Host Discovery
1. -sL (List Scan)
Lists all the target hosts without sending any probes.
nmap -sL 192.168.1.0/24
This will output the list of hosts in the 192.168.1.0/24 subnet, including their IPs and reverse DNS names.
2. -sn (No Port Scan)
Performs a host discovery (ping scan) without scanning ports.
nmap -sn 192.168.1.0/24
This command will only list the hosts that are up in the 192.168.1.0/24 range, without scanning any ports.
3. -Pn (No Ping)
Skips host discovery and attempts to scan all specified targets regardless of their availability.
nmap -Pn 192.168.1.1-50
This will scan IPs 192.168.1.1 to 192.168.1.50 without checking whether they are alive.
4. -PS (TCP SYN Ping)
Sends SYN packets to the specified ports to check if the host is up.
nmap -PS80,443 192.168.1.0/24
This will send SYN packets to ports 80 and 443 on the target range 192.168.1.0/24 to check if those hosts are reachable.
5. -PA (TCP ACK Ping)
Sends ACK packets to the specified ports to discover hosts behind firewalls.
nmap -PA80,443 192.168.1.0/24
This sends ACK packets to ports 80 and 443, which can bypass firewalls that block SYN packets.
6. -PU (UDP Ping)
Sends UDP packets to the specified ports to detect if the host is up.
nmap -PU53,123 192.168.1.0/24
This sends UDP packets to ports 53 (DNS) and 123 (NTP) to discover live hosts.
7. -PY (SCTP INIT Ping)
Sends SCTP INIT packets to specified ports to determine if the host is alive.
nmap -PY80,443 192.168.1.0/24
This will send SCTP INIT packets to ports 80 and 443 to check if the target hosts are responsive.
8. -PE (ICMP Echo Request Ping)
Sends ICMP Echo Request (ping) packets to discover hosts.
nmap -PE 192.168.1.0/24
This sends a standard ICMP Echo Request to each IP in the 192.168.1.0/24 range to determine if the hosts are up.
9. -PP (ICMP Timestamp Request Ping)
Sends ICMP Timestamp Request packets to discover hosts.
nmap -PP 192.168.1.0/24
This sends ICMP Timestamp Request packets to the target hosts, which can also confirm that the hosts are alive.
10. -PM (ICMP Address Mask Request Ping)
Sends ICMP Address Mask Request packets to detect hosts.
nmap -PM 192.168.1.0/24
This sends ICMP Address Mask Request packets to find out which hosts respond, indicating they are up.
11. -PO (IP Protocol Ping)
Sends IP packets with specific protocol numbers to identify live hosts.
nmap -PO1,2,4 192.168.1.0/24
This sends ICMP (1), IGMP (2), and IP-in-IP (4) protocol packets to the targets in the 192.168.1.0/24 range.
12. --disable-arp-ping (No ARP or ND Ping)
Disables ARP or Neighbor Discovery Ping on local networks.
nmap --disable-arp-ping 192.168.1.0/24
This will prevent Nmap from performing ARP requests when scanning a local network.
13. --discovery-ignore-rst (Ignore RST Responses During Discovery)
Ignores RST packets during host discovery to avoid false positives.
nmap --discovery-ignore-rst 192.168.1.0/24
This will prevent Nmap from considering RST replies as evidence that a host is up, which is useful for avoiding misinterpretation of RST responses.
14. --traceroute (Trace Path to Host)
Performs a traceroute after completing the scan.
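For the defender's view of options 4 to 10 above, this added example (not part of the original page) maps packet records to the discovery option that emits that kind of probe and flags sources whose probes fan out across many hosts. The log format src,dst,proto,detail, the function names and the min_hosts threshold are assumptions made for illustration; -PO probes are not covered.

```python
from collections import defaultdict

# ICMP request types behind the ICMP probes listed above.
ICMP_PROBES = {"8": "-PE", "13": "-PP", "17": "-PM"}
# TCP packets carrying only the SYN or only the ACK flag.
TCP_PROBES = {"S": "-PS", "A": "-PA"}

def classify(proto, detail):
    """Return the Nmap discovery option that emits this kind of packet, or None."""
    if proto == "icmp":
        return ICMP_PROBES.get(detail)
    if proto == "tcp":
        return TCP_PROBES.get(detail)
    if proto == "udp":
        return "-PU"
    if proto == "sctp" and detail == "INIT":
        return "-PY"
    return None

def find_sweeps(lines, min_hosts=5):
    """Flag sources whose probe-like packets reach at least min_hosts distinct
    destinations. One matching packet is ordinary traffic; the fan-out is the signal."""
    hosts = defaultdict(set)
    probes = defaultdict(set)
    for line in lines:
        src, dst, proto, detail = line.strip().split(",")
        option = classify(proto, detail)
        if option is None:
            continue
        hosts[src].add(dst)
        probes[src].add(option)
    return {src: sorted(probes[src])
            for src, dsts in hosts.items() if len(dsts) >= min_hosts}

# Constructed sample log (hypothetical format: src,dst,proto,detail).
SAMPLE_LOG = (
    # 192.168.1.200 sends SYN, ACK and ICMP echo probes to six hosts
    [f"192.168.1.200,192.168.1.{n},tcp,S" for n in range(1, 7)]
    + [f"192.168.1.200,192.168.1.{n},tcp,A" for n in range(1, 7)]
    + [f"192.168.1.200,192.168.1.{n},icmp,8" for n in range(1, 7)]
    # ordinary client traffic: one host talking to a server and a resolver
    + ["192.168.1.10,192.168.1.5,tcp,S",
       "192.168.1.10,192.168.1.53,udp,",
       "192.168.1.10,192.168.1.5,icmp,0"]
)

if __name__ == "__main__":
    for src, options in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: possible host-discovery sweep, probe types {options}")
```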