RST). The response means that the specified Port is now open for connections. NMAP then knows that the system is on-line since it has responded. The final possibility is that no response is received. No response could mean that the packet was filtered out by a Firewall; most likely it means that the system is off-line. To use the TCP SYN Ping you must have Root privileges and use the parameter ‘-PS’.

TCP ACK Ping

In a three-way handshake, the process of opening a line of communications between two systems is as follows:

1. The Source System sends a SYN to a Target to start communications.
2. The Target responds with a SYN/ACK to acknowledge it is okay to proceed with establishing communications.
3. The Source either sends an ACK to acknowledge setting up communications or a RST to reset and end the communications.

With the TCP ACK Ping, the acknowledgement part of the three-way handshake is performed first. The Target System sees that it has not initiated a three-way handshake and sends a Reset (RST) to the Source system. In this way NMAP knows the system is on-line. To use the TCP ACK Ping you need to have Root privileges and use the parameter ‘-PA’.
UDP Ping

A User Datagram Protocol (UDP) Ping is performed when a Source system sends a UDP datagram to a Target system at a high Port number. Firewalls do not normally block UDP datagrams, especially at higher Port numbers. NMAP defaults to Port 31,338. NMAP is hoping to receive back an ICMP reply that the Port is unreachable on the Target system; if it does, NMAP knows that the system is up and running. Since UDP Datagrams are connectionless, meaning there is no guarantee of delivery, this method can be unreliable. As a last resort it may produce the desired results. To use the UDP Ping method, include the parameter ‘-PU’ and have Root privileges.

Combination

When performing a default scan of the local subnet, NMAP uses an ARP Request to determine if the Target system is on-line. If you go outside of the subnet and use the defaults, NMAP performs a TCP ACK and an ICMP Echo Request to determine if the Target system is on-line. It is possible that one of the packets may be blocked by a Firewall, but sending both adds assurance of getting a response from a remote system.

Try these scans out and see how Wireshark shows the ping methods and how the responses are given. Having an understanding of how NMAP determines a system is on-line gives you more knowledge of what is occurring. Happy scanning!
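As an added example, not from the original article or from the NMAP project: a small Python script that takes packet summaries of the kind you would read out of Wireshark, labels each one with the Ping type it resembles, and flags any source that probes several hosts with the same type, which is the traffic pattern an administrator can watch for. The record layout, the 10.0.0.x addresses and the three-host threshold are constructed for illustration; Port 80 and UDP Port 31338 follow the article.

```python
from collections import defaultdict
from typing import Iterable, Optional

# One packet summary in the shape you would note down from Wireshark (constructed
# record layout). proto is "ARP", "ICMP", "TCP" or "UDP"; flags holds TCP flags
# ("S", "A", "SA", "R"); icmp_type 8 is Echo Request; dport is the TCP/UDP port.
def pkt(src, dst, proto, dport=0, flags="", icmp_type=-1):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "flags": flags, "icmp_type": icmp_type}

def probe_type(p: dict, handshakes: set) -> Optional[str]:
    """Map one packet to the NMAP Ping type it resembles, or None for normal traffic.
    handshakes holds (src, dst) pairs where src already sent a SYN, so a later bare
    ACK on that pair is part of a real connection rather than a -PA probe."""
    if p["proto"] == "ARP":
        return "ARP Request"                  # default Ping on the local subnet
    if p["proto"] == "ICMP" and p["icmp_type"] == 8:
        return "ICMP Echo"
    if p["proto"] == "TCP" and p["flags"] == "S":
        handshakes.add((p["src"], p["dst"]))
        return "TCP SYN Ping"                 # -PS: SYN to a common Port such as 80
    if p["proto"] == "TCP" and p["flags"] == "A":
        if (p["src"], p["dst"]) in handshakes:
            return None                       # ACK finishing a genuine handshake
        return "TCP ACK Ping"                 # -PA: ACK with no handshake, answered by RST
    if p["proto"] == "UDP" and p["dport"] == 31338:
        return "UDP Ping"                     # -PU: the default Port named in the article
    return None

def find_sweeps(packets: Iterable[dict], min_hosts: int = 3) -> dict:
    """Group probes by source and Ping type; report sources that touched at least
    min_hosts distinct Targets with one type (a lone SYN is ordinary traffic)."""
    handshakes, seen = set(), defaultdict(lambda: defaultdict(set))
    for p in packets:                         # packets must be in capture order
        kind = probe_type(p, handshakes)
        if kind:
            seen[p["src"]][kind].add(p["dst"])
    return {src: {k: sorted(v) for k, v in kinds.items() if len(v) >= min_hosts}
            for src, kinds in seen.items()
            if any(len(v) >= min_hosts for v in kinds.values())}

# Constructed sample: 10.0.0.5 sweeps four hosts with -PS and three with -PA, while
# 10.0.0.7 opens one ordinary connection (SYN, then ACK) to a web server.
SAMPLE = [pkt("10.0.0.5", f"10.0.0.{h}", "TCP", 80, "S") for h in (10, 11, 12, 13)]
SAMPLE += [pkt("10.0.0.5", f"10.0.0.{h}", "TCP", 80, "A") for h in (20, 21, 22)]
SAMPLE += [pkt("10.0.0.7", "10.0.0.10", "TCP", 80, "S"),
           pkt("10.0.0.7", "10.0.0.10", "TCP", 80, "A")]

if __name__ == "__main__":
    print(find_sweeps(SAMPLE))
```

Running it reports only 10.0.0.5, with the four SYN-probed and three ACK-probed hosts, while the ordinary client 10.0.0.7 is left out because its ACK followed its own SYN.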