Perform Host Discovery with Nmap


Introduction

In this lab, the goal is to learn how to perform host discovery using Nmap. The lab covers various Nmap commands for host discovery, including running a ping scan on the 192.168.1.0/24 network with the -sn option to disable port scanning, using TCP SYN ping and ACK ping, and combining different pings. It also shows how to view live hosts in the Xfce terminal. Additionally, it demonstrates performing a ping scan on the localhost address while disabling port scanning.

This is a Guided Lab, which provides step-by-step instructions to help you learn and practice. Follow the instructions carefully to complete each step and gain hands-on experience. Historical data shows that this is a beginner level lab with a 94% completion rate. It has received a 100% positive review rate from learners.

Run Ping Scan with Nmap

In this step, you will perform a basic ping scan using Nmap to identify active hosts on a network. A ping scan, also known as host discovery, is a fundamental technique to determine which hosts are online. Nmap sends various probes to each IP address in the specified range and analyzes the responses to identify active hosts. The -sn option in Nmap disables port scanning, making the scan faster and less intrusive than a full port scan.

192.168.1.0/24 is CIDR notation for a network. The /24 means the first 24 bits of the address are fixed and identify the network, leaving the remaining 8 bits for host addresses within it. This gives a usable host range of 192.168.1.1 to 192.168.1.254.

To perform a ping scan on the 192.168.1.0/24 network, open your terminal (if not already open) and execute the following command:

sudo nmap -sn 192.168.1.0/24

This command instructs Nmap to perform a ping scan on all IP addresses within the 192.168.1.0/24 network. The sudo command is used because Nmap often requires elevated privileges to send certain types of network packets.

In this lab environment, the 192.168.1.0/24 network doesn't contain any active hosts, so you'll see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:49 CST

The scan completes without showing any host reports, indicating that no hosts responded to the ping probes in this network range. In a real-world scenario with active hosts, you would see output like:

Starting Nmap 7.XX ( https://nmap.org ) at YYYY-MM-DD HH:MM ZZZ
Nmap scan report for 192.168.1.1
Host is up (0.000XXs latency).
Nmap scan report for 192.168.1.10
Host is up (0.002XXs latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.XX seconds

Next, you will perform a ping scan on the localhost address (127.0.0.1) while disabling port scanning. This demonstrates how to use the -sn option specifically for host discovery without initiating a full port scan. This is useful when you only want to check if a host is alive and avoid potentially noisy or time-consuming port scans.

127.0.0.1 is the loopback address, also known as localhost. It always refers to the current machine. Pinging localhost is a quick way to verify that the network interface is functioning correctly.

To perform a ping scan on localhost without port scanning, execute the following command in your terminal:

sudo nmap -sn 127.0.0.1

This command tells Nmap to perform a ping scan on the 127.0.0.1 address. The -sn option ensures that Nmap only performs host discovery and does not attempt to scan any ports.

The output will indicate whether the host is up. It should look similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:49 CST
Nmap scan report for localhost (127.0.0.1)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds

This output confirms that the localhost (127.0.0.1) is up and running. Nmap only performed a ping scan, as specified by the -sn option, and did not scan any ports.
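A small parser for the kind of output shown in this step, added here as an example (it is not part of the lab and does not run nmap): it turns the normal output of a -sn scan into a list of the hosts Nmap reported up and checks that every one of them lies inside the CIDR range you asked for, using Python's standard ipaddress module. The scan text is constructed in the shape of the sample output above (the localhost line is deliberately outside 192.168.1.0/24 to exercise the range check), and the function names are my own.

```python
"""Added example, not part of the lab: turn the normal output of an Nmap
`-sn` ping scan into a list of live hosts and check that every address
reported up lies inside the CIDR range that was actually scanned.  The scan
text below is constructed in the shape of the lab's sample output (the
localhost line is deliberately outside 192.168.1.0/24 to exercise the range
check); nothing here runs nmap."""
import ipaddress
import re

# "Nmap scan report for 192.168.1.10" or "Nmap scan report for localhost (127.0.0.1)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<addr>[\d.]+)\)?$")
# "Host is up (0.0023s latency)." or just "Host is up."
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
# "Nmap done: 256 IP addresses (3 hosts up) scanned in 2.15 seconds"
DONE_RE = re.compile(r"^Nmap done: (?P<n>\d+) IP address(?:es)? \((?P<up>\d+) hosts? up\)")


def parse_ping_scan(text):
    """Return (hosts, summary).  hosts is a list of {addr, name, latency_s} for
    every host Nmap reported up, in output order; summary is {scanned, up} from
    the 'Nmap done' line, or None if the output was cut short."""
    hosts, pending, summary = [], None, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            pending = {"addr": m.group("addr"), "name": m.group("name"), "latency_s": None}
            continue
        m = UP_RE.match(line)
        if m and pending is not None:
            if m.group("lat"):
                pending["latency_s"] = float(m.group("lat"))
            hosts.append(pending)
            pending = None
            continue
        m = DONE_RE.match(line)
        if m:
            summary = {"scanned": int(m.group("n")), "up": int(m.group("up"))}
    return hosts, summary


def outside_target(hosts, cidr):
    """Addresses reported up that are not inside `cidr`: a sign that the target
    string, or the saved output you are reading, is not what you expected."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [h["addr"] for h in hosts if ipaddress.ip_address(h["addr"]) not in net]


def usable_range(cidr):
    """First and last usable host address of the network (network and broadcast
    addresses excluded), as the lab describes for 192.168.1.0/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


# Constructed sample output (same shape as the lab's examples, not a real capture).
SAMPLE_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:49 CST
Nmap scan report for 192.168.1.1
Host is up (0.00012s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0023s latency).
Nmap scan report for localhost (127.0.0.1)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.15 seconds
"""

if __name__ == "__main__":
    hosts, summary = parse_ping_scan(SAMPLE_SCAN)
    print("usable range of 192.168.1.0/24:", usable_range("192.168.1.0/24"))
    for h in hosts:
        print(f"{h['addr']:<15} {h['name'] or '-':<10} latency={h['latency_s']}")
    print("summary:", summary, "parsed hosts:", len(hosts))
    print("outside target range:", outside_target(hosts, "192.168.1.0/24"))
```

Feed it the file written by `sudo nmap -sn 192.168.1.0/24 -oN hosts.txt`, and compare the parsed host count with the "hosts up" figure on the "Nmap done" line; a mismatch means the output was truncated or is not a plain -sn run.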

Perform TCP SYN and ACK Ping Scans

In this step, you will use Nmap to perform TCP SYN and ACK ping scans. These techniques are often more reliable than ICMP ping because many firewalls block ICMP traffic but allow TCP traffic.

First, let's try a TCP SYN ping scan on 192.168.1.1 to demonstrate what happens when a host is not reachable. A TCP SYN ping sends a TCP SYN packet to the target host. If the host is up and listening on the probed port (port 80 by default), it responds with a SYN/ACK packet; a closed port answers with an RST instead, and either reply tells Nmap the host is up. Nmap then resets the half-open connection by sending an RST packet.

The -PS option in Nmap specifies that you want to use a TCP SYN ping. By default, Nmap sends the SYN packet to port 80.

To perform a TCP SYN ping scan on 192.168.1.1, execute the following command in your terminal:

sudo nmap -PS 192.168.1.1

This command tells Nmap to send a TCP SYN packet to port 80 of the host 192.168.1.1. sudo is required because Nmap needs elevated privileges to craft and send raw TCP packets.

Since 192.168.1.1 is not reachable in this lab environment, you'll see output like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:49 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.10 seconds

This output shows that Nmap could not reach 192.168.1.1. The message suggests using -Pn if you suspect the host is up but blocking ping probes.

Now, let's perform a TCP SYN ping scan on localhost (127.0.0.1) to see how it works when the host is reachable:

sudo nmap -PS 127.0.0.1

This will show output similar to:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:50 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000070s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

This output shows that Nmap detected localhost as up and, because the -sn option was not used this time, went on to run its default port scan after host discovery, listing the open ports on the system.

Next, you will perform an ACK ping scan. An ACK ping sends a TCP ACK packet to the target host. Unlike SYN ping, which attempts to establish a connection, ACK ping sends a packet that appears to be part of an already established connection. Firewalls often have rules to handle incoming ACK packets differently than SYN packets, making ACK ping useful for bypassing some firewall configurations.

The -PA option in Nmap specifies that you want to use a TCP ACK ping. By default, Nmap sends the ACK packet to port 80.

First, let's try the ACK ping on 192.168.1.1:

sudo nmap -PA 192.168.1.1

As expected, this will show that the host is down:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:50 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.11 seconds

Now, let's perform a TCP ACK ping scan on localhost to see the successful case:

sudo nmap -PA 127.0.0.1

This will produce output similar to:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:50 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

This output shows that Nmap sent a TCP ACK packet to localhost and received a response, indicating that the host is up. The scan also shows the open ports on the system.

Combine Ping Scan Techniques

In this step, you will learn about combining TCP SYN and ACK ping scans using Nmap to discover live hosts on a network. Combining different ping types can increase the reliability of host discovery, as some hosts might respond to one type of ping but not another due to firewall rules or network configurations.

By using both -PS and -PA options, Nmap will send both TCP SYN and TCP ACK packets to each host in the specified network. This increases the chances of detecting live hosts, especially in environments with restrictive firewalls.

First, let's try the combined scan on the 192.168.1.0/24 network to demonstrate what happens when no hosts are present:

sudo nmap -PS -PA 192.168.1.0/24

This command tells Nmap to send both TCP SYN and TCP ACK packets to port 80 of each host in the 192.168.1.0/24 network. sudo is required because Nmap needs elevated privileges to craft and send raw TCP packets.

Since there are no active hosts in this network range in our lab environment, you'll see output like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:51 CST

The scan completes without showing any host reports, indicating that no hosts responded to either the SYN or ACK ping probes in this network range.

In a real-world scenario with active hosts, the output would look similar to this:

Starting Nmap 7.XX ( https://nmap.org ) at YYYY-MM-DD HH:MM ZZZ
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0015s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.XX seconds

This would show that Nmap scanned the 192.168.1.0/24 network and found three live hosts that responded to the combined ping techniques.
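Seen from the other side of the firewall, the -PS and -PA probes from the previous step and the combined sweep in this one have a recognisable shape: one source sends a lone SYN (or a bare ACK) to port 80 of many different addresses within a few seconds. The following detector is an added example, not part of the lab or of Nmap: it parses constructed log lines written in the style of iptables LOG output and reports any source that probed at least SWEEP_HOSTS distinct destinations inside a SWEEP_WINDOW-second span. The thresholds, the helper names and the sample addresses are my own assumptions.

```python
"""Added example, not part of the lab: flag TCP SYN / bare-ACK host-discovery
sweeps in firewall logs.  Nmap's -PS and -PA send one SYN (or one ACK) to
port 80 of every address in the target range, so from the defender's side the
sweep shows up as one source touching many distinct destinations on one port
within seconds.  The log lines are constructed here in the style of iptables
LOG output; SWEEP_HOSTS and SWEEP_WINDOW are assumed thresholds for the demo."""
import re
from collections import defaultdict
from datetime import datetime

SWEEP_HOSTS = 5      # distinct destinations from one source ...
SWEEP_WINDOW = 10.0  # ... within this many seconds
PROBE_PORT = 80      # Nmap's default port for -PS and -PA

# syslog timestamp, then the iptables fields we need (SRC, DST, PROTO, DPT, TCP flags)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?RES=0x[0-9a-fA-F]+ (?P<flags>[A-Z ]+?) URGP="
)


def log_line(ts, src, dst, proto, dpt, flags=""):
    """Build one constructed iptables-LOG-style line (sample data, not captured traffic)."""
    tail = f"RES=0x00 {flags} URGP=0" if proto == "TCP" else "LEN=40"
    return (f"{ts} gw kernel: [ 812.100] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST={dst} LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO={proto} "
            f"SPT=45001 DPT={dpt} WINDOW=1024 {tail}")


def parse_line(line):
    """Return (timestamp, src, dst, dport, flag set), or None for non-TCP or unparsable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900; deltas still work
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt")), set(m.group("flags").split())


def probe_kind(flags):
    """'syn' for a lone SYN, 'ack' for a bare ACK, None for anything else.
    A bare ACK is also the third packet of a normal handshake, so the flag alone
    proves nothing; the breadth of destinations counted below is what marks a sweep."""
    if flags == {"SYN"}:
        return "syn"
    if flags == {"ACK"}:
        return "ack"
    return None


def detect_sweeps(lines, hosts=SWEEP_HOSTS, window=SWEEP_WINDOW, port=PROBE_PORT):
    """Map source -> {'targets', 'syn', 'ack'} for every source that sent SYN or
    bare-ACK probes to `port` on at least `hosts` distinct destinations within
    some `window`-second span (the widest qualifying span is reported)."""
    events = defaultdict(list)  # src -> [(ts, dst, kind)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dpt, flags = rec
        kind = probe_kind(flags)
        if dpt == port and kind:
            events[src].append((ts, dst, kind))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = None, 0
        for hi in range(len(evs)):
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window:
                lo += 1  # slide the window so evs[lo..hi] spans at most `window` seconds
            span = evs[lo:hi + 1]
            targets = {dst for _, dst, _ in span}
            if len(targets) >= hosts and (best is None or len(targets) >= best["targets"]):
                best = {"targets": len(targets),
                        "syn": sum(k == "syn" for _, _, k in span),
                        "ack": sum(k == "ack" for _, _, k in span)}
        if best:
            hits[src] = best
    return hits


# Constructed sample: a normal client (one handshake, one request, one DNS query) ...
SAMPLE_LOG = [
    log_line("Jun  3 09:50:30", "10.0.0.9", "192.168.1.20", "TCP", 80, "SYN"),
    log_line("Jun  3 09:50:30", "10.0.0.9", "192.168.1.20", "TCP", 80, "ACK"),
    log_line("Jun  3 09:50:31", "10.0.0.9", "192.168.1.20", "TCP", 80, "ACK PSH"),
    log_line("Jun  3 09:50:31", "10.0.0.9", "192.168.1.53", "UDP", 53),
]
# ... then a -PS -PA style sweep: one SYN and one bare ACK to port 80 of six hosts in four seconds
for i in range(1, 7):
    ts = f"Jun  3 09:51:0{i // 2 + 1}"
    SAMPLE_LOG.append(log_line(ts, "10.0.0.7", f"192.168.1.{i}", "TCP", 80, "SYN"))
    SAMPLE_LOG.append(log_line(ts, "10.0.0.7", f"192.168.1.{i}", "TCP", 80, "ACK"))

if __name__ == "__main__":
    for src, info in detect_sweeps(SAMPLE_LOG).items():
        print(f"possible host-discovery sweep from {src}: {info['targets']} destinations, "
              f"{info['syn']} SYN probes, {info['ack']} bare-ACK probes")
```

The normal client is not reported even though its handshake also contains a bare ACK: the detector keys on how many distinct destinations one source touches on the probe port, not on any single packet. Tune SWEEP_HOSTS and SWEEP_WINDOW to your network; the values above are demo assumptions.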

To demonstrate the combined ping technique with a working example, let's use it on localhost:

sudo nmap -PS -PA 127.0.0.1

This will produce output showing that localhost responds to both ping types:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:51 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Finally, you can review the commands you've executed in the terminal to identify the techniques you've learned using Nmap. The terminal keeps a history of the commands you've run, which can be useful for reviewing your work and verifying the results of your scans.

To view the command history in the terminal, you can use the history command. This command will display a numbered list of the commands you've previously executed.

Type the following command and press Enter:

history

This will display a list of your recent commands. Scroll through the list to find the Nmap commands you used in the previous steps, specifically the commands using -sn, -PS, and -PA to perform ping scans.

For example, you should see commands like:

  1  sudo nmap -sn 192.168.1.0/24
  2  sudo nmap -sn 127.0.0.1
  3  sudo nmap -PS 192.168.1.1
  4  sudo nmap -PS 127.0.0.1
  5  sudo nmap -PA 192.168.1.1
  6  sudo nmap -PA 127.0.0.1
  7  sudo nmap -PS -PA 192.168.1.0/24
  8  sudo nmap -PS -PA 127.0.0.1
  9  history

By reviewing these commands and their output (which you should have noted in the previous steps), you can confirm the different ping techniques you've learned and how they behave with both reachable and unreachable hosts. The history command is a useful tool for auditing your work and ensuring that you have correctly performed the steps in this lab.

Note: The exact output of the history command will depend on the commands you have run in your terminal session.

Summary

In this lab, you have learned to perform host discovery using Nmap. You started by conducting a ping scan on the 192.168.1.0/24 network with the -sn option to disable port scanning, which is faster and less intrusive. You also performed a ping scan on the localhost address 127.0.0.1 while disabling port scanning. Additionally, you explored different ping types, such as TCP SYN ping with -PS, ACK ping with -PA, and a combined ping with -PS -PA, to effectively identify live hosts in various network scenarios. Finally, you learned how to review your command history in the terminal to verify your actions and discovered hosts.