Channel: Pax Pentest » Nmap

Learning Nmap Security Network Port Scanner: Host Discovery Controls – List Scan (-sL) and Ping Scan (-sP)


This is the second post detailing my notes on Nmap Network Scanning.

List Scan (-sL) <– This simply lists each host in the given network range without sending any packets to the target hosts, which makes it very stealthy. Reverse-DNS requests are still made to resolve the names. The following scan enumerates the CIDR /28 network range (16 IP addresses) surrounding the main server:

nmap -sL scanme.nmap.org/28

Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-16 19:23 BST
Nmap scan report for tsukasa.chibi.ca (74.207.244.208)
Nmap scan report for li86-209.members.linode.com (74.207.244.209)
Nmap scan report for li86-210.members.linode.com (74.207.244.210)
Nmap scan report for li86-211.members.linode.com (74.207.244.211)
Nmap scan report for li86-212.members.linode.com (74.207.244.212)
Nmap scan report for li86-213.members.linode.com (74.207.244.213)
Nmap scan report for li86-214.members.linode.com (74.207.244.214)
Nmap scan report for li86-215.members.linode.com (74.207.244.215)
Nmap scan report for li86-216.members.linode.com (74.207.244.216)
Nmap scan report for li86-217.members.linode.com (74.207.244.217)
Nmap scan report for li86-218.members.linode.com (74.207.244.218)
Nmap scan report for logicmerc.com (74.207.244.219)
Nmap scan report for li86-220.members.linode.com (74.207.244.220)
Nmap scan report for scanme.nmap.org (74.207.244.221)
Nmap scan report for li86-222.members.linode.com (74.207.244.222)
Nmap scan report for li86-223.members.linode.com (74.207.244.223)
Nmap done: 16 IP addresses (0 hosts up) scanned in 0.51 seconds

Ping Scan (-sP) <– This commands Nmap to perform only a ping scan and nothing more. It is light reconnaissance and quite stealthy. The object of this scan is to discover which hosts are “up” and responding.

nmap -sP -T4 scanme.nmap.org/24

Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-16 19:30 BST
Nmap scan report for gw-li86.linode.com (74.207.244.1)
Host is up (0.17s latency).
Nmap scan report for 74.207.244.2
Host is up (0.17s latency).
Nmap scan report for 74.207.244.3
Host is up (0.17s latency).
Nmap scan report for li86-5.members.linode.com (74.207.244.5)
Host is up (0.18s latency).
Nmap scan report for li86-6.members.linode.com (74.207.244.6)
Host is up (0.18s latency).
Nmap scan report for sushi.lolz.be (74.207.244.7)
Host is up (0.17s latency).
Nmap scan report for www.vin2vin.com (74.207.244.10)
Host is up (0.18s latency).

[.....]

Nmap done: 256 IP addresses (186 hosts up) scanned in 15.04 seconds

Just over 15 seconds to find 186 hosts up in a Class C sized address range.

The “-T4” switch adjusts timing to the aggressive level, 4 of 5, which is recommended if the connection is faster than dialup.

Ping can be disabled (-PN). However, by default heavy probing is directed only at hosts that are “up”, so disabling ping forces heavy probing of all hosts regardless, which can be too much if a Class B sized (/16) address space is requested.
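
The following Python is an added example, not part of the original post or of Nmap itself. It expands a CIDR block the way the /28 above is listed (74.207.244.208 to 223) and parses -sL / -sP normal output into host records, cross-checking the count against the "Nmap done" line and flagging addresses with no reverse-DNS name. The sample output (documentation addresses) and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the normal-output format shown above (documentation addresses).
SAMPLE = """\
Nmap scan report for gw.example.net (192.0.2.1)
Host is up (0.17s latency).
Nmap scan report for 192.0.2.2
Host is up (0.17s latency).
Nmap done: 16 IP addresses (2 hosts up) scanned in 1.04 seconds
"""

REPORT = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
UP = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?\.$")
DONE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")

def cidr_range(addr, prefix):
    """Return (first, last, count) for the block that addr/prefix expands to."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses

def parse_scan(text):
    """Parse -sL / -sP normal output into host records plus the summary line."""
    hosts, summary = [], None
    for line in text.splitlines():
        if m := REPORT.match(line):
            hosts.append({"name": m.group(1), "ip": m.group(2), "up": False, "latency": None})
        elif (m := UP.match(line)) and hosts:
            hosts[-1]["up"] = True
            hosts[-1]["latency"] = float(m.group(1)) if m.group(1) else None
        elif m := DONE.match(line):
            summary = {"scanned": int(m.group(1)), "up": int(m.group(2))}
    return hosts, summary

def check(text, addr, prefix):
    """Cross-check parsed hosts against the summary line and the requested block."""
    hosts, summary = parse_scan(text)
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    up = [h for h in hosts if h["up"]]
    return {
        "up": len(up),
        "summary_matches": summary is not None and summary["up"] == len(up),
        "outside_block": [h["ip"] for h in hosts if ipaddress.ip_address(h["ip"]) not in net],
        "no_reverse_dns": [h["ip"] for h in hosts if h["name"] is None],
    }

if __name__ == "__main__":
    print(cidr_range("74.207.244.221", 28))  # the /28 around scanme.nmap.org above
    print(check(SAMPLE, "192.0.2.1", 28))
```

A list scan produces no "Host is up" lines, so every record stays `up: False` and the summary reads 0 hosts up, as in the -sL output above.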

