Guardian of the Truth

Host Discovery Techniques with Nmap

ICMP ECHO Ping Sweep

$ nmap -sn -PE <ip>

Nmap helps attackers perform a ping sweep to discover live hosts within a range of IP addresses. The -sn option restricts Nmap to host discovery and skips the port scan. In Zenmap, the -PE option is used to conduct an ICMP ECHO ping sweep across a list of IP addresses.

ICMP Timestamp Ping Scan

$ nmap -sn -PP <ip>

In addition to the standard ICMP ECHO ping, other ICMP pinging techniques are available for certain situations, such as the ICMP timestamp ping scan and the ICMP address mask ping scan.
ICMP timestamp ping is a customizable type of ICMP ping that allows attackers to query the target host for timestamp-related information. A target that answers timestamp queries returns a timestamp reply for each one it receives; whether it answers at all depends on the target system's configuration, so the timestamp may or may not be provided. ICMP timestamp messages are normally used for time synchronization. In Zenmap, the -PP option is used to perform an ICMP timestamp ping scan.

ICMP Address Mask Scan

$ nmap -sn -PM <ip>

ICMP address mask ping is another alternative to the standard ICMP ECHO ping: attackers send an ICMP address mask query to the target to gather information about its subnet mask. As with the timestamp ping, the response depends on the target's configuration, and the reply may or may not include the subnet information. This technique is useful for discovering active hosts when ICMP ECHO ping requests are blocked. In Zenmap, the -PM option is used to perform an ICMP address mask ping scan.

TCP SYN Ping Scan

$ nmap -sn -PS <ip>

TCP SYN ping is a host discovery technique that probes specific ports to determine whether a host is online. The attacker sends a SYN packet to the target; an open port answers with a SYN/ACK, while a closed port answers with an RST. Either reply shows that the target host is online. Zenmap uses the -PS option for this type of scan.

TCP ACK Ping Scan

$ nmap -sn -PA <ip>

TCP ACK ping is similar to TCP SYN ping but sends an ACK packet instead of a SYN. Because no connection matching that ACK exists, an online target host responds with an RST (Reset) packet. The presence of the RST packet indicates that the host is online. Zenmap uses the -PA option for TCP ACK ping scans.

IP Protocol Ping Scan

$ nmap -sn -PO <ip>

IP Protocol Ping uses the protocol number of a specific protocol to send an IP packet to the target. This technique is used for probing hosts using various IP protocols like TCP and UDP.
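Each of the probes above leaves a recognisable trace in a firewall log (an ICMP type 13 or 17 request, a bare ACK to a port with no session, an unusual IP protocol number), which is what a defender looks for when hunting for host discovery. The following added example, which is not code from the original post, labels constructed netfilter/iptables-style log lines with the Nmap probe type they correspond to and reports source addresses that swept several hosts with one probe type; the log format is simplified and the addresses are made up.

```python
# Added example (not code from the original post): map firewall log lines to the
# Nmap host-discovery probe they most likely came from, so a defender can tell an
# ICMP timestamp (-PP) or address mask (-PM) sweep from a plain echo sweep (-PE).
from collections import defaultdict

# ICMP request types (RFC 792 / RFC 950) sent by the ICMP probes described above.
ICMP_PROBES = {"8": "ICMP echo (-PE)", "13": "ICMP timestamp (-PP)", "17": "ICMP address mask (-PM)"}
SAMPLE_LOG = [  # constructed, simplified netfilter/iptables LOG style; not real traffic
    "IN=eth0 SRC=10.0.0.9 DST=10.0.0.21 PROTO=ICMP TYPE=13 CODE=0",
    "IN=eth0 SRC=10.0.0.9 DST=10.0.0.22 PROTO=ICMP TYPE=13 CODE=0",
    "IN=eth0 SRC=10.0.0.9 DST=10.0.0.23 PROTO=ICMP TYPE=13 CODE=0",
    "IN=eth0 SRC=10.0.0.9 DST=10.0.0.23 PROTO=ICMP TYPE=17 CODE=0",
    "IN=eth0 SRC=10.0.0.9 DST=10.0.0.21 PROTO=TCP SPT=44021 DPT=80 ACK",
    "IN=eth0 SRC=10.0.0.9 DST=10.0.0.21 PROTO=TCP SPT=44022 DPT=22 ACK PSH",
    "IN=eth0 SRC=10.0.0.5 DST=10.0.0.21 PROTO=ICMP TYPE=8 CODE=0",
    "IN=eth0 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP SPT=51000 DPT=443 SYN",
    "IN=eth0 SRC=10.0.0.5 DST=10.0.0.21 PROTO=2",
]
def parse(line):
    """Split one line into key=value fields plus the bare TCP flag tokens (SYN, ACK, ...)."""
    tokens = line.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return fields, {t for t in tokens if "=" not in t and t.isupper()}

def classify(line):
    """Return the probe label for one line, or None if it is not a discovery probe."""
    fields, flags = parse(line)
    proto = fields.get("PROTO", "")
    if proto == "ICMP":
        return ICMP_PROBES.get(fields.get("TYPE"))
    if proto == "TCP":
        if "SYN" in flags and "ACK" not in flags:
            return "TCP SYN ping (-PS)"
        if "ACK" in flags and not flags & {"SYN", "PSH", "FIN"}:
            return "TCP ACK ping (-PA)"  # bare ACK with no session behind it
        return None
    # Other protocols are logged by number; Nmap's default -PO probes are 1, 2 and 4.
    return "IP protocol ping (-PO)" if proto in ("2", "4") else None

def sweep_report(lines, min_targets=3):
    """Per source, count distinct hosts hit by each probe type; keep sweeps only."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> label -> {dst}
    for line in lines:
        label = classify(line)
        if label:
            fields, _ = parse(line)
            seen[fields["SRC"]][label].add(fields["DST"])
    report = {src: {lbl: len(d) for lbl, d in probes.items() if len(d) >= min_targets}
              for src, probes in seen.items()}
    return {src: hits for src, hits in report.items() if hits}
```

On the constructed sample, sweep_report flags 10.0.0.9 for an ICMP timestamp sweep across three hosts, while the single echo and SYN probes from 10.0.0.5 fall below the threshold.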
There may have been some translation errors due to time constraints, so kindly review and correct them if necessary. We apologize for any mistakes.