different results using nmap with/without sudo

Question

What is the reason that after running:

$ nmap -sP 192.168.1.0/24 

I got 3 results, but running:

$ sudo nmap -sP 192.168.1.0/24

shows 7 results.

What is the role of using sudo here?

Answer 1

Nmap adapts its techniques to use the best available methods using the current privilege level, unless you explicitly request something different. The things that Nmap needs root (or sudo) privilege for on Linux are:

• Sniffing network traffic with libpcap
• Sending raw network traffic

You can use the -d option to see what Nmap is doing in the background, but the short answer is that with root privilege on an Ethernet LAN (like you are using, based on the IP addresses you listed), Nmap will send raw ARP packets and sniff for results. Responding to ARP requests is a prerequisite to IP communication on such a network, so it's nearly impossible to block or hide from this type of scan. If you do not have root privilege, Nmap falls back to trying to connect to 2 TCP ports (80 and 443), considering the host "up" if the connection succeeds or is reset. A system with a drop-all firewall and no services on 80 or 443 will not show up with this scan. You can read more about Nmap's host discovery techniques in the host discovery section of the man page.

Answer 2

As answered above, you need escalated privileges to open raw sockets. Of note, ping scanning sends ACK packets to port 80 and SYN packets to port 443. But what if the host being contacted doesn't have services on those ports you ask? NMAP also sends a timestamp request. Results can vary based on what you are trying to accomplish. For example, a ping sweep is usually used to identify hosts that are UP and on the network you scan however, not all hosts respond to ICMP requests (if they're using a firewall, IPS, etc) You can use arp in lieu of nmap to determine what hosts are on a network by typing arp -a but to answer (or repeat in this case the answer) you need raw sockets for most scans in nmap