difference between icmp ping scan and normal ping scan

Question

I'm learning to use nmap on my kali linux and was testing out the various types of scans available in it.

-sn is for ping scan which basically prevents nmap from scanning all the ports (and probably scans one port).

Then scrolling down the nmap help I found another option -PE which is the ICMP scan. I studied a bit on it and came to know it sends a request to the destination host to check whether it is up or not and receives a reply query as a response if the host is up. But, it is again a ping scan.

But, I'm not able to figure out what is the difference between the two. Is one more effective than the other? Please can you explain does a normal ping scan do?

To clarify, you're asking for the difference between `-sn` and `-PE`? — , Sep 03 '21 at 13:20
@MechMK1 yes, the difference between -sn and -PE and bit on what -sn does exactly — weebHackr, Sep 03 '21 at 13:22
By the way, it's "echo request" and "ICMP query". It is not usual to say "request query". It also sounds redundant. — schroeder, Sep 04 '21 at 07:25
@schroeder i see. Thank you for pointing it out. Can you please edit the question and make it right? — weebHackr, Sep 05 '21 at 06:28

score 5 · Accepted Answer · 2021-09-06T13:35:05.213

To answer this question, we can look at the nmap manual:

HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host

You see, nmap has several "phases" during a scan. In the first phase, called Host Discovery, all targets are pinged, to see if they are online. During the second phase, the actual port scan is performed.

The commands -sL, -sn and -Pn modify this behavior. -sL only lists the targets to be scanned, skipping both the host discovery and the port scan phase. -sn only performs the host discovery, skipping the port scan completely. And -Pn skips the host discovery, performing a port scan on all hosts as if the ping scan returned successfully on all of them.

On the other hand, -PE, -PP and -PM modify exactly how the Host Discovery is performed. The manual page on host discovery states the following:

If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.

So the -PE option, if specified, means that a simple ICMP Echo request is sent, exactly as if using the ping utility on the host. If no other options are specified, that is the only thing that is done. So it's actually less comprehensive than not explicitly noting -PE.

tl;dr

-sn and -PE are two completely different options. -sn specifies that no port scan should be performed. -PE explicitly specifies one way of performing host discovery, with -PP and -PM being alternatives.

difference between icmp ping scan and normal ping scan

1 Answers1

tl;dr