Nmap 6: Network Exploration and Security Auditing Cookbook

Discovering hosts with TCP ACK ping scans

Similar to the TCP SYN ping scan, the TCP ACK ping scan is used to determine if a host is responding. It can be used to detect hosts that block SYN packets or ICMP echo requests, but it will most likely be blocked by modern firewalls that track connection states.

The following recipe shows how to perform a TCP ACK ping scan and its related options.

How to do it...

Open a terminal and enter the following command:

# nmap -sP -PA <target>

How it works...

A TCP ACK ping scan works in the following way:

  • Nmap sends an empty TCP packet with the ACK flag set to port 80
  • If the host is offline, it should not respond to this request
  • If the host is online, it returns an RST packet, since the connection does not exist

There's more...

It is important to understand that there will be cases when this technique will not work. Let's launch a TCP ACK ping scan against one of these hosts.

# nmap -sP -PA 0xdeadbeefcafe.com

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.14 seconds

The host is shown as offline, but let's try a TCP SYN ping scan with the same host.

# nmap -sP -PS 0xdeadbeefcafe.com

Nmap scan report for 0xdeadbeefcafe.com (50.116.1.121)
Host is up (0.090s latency).
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds

We discovered that the host was online, but it was blocking those ACK packets.
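Why a stateful firewall defeats the ACK ping while the SYN ping still succeeds, as an added simulation that is not part of the book or of Nmap itself. The packet filters, the host model and the addresses 10.0.0.5 and 10.0.0.80 are constructed for illustration: a stateless filter passes any segment to port 80 and the live host answers the stray ACK with RST, while a connection-tracking filter drops an ACK that belongs to no tracked connection, so the host looks down.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment: endpoints plus the flags that matter here."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset

class StatelessFilter:
    """Packet filter that only looks at the destination port."""
    def allows(self, seg):
        return seg.dport == 80

class StatefulFilter:
    """Connection-tracking filter: a segment passes only if it starts a
    connection (bare SYN to port 80) or matches one already tracked."""
    def __init__(self):
        self.tracked = set()

    def allows(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == frozenset({"SYN"}) and seg.dport == 80:
            self.tracked.add(key)
            return True
        return key in self.tracked  # unsolicited ACK: no entry, dropped

def host_reply(seg):
    """Reply from a live host listening on port 80 with no matching
    connection: a SYN gets SYN/ACK, a stray ACK gets RST."""
    back = dict(src=seg.dst, dst=seg.src, sport=seg.dport, dport=seg.sport)
    if seg.flags == frozenset({"SYN"}):
        return Segment(flags=frozenset({"SYN", "ACK"}), **back)
    if "ACK" in seg.flags:
        return Segment(flags=frozenset({"RST"}), **back)
    return None

def ping(fw, flags, scanner="10.0.0.5", target="10.0.0.80"):
    """True if the probe passes the filter and the host answers (host 'up')."""
    probe = Segment(scanner, target, 40000, 80, frozenset(flags))
    return fw.allows(probe) and host_reply(probe) is not None

def ack_ping(fw):  # nmap -sP -PA
    return ping(fw, {"ACK"})

def syn_ping(fw):  # nmap -sP -PS
    return ping(fw, {"SYN"})
```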

Privileged versus unprivileged TCP ACK ping scan

TCP ACK ping scans need to run as a privileged user; otherwise Nmap falls back to the connect() system call, which sends an empty TCP SYN packet instead. Hence, as an unprivileged user, a TCP ACK ping scan will not use the TCP ACK technique previously discussed, but will perform a TCP SYN ping scan instead.

Selecting ports in TCP ACK ping scans

Additionally, you can select the ports to be probed with this technique by listing them directly after the -PA flag:

# nmap -sP -PA21,22,80 <target>
# nmap -sP -PA80-150 <target>
# nmap -sP -PA22,1000-65535 <target>

See also

  • The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
  • The Discovering hosts with TCP SYN ping scans recipe
  • The Discovering hosts with UDP ping scans recipe
  • The Discovering hosts with ICMP ping scans recipe
  • The Discovering hosts with IP protocol ping scans recipe
  • The Discovering hosts with ARP ping scans recipe
  • The Discovering hosts using broadcast pings recipe
  • The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information