nmap scan options

I’m trying to learn something about the quality of a wireless Internet link in a house in Nevada County. Unfortunately the last couple of hops are invisible; my guess is the ISP is blocking all ICMP and other stuff at the boundary between their wired network and wireless network. Fair enough, but I really want to see inside that wireless link.

Sadly everything I’ve tried has failed, they’ve really got the link buttoned down. An ICMP traceroute does show me some promising looking networks before my destination but the latency seems too low to be wireless and there’s not much I can learn. Anyway, here’s some notes on using nmap’s more exotic options for probing a network.

nmap has a rich variety of host discovery options. Here’s some notes on various probe options. You have to be root to do a lot of this. In most cases nmap’s strategy is to send a packet hoping to get any sort of reply, it doesn’t care what the reply is, just something that verifies the host exists and is running an IP stack. It seems to send the probe twice, at least in some cases

  • -Pn: no discovery, just assume the host is up.
  • -PS: TCP SYN. Tries to open a TCP port; getting back an ACK or RST will both confirm the host is online, so it works whether the port is open or not. Default is port 80, do “-PS99” or whatever to change the port number.
  • -PA: TCP ACK. Sends a bogus ACK, expecting a RST back.
  • -PU: UDP. Should get an ICMP port unreachable response.
  • -PY: SCTP INIT. Similar to -PS, but tries to open an SCTP connection.
  • -PE: ICMP echo. Good ol ping
  • -PP: ICMP timestamp. One of those tech dead ends that should be removed or disabled (indeed, it’s not present in IPv6). My Linux server seems to respond with the correct time!
  • -PM: ICMP address mask. A way to query the subnet mask. Kind of a useful thing really, but Linux doesn’t seem to answer it. Maybe disabled for security?
  • -PO: IP protocol ping. Sends unusual IP protocol requests; ICMP, IGMP, and IP-in-IP by default. My Linux datacenter box doesn’t respond to IGMP or IP-in-IP probes.
  • -PR: ARP ping. For local ethernets only, bypasses the kernel’s ARP handling and handles ARP itself.  Any ARP reply implies the host exists. Note this is on by default for local networks and short-circuits other types of requests.

The default is -PE -PS443 -PA80 -PP: ping, TCP probes of HTTPS and HTTP, then ICMP timestamp. The default is also to do -PR when scanning ethernet local addresses.

Some other useful flags:

  • -sn: don’t scan ports, just probe to see if the host exists
  • -n: skip DNS and reverse DNS
  • -v: verbose output
  • –send-ip: send IP packets (rather than raw ethernet). Has the side effect of bypassing ARP ping. There’s supposed to be a “–disable-arp-ping” option but it’s not in nmap 6.0.1.
  • –traceroute: uses an existing probe method to do a full traceroute. Very clever way to map a network even when most stuff is shut down; if you can get a response from, say, ICMP timestamps you can use that to do the traceroute.

Here’s a screenshot of Wireshark after a bunch of probes to my remote Linux box.