I am trying to do an nmap scan on a machine in my home network. When I do the regular scan (using `nmap 192.168.2.10` or `nmap -sP 192.168.2.10`), the results say the host is down. However, when I use the option `-Pn`, I get the result saying the host is up. What does this mean? I tried reading what the `-Pn` option does on nmap's website but I didn't understand it. It says that the `-Pn` option disables host discovery. How does that affect my scan?
- May I know why a down vote? – TheRookierLearner Mar 03 '13 at 05:26
- I think the reason @JeffFerland closed it as off topic is because here we don't deal with "how do I use this tool"; we prefer to focus on security principles and "what should we do" or "why should this be done". You might have better luck at [su]. – AviD Mar 03 '13 at 10:07
- Ok. I get it. I'll now explain where this question came from. I was scanning my network using Advanced IP Scanner. This scanner not only gave me the IPs of the machines on my network but also the host names of the machines which were alive. The problem was: it was reporting every IP (192.168.2.0-100) on my network as up and alive. As the network I was scanning was my home network, this should not be happening. I have only a few machines (4 laptops + 5 cell phones) on my network. So, I wanted to know what type of scanning this IP scanner was doing. To verify my results I also used (contd..) – TheRookierLearner Mar 03 '13 at 17:20
- (contd..) Angry IP Scanner. I got the same results. So, it got me wondering what type of scans these machines were using. I tried to do nmap ping scans (as I thought this software just used ICMP echo requests) for some of these IPs, but I got the result that the hosts were down. However, when I add the `-Pn` option, the results say the host is up (even if the IP wasn't assigned to any machine by my router). From the answer I got to this question I understood that nmap wasn't really checking if the hosts were alive. So, why was I getting all the IPs as alive using the IP scanning tools? (contd..) – TheRookierLearner Mar 03 '13 at 17:27
- (contd..) Turns out that my router has some security features which report these IPs as alive (I don't really know what these features are; I'm trying to understand them). But apparently the `ICMP ping block on the WAN port` does so. The firewall also dropped my FIN packets (`-sF` scan of nmap). I don't really know how to change the firewall rules to unblock these types of scans. Anyways, I didn't really get what type of scans these scanners were doing (I'll have to read the source of `Angry IP Scanner`), but now I know why the `-Pn` option gives the host as up (even if the IP isn't assigned). – TheRookierLearner Mar 03 '13 at 17:49
1 Answer
Don't really know how to explain it differently, as I think the nmap page explains it ok, but basically...
Some hosts respond to pings if they are online (i.e. ping www.google.com and you get a reply).
Nmap tries pinging them; if they respond, nmap continues scanning and you get your result. If it gets no response it says 'hmm, they must be down, well, no point wasting time scanning someone who doesn't exist' and exits.
Now some hosts are alive, but configured not to answer pings. Under normal circumstances this means nmap would simply not scan them, thinking they were down. If you specify `-Pn` it skips this initial stage of checking if the host is up and basically says 'well, I've been told to scan no matter what, so even if I think it's down* my stupid human operator is making me do it anyway'. It then tries to scan and actually gets results, because in reality the host is alive.
*Saying it thinks it's down is slightly incorrect: it simply ignores the check in the first place.
Summary: `-Pn` skips checking if the host is alive, a check which may sometimes cause a false positive and stop the scan.
- I understood it the way you explained it to me. I have a few more questions about the `-Pn` option. Can we chat? – TheRookierLearner Mar 03 '13 at 05:29
- If you have questions, ask here so anyone searching for the same answers can benefit. – Peleus Mar 03 '13 at 06:42
- When most people see "ping," they think of ICMP Echo Request, but Nmap uses many other probes for host discovery, too. The default set of 4 probes (or ARP request on LAN) is overwhelmingly likely to find a host that is up, so you should very rarely ever need to use the `-Pn` option. – bonsaiviking Mar 03 '13 at 13:15
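The practical problem in the question is telling a real "Host is up" apart from the "Host is up" that `-Pn` prints for every address, assigned or not. Nmap records the distinction itself: with `--reason` (or in `-oX` XML output) each host carries a reason such as `arp-response` or `echo-reply` when a discovery probe was answered, and `user-set` when `-Pn` told nmap to assume the host is up; each port likewise carries `no-response` when nothing came back. The script below is an added example, not part of the answer above or of nmap. It parses XML in the shape `nmap -oX -` produces and, for every host, reports whether nmap actually saw a reply from it. The scan output embedded in it is constructed for the example, not a real capture, and the four-address layout (one host found by ARP, two assumed up with `-Pn`, one down) is an assumption chosen to show each case.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the shape `nmap -oX -` emits, trimmed to the elements
# used below. Not real scan output. 192.168.2.1 answered an ARP request during
# host discovery; .10 and .50 were scanned with -Pn, so nmap marks their
# status reason as "user-set"; .60 answered no discovery probe at all.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -Pn -oX - 192.168.2.0/24" version="7.94">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.2.1" addrtype="ipv4"/>
<ports><extraports state="filtered" count="998"><extrareasons reason="no-responses" count="998"/></extraports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset" reason_ttl="64"/></port>
</ports></host>
<host><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="192.168.2.10" addrtype="ipv4"/>
<ports><extraports state="filtered" count="998"><extrareasons reason="no-responses" count="998"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="64"/></port>
</ports></host>
<host><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="192.168.2.50" addrtype="ipv4"/>
<ports><extraports state="filtered" count="1000"><extrareasons reason="no-responses" count="1000"/></extraports>
</ports></host>
<host><status state="down" reason="no-response" reason_ttl="0"/>
<address addr="192.168.2.60" addrtype="ipv4"/>
</host>
</nmaprun>
"""

# Reason strings nmap uses for "the probe drew no reply" (singular on a port,
# plural on the summarised extraports block).
SILENT_REASONS = {"no-response", "no-responses"}

CONFIRMED_UP = "up: a host-discovery probe was answered"
ASSUMED_UP_WITH_EVIDENCE = "assumed up by -Pn, and at least one port answered"
ASSUMED_UP_NO_EVIDENCE = "assumed up by -Pn, but nothing answered: no evidence a host exists"
DOWN = "down: no host-discovery probe was answered"


@dataclass
class HostVerdict:
    addr: str
    state: str           # "up" or "down" exactly as nmap reported it
    reason: str          # why nmap chose that state, e.g. "arp-response" or "user-set"
    answered_ports: int  # ports whose probe drew any reply (SYN/ACK, RST, ICMP error)
    silent_ports: int    # ports whose probe drew no reply at all
    verdict: str


def judge_host(host: ET.Element) -> HostVerdict:
    """Decide whether nmap observed this host or merely assumed it."""
    status = host.find("status")
    addr_el = host.find("address[@addrtype='ipv4']")
    addr = addr_el.get("addr") if addr_el is not None else "?"
    state = status.get("state", "")
    reason = status.get("reason", "")

    answered = silent = 0
    # Individually listed ports carry their own reason.
    for port in host.iterfind("ports/port"):
        port_state = port.find("state")
        if port_state.get("reason") in SILENT_REASONS:
            silent += 1
        else:
            answered += 1
    # Ports collapsed into "Not shown: N filtered ports" are summarised here.
    for extra in host.iterfind("ports/extraports/extrareasons"):
        count = int(extra.get("count", "0"))
        if extra.get("reason") in SILENT_REASONS:
            silent += count
        else:
            answered += count

    if state != "up":
        verdict = DOWN
    elif reason != "user-set":
        verdict = CONFIRMED_UP          # discovery itself proved the host exists
    elif answered > 0:
        verdict = ASSUMED_UP_WITH_EVIDENCE
    else:
        verdict = ASSUMED_UP_NO_EVIDENCE  # the -Pn "up" that means nothing

    return HostVerdict(addr, state, reason, answered, silent, verdict)


def classify(xml_text: str) -> list[HostVerdict]:
    """Parse nmap XML output and judge every <host> element in it."""
    root = ET.fromstring(xml_text)
    return [judge_host(h) for h in root.iterfind("host")]


if __name__ == "__main__":
    for v in classify(SAMPLE_XML):
        print(f"{v.addr:<14} {v.state:<5} reason={v.reason:<13} "
              f"answered={v.answered_ports:<4} silent={v.silent_ports:<5} {v.verdict}")
```

To feed it a real scan, run something like `nmap -Pn -oX scan.xml 192.168.2.0/24` and pass the file contents to `classify`; `nmap -sn --reason 192.168.2.0/24` shows the same discovery reasons on the console without a port scan. A host that is "up" only because of `user-set` and whose every port came back `no-response` is the case the question describes: nmap never heard from that address, it was simply told not to check.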