Ghoul's Den (Ghoulsec-Vault)

Host Discovery

1. -sL (List Scan)

Lists all the target hosts without sending any probes.

nmap -sL 192.168.1.0/24

This will output the list of hosts in the 192.168.1.0/24 subnet, including their IPs and reverse DNS names.

2. -sn (No Port Scan)

Performs a host discovery (ping scan) without scanning ports.

nmap -sn 192.168.1.0/24

This command will only list the hosts that are up in the 192.168.1.0/24 range, without scanning any ports.
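A defender running the -sn ping sweep above usually wants the result as an asset inventory rather than raw Nmap output. The shell script below is an added example, not code from the Ghoul's Den page: it parses the greppable (-oG) output of an nmap -sn scan, lists the hosts Nmap reported as up, and flags any that are missing from an allowlist of known assets. The sample scan output, the allowlist and the file names are constructed for the example; down hosts only appear in -oG output when Nmap runs verbosely, and the sample includes one to show it being filtered.

```shell
#!/bin/sh
# Added example (not from the Ghoul's Den page): turn the greppable output of
#   nmap -sn -oG hosts.gnmap 192.168.1.0/24
# into a live-host inventory and flag addresses missing from a known-asset allowlist.

# Constructed sample in the shape nmap -sn -oG writes (no scan was run).
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -sn -oG hosts.gnmap 192.168.1.0/24\n'
    printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.10 (fileserver.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.23 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.50 ()\tStatus: Down\n'
    printf '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 5.02 seconds\n'
}

# live_hosts FILE: print "ip hostname" for every host Nmap reported as Up.
# Field layout of a Host line: "Host:" IP "(reverse-dns)" "Status:" state
live_hosts() {
    awk '/^Host:/ && /Status: Up/ {
        name = $3
        gsub(/[()]/, "", name)          # "(router.lan)" -> "router.lan", "()" -> ""
        if (name == "") name = "-"      # no reverse DNS name recorded
        print $2, name
    }' "$1"
}

# unknown_hosts FILE ALLOWLIST: live hosts whose IP is not an exact line in ALLOWLIST.
unknown_hosts() {
    live_hosts "$1" | while read -r ip name; do
        grep -qxF "$ip" "$2" || printf '%s %s\n' "$ip" "$name"
    done
}

# count_up FILE: number of live hosts in the scan.
count_up() {
    live_hosts "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample; in real use pass your own .gnmap and allowlist.
demo_dir=$(mktemp -d)
sample_gnmap > "$demo_dir/hosts.gnmap"
printf '192.168.1.1\n192.168.1.10\n' > "$demo_dir/allow.txt"   # constructed allowlist
echo "Live hosts: $(count_up "$demo_dir/hosts.gnmap")"
echo "Live hosts not on the asset allowlist:"
unknown_hosts "$demo_dir/hosts.gnmap" "$demo_dir/allow.txt"
rm -rf "$demo_dir"
```

The allowlist check uses grep -x so that 192.168.1.1 does not also match 192.168.1.10; anything the script prints under "not on the asset allowlist" is either a new device on the segment or a gap in the inventory, and either is worth a ticket.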

3. -Pn (No Ping)

Skips host discovery and attempts to scan all specified targets regardless of their availability.

nmap -Pn 192.168.1.1-50

This will scan IPs 192.168.1.1 to 192.168.1.50 without checking whether they are alive.

4. -PS (TCP SYN Ping)

Sends SYN packets to the specified ports to check if the host is up.

nmap -PS80,443 192.168.1.0/24

This will send SYN packets to ports 80 and 443 on the target range 192.168.1.0/24 to check if those hosts are reachable.

5. -PA (TCP ACK Ping)

Sends ACK packets to the specified ports to discover hosts behind firewalls.

nmap -PA80,443 192.168.1.0/24

This sends ACK packets to ports 80 and 443, which can get through stateless firewalls that drop unsolicited SYN packets but let ACK packets pass.

6. -PU (UDP Ping)

Sends UDP packets to the specified ports to detect if the host is up.

nmap -PU53,123 192.168.1.0/24

This sends UDP packets to ports 53 (DNS) and 123 (NTP) to discover live hosts.

7. -PY (SCTP INIT Ping)

Sends SCTP INIT packets to specified ports to determine if the host is alive.

nmap -PY80,443 192.168.1.0/24

This will send SCTP INIT packets to ports 80 and 443 to check if the target hosts are responsive.

8. -PE (ICMP Echo Request Ping)

Sends ICMP Echo Request (ping) packets to discover hosts.

nmap -PE 192.168.1.0/24

This sends a standard ICMP Echo Request to each IP in the 192.168.1.0/24 range to determine if the hosts are up.

9. -PP (ICMP Timestamp Request Ping)

Sends ICMP Timestamp Request packets to discover hosts.

nmap -PP 192.168.1.0/24

This sends ICMP Timestamp Request packets to the target hosts, which can also confirm that the hosts are alive.

10. -PM (ICMP Address Mask Request Ping)

Sends ICMP Address Mask Request packets to detect hosts.

nmap -PM 192.168.1.0/24

This sends ICMP Address Mask Request packets to find out which hosts respond, indicating they are up.
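The -PP and -PM probes above are ICMP type 13 (Timestamp Request) and type 17 (Address Mask Request). Ordinary hosts almost never send these, so one source sending them to many addresses stands out in firewall logs. The shell script below is an added example, not code from the Ghoul's Den page: it runs over constructed iptables LOG lines (the "FW-IN:" log prefix, hostnames and addresses are invented for the example) and reports every source that sent these request types to at least a threshold number of distinct destinations.

```shell
#!/bin/sh
# Added example (not from the Ghoul's Den page): detect ICMP Timestamp (type 13) and
# Address Mask (type 17) request sweeps, the probes nmap -PP and -PM send, in
# kernel iptables LOG output.

# Constructed sample of iptables LOG lines (no real traffic was captured).
# 192.168.1.77 probes four hosts with types 13/17; the type 8 echo and the single
# type 13 from 192.168.1.9 are there to show what does not trip the threshold.
sample_log() {
    printf '%s\n' \
      'Jan  1 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 PROTO=ICMP TYPE=13 CODE=0' \
      'Jan  1 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.2 PROTO=ICMP TYPE=13 CODE=0' \
      'Jan  1 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.3 PROTO=ICMP TYPE=17 CODE=0' \
      'Jan  1 10:00:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.4 PROTO=ICMP TYPE=13 CODE=0' \
      'Jan  1 10:00:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0' \
      'Jan  1 10:00:03 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.168.1.9 DST=192.168.1.1 PROTO=ICMP TYPE=13 CODE=0'
}

# icmp_sweep_sources FILE THRESHOLD: print "src distinct_destinations" for each source
# that sent ICMP type 13 or 17 requests to at least THRESHOLD distinct destinations.
icmp_sweep_sources() {
    awk -v min="$2" '
        /PROTO=ICMP/ && /TYPE=1[37]( |$)/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {          # pull SRC= and DST= out of the key=value fields
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src != "" && dst != "" && !((src, dst) in seen)) {
                seen[src, dst] = 1               # count each destination once per source
                targets[src]++
            }
        }
        END { for (s in targets) if (targets[s] >= min) print s, targets[s] }
    ' "$1" | sort
}

# Stand-alone demo on the constructed sample; in real use point it at /var/log/kern.log
# or wherever your firewall's LOG target writes.
demo_dir=$(mktemp -d)
sample_log > "$demo_dir/kern.log"
echo "Sources sending ICMP timestamp/address-mask requests to 3 or more hosts:"
icmp_sweep_sources "$demo_dir/kern.log" 3
rm -rf "$demo_dir"
```

A threshold of 3 is a constructed starting point; the point of counting distinct destinations rather than raw packets is that a sweep touches many addresses once each, while a misconfigured monitoring box tends to hit one address repeatedly. Pair the alert with the -PE case (type 8) only if echo requests are already rare on the segment, since normal hosts do use those.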

11. -PO (IP Protocol Ping)

Sends IP packets with specific protocol numbers to identify live hosts.

nmap -PO1,2,4 192.168.1.0/24

This sends ICMP (1), IGMP (2), and IP-in-IP (4) protocol packets to the targets in the 192.168.1.0/24 range.

12. --disable-arp-ping (No ARP or ND Ping)

Disables ARP or Neighbor Discovery Ping on local networks.

nmap --disable-arp-ping 192.168.1.0/24

This will prevent Nmap from using ARP requests for host discovery on a local network; it falls back to the usual IP-level ping probes instead.

13. --discovery-ignore-rst (Ignore RST Responses During Discovery)

Ignores RST packets during host discovery to avoid false positives.

nmap --discovery-ignore-rst 192.168.1.0/24

This will prevent Nmap from treating RST replies as evidence that a host is up, which matters when a firewall spoofs a TCP reset for every probed address and would otherwise make the whole range look alive.

14. --traceroute (Trace Path to Host)

Performs a traceroute after completing the scan.


Last updated 3 months ago