
Nmap: how to PING (part-18)

ICMP Timestamp Ping

The -PP option performs an ICMP timestamp ping.

Usage syntax: nmap -PP [target]
# nmap -PP 192.168.1.254
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-16 13:27 CDT
Interesting ports on home (192.168.1.254):
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: 00:25:3C:5F:5A:89 (2Wire)
Nmap done: 1 IP address (1 host up) scanned in 1.83 seconds
Performing an ICMP timestamp ping


While most firewalled systems are configured to block ICMP echo requests, some
improperly configured systems may still reply to ICMP timestamp requests. This
makes -PP useful for attempting to solicit responses from firewalled targets.




ICMP Address Mask Ping
The -PM option performs an ICMP address mask ping.
Usage syntax: nmap -PM [target]
# nmap -PM 192.168.1.254
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-16 13:26 CDT
Interesting ports on home (192.168.1.254):
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: 00:25:3C:5F:5A:89 (2Wire)
Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds
Performing an ICMP address mask ping
This unconventional ICMP query (similar to the -PP option) attempts to ping the
specified host using an alternative ICMP message type, the address mask request.
This type of ping can occasionally sneak past a firewall that is configured to
block standard echo requests.
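
To check whether a filter that drops echo requests still lets timestamp or address mask traffic through, a monitoring script can classify ICMP messages by type. The following is an added example, not part of the original guide: the type numbers come from RFC 792 and RFC 950, while the sample messages, function names and alert texts are constructed for illustration.

```python
import struct

# ICMP types (RFC 792, RFC 950) relevant to echo, timestamp and address mask pings.
ICMP_TYPES = {0: "echo-reply", 8: "echo-request",
              13: "timestamp-request", 14: "timestamp-reply",
              17: "address-mask-request", 18: "address-mask-reply"}
QUERY = "non-echo ICMP query (possible host discovery)"
REPLY = "host answered a non-echo ICMP query (filter gap)"
ALERTS = {13: QUERY, 17: QUERY, 14: REPLY, 18: REPLY}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, body: bytes) -> bytes:
    """Build a constructed sample message in memory; nothing is sent."""
    def pack(csum: int) -> bytes:
        return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + body
    return pack(inet_checksum(pack(0)))

def classify(msg: bytes) -> dict:
    """Name the ICMP type, verify the checksum, flag non-echo queries/replies."""
    if len(msg) < 8:
        return {"name": "truncated", "valid": False, "alert": None}
    icmp_type = msg[0]
    return {"name": ICMP_TYPES.get(icmp_type, f"type-{icmp_type}"),
            "valid": inet_checksum(msg) == 0,  # a correct message sums to 0
            "alert": ALERTS.get(icmp_type)}

# Constructed samples: echo, timestamp (three 32-bit ms-since-midnight fields),
# and address mask (one 32-bit mask field).
SAMPLES = [
    build_icmp(8, 0x1234, 1, b"ping"),
    build_icmp(13, 0x1234, 2, struct.pack("!III", 66_000_000, 0, 0)),
    build_icmp(14, 0x1234, 2, struct.pack("!III", 66_000_000, 66_000_010, 66_000_010)),
    build_icmp(17, 0x1234, 3, struct.pack("!I", 0)),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

A timestamp-reply or address-mask-reply leaving a host whose echo requests are filtered is the misconfiguration described above.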




IP Protocol Ping
The -PO option performs an IP protocol ping.
Usage syntax: nmap -PO[protocol1,protocol2,etc] [target]
# nmap -PO 10.10.1.48
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-17 09:38 CDT
Interesting ports on 10.10.1.48:
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
MAC Address: 00:0C:29:D5:38:F4 (VMware)

Performing an IP protocol ping




An IP protocol ping sends packets with the specified protocol to the target. If no
protocols are specified the default protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP) are
used. To ping using a custom set of protocols, use the following syntax:
nmap -PO1,2,4,etc.

NOTE
A complete list of Internet Protocol numbers can be found online at www.iana.org/assignments/protocol-numbers/


ARP Ping
The -PR option instructs Nmap to perform an ARP (Address Resolution Protocol) ping on the specified target.
Usage syntax: nmap -PR [target]
# nmap -PR 192.168.1.254
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-16 13:16 CDT
Interesting ports on 192.168.1.254:
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: 00:25:3C:5F:5A:89 (2Wire)
Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
Performing an ARP ping


The -PR option is automatically implied when scanning the local network. This type
of discovery is much faster than the other ping methods described in this guide. It
also has the added benefit of being more accurate because LAN hosts can’t block
ARP requests (even if they are behind a firewall).

NOTE
ARP scans cannot be performed on targets that are not on your local subnet.