Nmap Development mailing list archives

Re: At what point NMAP decides if host is UP ?


From: MadHat <madhat () unspecific com>
Date: Thu, 5 Aug 2004 13:02:09 -0500


On Aug 5, 2004, at 12:53 PM, micro dev wrote:

Hi,
I use TCP SYN scan to scan remote hosts and also use OS fingerprinting.
I use command something like that -

nmap -sS -O -p <port list> <ip address>
I also depend upon nmap response to find if host is UP or DOWN.

So I am just curious to know how NMAP will decide if host is UP if command listed above is used.
Does it use ICMP at all in this case ?

If NMAP uses SYN packets to find if host is UP, then it uses any default port or uses list of ports specified in the command.

By default it will use port 80, you can force it to use another port with -PS#

If you run it as root, you can use an ICMP Echo-Request, otherwise, as the man pages state under a description of -P0 for not pinging before scanning, "By default, Nmap sends ... a TCP ACK packet to port 80."

I have ICMP open on the networks I deal with, so I run as root and use -PE to use ICMP Echo-Request to tell if a host is up. If I am searching a large set of hosts for a specific port, say 22 for example, I will use -PS22 -p22, and it will only scan once, instead of first sending the port 80 request to see if it is up, then send the port 22 to test the port. This speeds up scanning by quite a bit in many cases.
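As an added example (not code from the thread or from the Nmap project), the script below walks a small constructed connection log and flags the two host-discovery patterns described above: a bare TCP ACK to port 80 with no preceding SYN (the default non-root ping) and an ICMP Echo-Request followed by a SYN to the same host (the -PE case). The log format is an assumed, simplified one.

```python
"""Flag Nmap-style host-discovery probes in a constructed connection log."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed simplified firewall-log format:
# "<time> <src> > <dst> <proto> key=value ..."
SAMPLE_LOG = """\
10:00:01 10.0.0.5 > 10.0.0.20 tcp dport=80 flags=A
10:00:01 10.0.0.5 > 10.0.0.21 tcp dport=80 flags=A
10:00:02 10.0.0.5 > 10.0.0.20 tcp dport=22 flags=S
10:00:05 10.0.0.7 > 10.0.0.20 icmp type=8
10:00:06 10.0.0.7 > 10.0.0.20 tcp dport=22 flags=S
10:00:09 10.0.0.9 > 10.0.0.20 tcp dport=80 flags=S
10:00:09 10.0.0.9 > 10.0.0.20 tcp dport=80 flags=A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+) (tcp|icmp) (.*)$")


def parse(line):
    """Turn one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t, src, dst, proto, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"time": t, "src": src, "dst": dst, "proto": proto, **fields}


def find_discovery_probes(log_text):
    """Return {src: [reasons]} for sources matching the thread's probes:
    an ACK to port 80 with no earlier SYN from the same src to that dst
    (the default ping), or an ICMP echo then a SYN to the same dst (-PE).
    Caveat: a SYN logged before this window would look unsolicited too."""
    seen_syn = set()    # (src, dst) pairs that already sent a SYN
    echo_from = set()   # (src, dst) pairs that sent an ICMP echo request
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        if rec["proto"] == "icmp" and rec.get("type") == "8":
            echo_from.add(key)
        elif rec["proto"] == "tcp":
            flags = rec.get("flags", "")
            if flags == "A" and rec.get("dport") == "80" and key not in seen_syn:
                findings[rec["src"]].append(f"unsolicited ACK to {rec['dst']}:80")
            if "S" in flags:
                if key in echo_from:
                    findings[rec["src"]].append(f"ICMP echo then SYN to {rec['dst']}:{rec['dport']}")
                    echo_from.discard(key)
                seen_syn.add(key)
    return dict(findings)
```

The third source (10.0.0.9) is not reported because its ACK to port 80 follows its own SYN, i.e. an ordinary handshake rather than an ACK ping.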

