Discovering hosts with TCP SYN ping scans
Ping scans are used for detecting live hosts in networks. Nmap's default ping scan (-sP) uses a TCP ACK and an ICMP echo request to determine if a host is responding, but if a firewall is blocking these requests, we will miss this host. Fortunately, Nmap supports a scanning technique called the TCP SYN ping scan that is very handy in these situations, where system administrators could have been more flexible with other firewall rules.
This recipe will talk about the TCP SYN ping scan and its related options.
How to do it...
Open your terminal and enter the following command:
$ nmap -sP -PS 192.168.1.1/24
You should see the list of hosts found using the TCP SYN ping scan:
$ nmap -sP -PS 192.168.1.1/24 Nmap scan report for 192.168.1.101 Host is up (0.088s latency). Nmap scan report for 192.168.1.102 Host is up (0.000085s latency). Nmap scan report for 192.168.1.254 Host is up (0.0042s latency). Nmap done: 256 IP addresses (3 hosts up) scanned in 18.69 seconds
How it works...
The argument -sP tells Nmap to perform a ping scan, which only consists of discovering online hosts.
The flag -PS forces a TCP SYN ping scan. This type of ping scan works in the following way:
- Nmap sends a TCP SYN packet to port 80.
- If the port is closed, the host responds with an RST packet.
- If the port is open, the host responds with a TCP SYN/ACK packet indicating that a connection can be established. Afterwards, an RST packet is sent to reset this connection.
The CIDR /24 in 192.168.1.1/24 is used to indicate that we want to scan all of the 256 IPs in our private network.
There's more...
Let's launch a ping scan against a host that does not respond to ICMP requests.
# nmap -sP 0xdeadbeefcafe.com Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 3.14 seconds
The host is marked as offline, but let's try to force a TCP SYN ping scan:
# nmap -sP -PS 0xdeadbeefcafe.com Nmap scan report for 0xdeadbeefcafe.com (50.116.1.121) Host is up (0.090s latency). Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds
This time we discovered that this particular host was indeed online, but behind a system filtering TCP ACK or ICMP echo requests.
Running a TCP SYN ping scan as an unprivileged user who can't send raw packets makes Nmap use the system call connect() to send the TCP SYN packet. In this case, Nmap distinguishes a SYN/ACK packet when the function returns successfully, and an RST packet when it receives an ECONNREFUSED error message.
During a TCP SYN ping scan, Nmap uses the SYN/ACK and RST responses to determine if the host is responding. It is important to note that there are firewalls configured to drop RST packets. In this case, the TCP SYN ping scan will fail unless we specify an open port:
$ nmap -sP -PS80 <target>
You can set the port list to be used with -PS (port list or range) as follows:
$ nmap -sP -PS80,21,53 <target> $ nmap -sP -PS1-1000 <target> $ nmap -sP -PS80,100-1000 <target>
See also
- The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
- The Discovering hosts with TCP ACK ping scans recipe
- The Discovering hosts with UDP ping scans recipe
- The Discovering hosts with ICMP ping scans recipe
- The Discovering hosts with IP protocol ping scans recipe
- The Discovering hosts with ARP ping scans recipe
- The Discovering hosts using broadcast pings recipe
- The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information