Nmap Host Discovery and Scanning
Nmap (Network Mapper) is a powerful open-source tool widely used in cybersecurity for host discovery, port scanning, and network enumeration — all critical skills assessed in the GCIH certification.
Host Discovery: Before scanning ports, Nmap determines which hosts are alive on a network. Key techniques include:
- ARP Ping Scan (-PR): Sends ARP requests on local networks; highly effective and difficult to block.
- ICMP Echo Ping (-PE): Sends ICMP echo requests (traditional ping) to identify live hosts.
- TCP SYN Ping (-PS): Sends SYN packets to specified ports; a response (SYN/ACK or RST) confirms the host is alive.
- TCP ACK Ping (-PA): Sends ACK packets; useful for bypassing stateless firewalls.
- UDP Ping (-PU): Sends UDP packets to unlikely ports, expecting ICMP port unreachable responses.
- No Ping (-Pn): Skips host discovery and scans all targets directly.
Port Scanning Techniques:
- TCP SYN Scan (-sS): The default and most popular scan; sends SYN packets without completing the three-way handshake (half-open scan), making it stealthier.
- TCP Connect Scan (-sT): Completes the full TCP handshake; more detectable but requires no special privileges.
- UDP Scan (-sU): Identifies open UDP services; slower due to rate-limiting of ICMP responses.
- FIN/Xmas/Null Scans (-sF/-sX/-sN): Send unusual flag combinations to evade firewalls and IDS; rely on RFC 793 behavior.
- ACK Scan (-sA): Maps firewall rulesets by determining filtered vs. unfiltered ports.
Service and OS Detection:
- Version Detection (-sV): Probes open ports to determine service and version information.
- OS Fingerprinting (-O): Analyzes responses to determine the target operating system.
- Nmap Scripting Engine (NSE): Extends functionality with scripts for vulnerability detection, enumeration, and exploitation.
For GCIH candidates, understanding Nmap is essential for identifying reconnaissance activities, analyzing scan signatures in logs, and implementing appropriate defensive countermeasures against network scanning threats.
Nmap Host Discovery and Scanning: A Comprehensive Guide for GIAC GCIH
Introduction
Nmap (Network Mapper) is one of the most widely used network scanning tools in cybersecurity. For the GIAC GCIH (GIAC Certified Incident Handler) certification, understanding Nmap's host discovery and scanning capabilities is essential. This guide covers everything you need to know about Nmap host discovery and scanning, including how it works, why it matters, and how to approach exam questions confidently.
Why Is Nmap Host Discovery and Scanning Important?
Host discovery and scanning represent the foundational phases of network reconnaissance. Attackers use these techniques to:
- Identify live hosts on a target network before launching further attacks
- Map the attack surface by discovering open ports, running services, and operating systems
- Prioritize targets based on discovered services and vulnerabilities
- Evade detection by selecting scan techniques that minimize their footprint
For incident handlers, understanding these techniques is critical because:
- You must recognize scanning activity in logs, IDS alerts, and packet captures
- You need to differentiate between scan types to assess attacker intent and sophistication
- You should be able to recommend countermeasures and detection strategies
- Understanding offensive techniques helps you conduct authorized assessments and validate defenses
What Is Nmap Host Discovery?
Host discovery (also called ping scanning) is the process of determining which IP addresses on a target network are active (online and responsive). Before scanning ports, Nmap first needs to know which hosts are alive. This saves time and resources by avoiding port scans against non-existent or offline hosts.
Default Host Discovery Behavior
By default, when scanning external (non-local) networks, Nmap sends the following probes to determine if a host is alive:
1. ICMP Echo Request (ping)
2. TCP SYN to port 443
3. TCP ACK to port 80
4. ICMP Timestamp Request
If any of these probes receives a response, Nmap considers the host alive and proceeds with further scanning. For local network (same subnet) scans, Nmap uses ARP requests instead, as they are more reliable and faster on local segments.
Key Host Discovery Options
Understanding Nmap's host discovery flags is crucial for the exam:
- -sn (formerly -sP): Ping scan only — performs host discovery without port scanning. This is used when you only want to know which hosts are alive.
- -Pn (formerly -P0 or -PN): Skip host discovery — treats all specified hosts as alive and proceeds directly to port scanning. Useful when ICMP and other discovery probes are blocked by firewalls.
- -PS [portlist]: TCP SYN ping — sends a SYN packet to specified ports (default port 80). If a SYN/ACK or RST is received, the host is considered alive.
- -PA [portlist]: TCP ACK ping — sends an ACK packet to specified ports. A RST response indicates the host is alive. Useful for bypassing stateless firewalls that block SYN packets.
- -PU [portlist]: UDP ping — sends UDP packets to specified ports. An ICMP port unreachable response indicates the host is alive.
- -PE: ICMP Echo ping — sends standard ICMP echo request (traditional ping).
- -PP: ICMP Timestamp ping — sends ICMP timestamp requests.
- -PM: ICMP Address Mask ping — sends ICMP address mask requests.
- -PR: ARP ping — uses ARP requests for host discovery on local networks. This is the default for local subnet scans and is extremely reliable because hosts cannot easily ignore ARP requests without breaking network connectivity.
What Is Nmap Port Scanning?
Once live hosts are identified, Nmap proceeds to port scanning to determine which ports are open, closed, or filtered. Port scanning reveals the services running on target hosts, which is essential for identifying potential attack vectors.
Nmap Port States
Nmap classifies ports into six states:
1. Open: An application is actively accepting connections on this port.
2. Closed: The port is accessible (responds to probes) but no application is listening.
3. Filtered: Nmap cannot determine if the port is open because packet filtering (firewall) prevents probes from reaching the port. No response or ICMP unreachable is received.
4. Unfiltered: The port is accessible but Nmap cannot determine if it is open or closed. Only seen with ACK scans.
5. Open|Filtered: Nmap cannot determine whether the port is open or filtered. Occurs when open ports give no response (common with UDP, IP protocol, FIN, NULL, and Xmas scans).
6. Closed|Filtered: Nmap cannot determine whether the port is closed or filtered. Only seen with the IP ID idle scan.
Major Scan Types
1. TCP SYN Scan (-sS) — "Half-Open" or "Stealth" Scan
This is Nmap's default scan type (when run with root/administrator privileges). It sends a SYN packet and analyzes the response:
- SYN/ACK response = Port is open (Nmap sends RST to tear down the connection before it completes)
- RST response = Port is closed
- No response or ICMP unreachable = Port is filtered
It is called "half-open" because the TCP three-way handshake is never completed. This makes it faster and slightly stealthier than a full connect scan, though modern IDS/IPS systems easily detect it.
2. TCP Connect Scan (-sT)
This scan uses the operating system's connect() system call to complete a full TCP three-way handshake. It is the default when the user lacks raw packet privileges (non-root). It is more detectable than SYN scans because the full connection is logged by the target system.
3. UDP Scan (-sU)
Sends UDP packets to target ports:
- UDP response = Port is open
- ICMP Port Unreachable (Type 3, Code 3) = Port is closed
- Other ICMP unreachable errors = Port is filtered
- No response = Port is open|filtered
UDP scanning is inherently slower than TCP scanning because open UDP ports often do not respond, and rate limiting on ICMP responses further slows the process.
4. TCP FIN Scan (-sF)
Sends a TCP packet with the FIN flag set:
- No response = Port is open|filtered
- RST response = Port is closed
This exploits RFC 793 behavior: closed ports should respond to unexpected packets with RST, while open ports should silently drop them. Does not work reliably against Windows systems (which send RST regardless).
5. TCP NULL Scan (-sN)
Sends a TCP packet with no flags set:
- No response = Port is open|filtered
- RST response = Port is closed
Same RFC 793 logic as FIN scan.
6. TCP Xmas Scan (-sX)
Sends a TCP packet with FIN, PSH, and URG flags set (like a Christmas tree with all lights on):
- No response = Port is open|filtered
- RST response = Port is closed
Same RFC 793 logic. The name comes from the packet being "lit up like a Christmas tree" with multiple flags.
7. TCP ACK Scan (-sA)
Sends a TCP packet with only the ACK flag set. This scan does not determine whether ports are open or closed. Instead, it is used to map firewall rulesets and determine whether ports are filtered or unfiltered:
- RST response = Port is unfiltered (firewall is not blocking)
- No response or ICMP unreachable = Port is filtered
8. TCP Window Scan (-sW)
Similar to ACK scan but examines the TCP window size field in the RST response. Some systems use different window sizes for open vs. closed ports, allowing differentiation.
9. Idle/Zombie Scan (-sI)
An advanced and highly stealthy scan that uses a third-party "zombie" host to scan the target. The attacker never sends packets directly to the target from their own IP address. It exploits predictable IP ID (IPID) sequence numbers on the zombie host. This is the stealthiest scan type available in Nmap.
How Nmap Scanning Works: The Technical Flow
1. Target Specification: The user specifies targets (IPs, ranges, CIDR notation, hostnames).
2. Host Discovery Phase: Nmap sends discovery probes to identify live hosts (unless -Pn is used).
3. Reverse DNS Resolution: Nmap resolves IP addresses to hostnames (unless -n is used to skip this).
4. Port Scanning Phase: Nmap sends probes to target ports on discovered live hosts.
5. Service/Version Detection (-sV): Nmap probes open ports to determine the service and version running.
6. OS Detection (-O): Nmap analyzes responses to determine the target's operating system.
7. Script Scanning (-sC or --script): Nmap runs NSE (Nmap Scripting Engine) scripts for additional enumeration.
8. Output: Results are displayed or saved in various formats (-oN, -oX, -oG, -oA).
Timing and Performance
Nmap provides timing templates that control scan speed and aggressiveness:
- -T0 (Paranoid): Extremely slow, designed to evade IDS. Waits 5 minutes between probes.
- -T1 (Sneaky): Very slow, 15-second delays between probes.
- -T2 (Polite): Slowed down to use less bandwidth and target resources.
- -T3 (Normal): Default timing template.
- -T4 (Aggressive): Speeds up scanning; assumes a fast and reliable network.
- -T5 (Insane): Maximum speed; may sacrifice accuracy for speed.
Important Additional Options
- -p [ports]: Specify which ports to scan (e.g., -p 22,80,443 or -p 1-1024 or -p- for all 65535 ports).
- -F: Fast scan — scans fewer ports (top 100 instead of default top 1000).
- -sV: Version detection — probes open ports to determine service/version info.
- -O: OS detection — attempts to identify the target operating system.
- -A: Aggressive scan — enables OS detection, version detection, script scanning, and traceroute.
- -sC: Runs default NSE scripts (equivalent to --script=default).
- -D [decoys]: Uses decoy IP addresses to obscure the true source of the scan.
- -S [IP]: Spoofs the source IP address.
- -f: Fragment packets to evade packet inspection.
- -n: Skip DNS resolution (speeds up scanning).
- -v / -vv: Increase verbosity.
- --reason: Displays the reason Nmap classified each port in its state.
- --open: Show only open ports in output.
Nmap Output Formats
- -oN [file]: Normal output (human-readable text).
- -oX [file]: XML output (useful for parsing and importing into other tools).
- -oG [file]: Grepable output (legacy format, easy to grep).
- -oA [basename]: Output in all three formats simultaneously.
Detection and Defense Considerations
As an incident handler, you should know how to detect Nmap scans:
- SYN scans generate many half-open connections — look for high volumes of SYN packets without completed handshakes.
- NULL, FIN, and Xmas scans generate unusual TCP flag combinations that are easily flagged by IDS/IPS.
- UDP scans generate ICMP port unreachable messages in high volumes.
- Ping sweeps appear as sequential ICMP or TCP probes across a range of IPs.
- Slow scans (T0, T1) are harder to detect due to long intervals between probes — look for patterns over extended time periods.
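The first two indicators above (half-open SYNs in volume, and NULL/FIN/Xmas flag combinations) can be turned into simple detection logic over per-connection flow records. The following is an added example, not from this guide or from any IDS product: it classifies each probe by its TCP flags using the flag definitions given above, then aggregates per source. The flow tuple layout, the `SAMPLE_FLOWS` records and the threshold of five half-open SYNs are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (not a real capture):
# (src, dst, proto, dport, tcp_flags, handshake_completed)
# Flags use tcpdump letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST
SAMPLE_FLOWS = [
    ("10.0.0.99", "10.0.0.5", "tcp", 22,   "S",   False),  # SYN probes, never completed
    ("10.0.0.99", "10.0.0.5", "tcp", 80,   "S",   False),
    ("10.0.0.99", "10.0.0.5", "tcp", 443,  "S",   False),
    ("10.0.0.99", "10.0.0.5", "tcp", 3306, "S",   False),
    ("10.0.0.99", "10.0.0.5", "tcp", 8080, "S",   False),
    ("10.0.0.99", "10.0.0.6", "tcp", 22,   "FPU", False),  # Xmas probe
    ("10.0.0.99", "10.0.0.6", "tcp", 22,   "",    False),  # NULL probe
    ("10.0.0.99", "10.0.0.6", "tcp", 22,   "F",   False),  # FIN probe
    ("10.0.0.7",  "10.0.0.5", "tcp", 443,  "S",   True),   # ordinary completed session
    ("10.0.0.8",  "10.0.0.5", "tcp", 443,  "S",   True),
]


def classify_probe(flags):
    """Map a first-packet flag set to the Nmap scan type that sends it, or None."""
    f = set(flags)
    if f == {"S"}:
        return "syn"          # -sS / -sT both open with a bare SYN
    if f == set():
        return "null"         # -sN
    if f == {"F"}:
        return "fin"          # -sF
    if f == {"F", "P", "U"}:
        return "xmas"         # -sX
    if f == {"A"}:
        return "ack"          # -sA (firewall mapping, not open/closed)
    return None


def detect_scanners(flows, syn_threshold=5):
    """Per source: count half-open SYNs and malformed-flag probes; report how many
    distinct hosts and ports were touched (ping sweep vs. port scan)."""
    stats = defaultdict(lambda: {"half_open": 0, "odd_flags": 0, "dsts": set(), "dports": set()})
    for src, dst, proto, dport, flags, completed in flows:
        if proto != "tcp":
            continue
        kind = classify_probe(flags)
        s = stats[src]
        if kind == "syn" and not completed:
            s["half_open"] += 1        # SYN with no completed handshake
        elif kind in ("null", "fin", "xmas"):
            s["odd_flags"] += 1        # flag combination no real client sends
        else:
            continue                   # completed sessions are not evidence
        s["dsts"].add(dst)
        s["dports"].add(dport)
    findings = {}
    for src, s in stats.items():
        reasons = []
        if s["half_open"] >= syn_threshold:
            reasons.append("syn-scan")
        if s["odd_flags"] > 0:
            reasons.append("stealth-flags")
        if reasons:
            findings[src] = {"reasons": reasons, "hosts": len(s["dsts"]), "ports": len(s["dports"])}
    return findings
```

For T0/T1 scans the same counters need a window of hours rather than seconds, since a few probes per minute never trip a short-window threshold.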
Defensive measures include:
- Configuring firewalls to drop unsolicited probes and limit ICMP responses
- Using IDS/IPS rules tuned for scan detection (e.g., Snort, Suricata)
- Implementing network segmentation to limit scan reach
- Monitoring for anomalous connection patterns and failed connections
- Using SYN cookies to handle SYN flood scenarios
Exam Tips: Answering Questions on Nmap Host Discovery and Scanning
1. Know the default behaviors: Nmap's default scan type with root privileges is TCP SYN (-sS). Without root, it defaults to TCP Connect (-sT). Default host discovery uses ICMP echo, TCP SYN to 443, TCP ACK to 80, and ICMP timestamp. On local networks, ARP is used by default.
2. Memorize flag combinations for stealth scans:
- NULL scan = no flags
- FIN scan = FIN flag only
- Xmas scan = FIN + PSH + URG
Remember the mnemonic: Xmas tree is "lit up" with multiple flags.
3. Understand response interpretation: Be able to map responses to port states. For SYN scans: SYN/ACK = open, RST = closed, no response = filtered. For NULL/FIN/Xmas: no response = open|filtered, RST = closed. This is a very common exam topic.
4. Know the difference between -sn and -Pn: These are commonly confused. -sn means "scan but no port scan" (host discovery only). -Pn means "skip ping/discovery and assume all hosts are up" (proceed directly to port scanning).
5. Understand the ACK scan's purpose: The ACK scan (-sA) does NOT determine open vs. closed ports. It maps firewall rules by determining filtered vs. unfiltered ports. This is a common distractor in exam questions.
6. Remember UDP scanning quirks: UDP scanning is slow because open ports often don't respond, resulting in open|filtered states. ICMP port unreachable = closed. Many exam questions test whether you know why UDP scans are slow and unreliable.
7. Know your timing templates: T0 and T1 are used for IDS evasion. T3 is the default. T4 and T5 are aggressive. Questions may ask which timing option an attacker would use to avoid detection.
8. Understand the idle scan concept: Know that -sI uses a zombie host, relies on predictable IPID sequences, and the attacker's real IP is never sent to the target. This is the stealthiest scan type.
9. Pay attention to command-line syntax in questions: Exam questions may present an Nmap command and ask you to interpret what it does. Break down each flag systematically. For example: nmap -sS -sV -O -p 1-1024 -T4 192.168.1.0/24 performs a SYN scan with version detection, OS detection, on ports 1-1024, with aggressive timing, against an entire /24 subnet.
10. Know evasion techniques: Fragmentation (-f), decoys (-D), source IP spoofing (-S), and slow timing (-T0/-T1) are all Nmap evasion capabilities. Understand when and why each would be used.
11. Differentiate between reconnaissance phases: Host discovery (finding live hosts) comes before port scanning (finding open ports), which comes before service enumeration (identifying what's running on open ports). Questions may test your understanding of this logical progression.
12. Remember Windows vs. Unix behavior: NULL, FIN, and Xmas scans rely on RFC 793-compliant TCP implementations. Windows systems send RST for all probes regardless of port state, making these scans unreliable against Windows targets. This is a frequently tested fact.
13. Review output format flags: Know that -oX produces XML, -oN produces normal text, -oG produces grepable output, and -oA produces all formats. Questions may ask which format is best for importing into other tools (answer: XML).
14. Practice reading scan results: Be comfortable interpreting Nmap output showing port numbers, states, and service names. Understand what each column means and how to draw conclusions about the target from the results.
Summary
Nmap host discovery and scanning are foundational skills for the GCIH certification. Focus on understanding the mechanics of each scan type, how responses map to port states, the difference between discovery options, and how to interpret Nmap commands and output. Remember that the exam tests both offensive understanding (how attackers use these techniques) and defensive awareness (how to detect and respond to scanning activity). Master the key flags, default behaviors, and response interpretations outlined in this guide, and you will be well-prepared to tackle any Nmap-related questions on the exam.