July 14, 2026
Nmap Live Host Discovery
Task 1 Introduction
By Shivam Maurya
19 min read
Task 1 Introduction
Nmap, short for Network Mapper, is free, open-source software released under the GPL license, created by Gordon Lyon (Fyodor), a network security expert and open-source programmer. Nmap is an industry-standard tool for mapping networks, identifying live hosts, and discovering running services. Nmap's scripting engine can further extend its functionality, from fingerprinting services to exploiting vulnerabilities. A Nmap scan usually goes through the steps shown in the figure below, although many are optional and depend on the command-line arguments you provide.
Learning Objectives
When we want to target a network, we want to find an efficient tool to help us handle repetitive tasks and answer the following questions:
- Which systems are up?
- What services are running on these systems?
The first question about finding live computers is answered in this room. This room is the first in a series of four Nmap rooms. The second question about discovering running services is answered in the next Nmap rooms, which focus on port scanning.
- Understand why host discovery is a necessary first step before port scanning, and why scanning offline systems wastes time and generates unnecessary noise.
- Learn how ARP scans work at the link layer, using broadcast requests to identify live hosts within the same subnet.
- Understand how ICMP echo, timestamp, and address mask requests can be used to discover live hosts across different network segments.
- Learn how TCP SYN and ACK ping scans use transport-layer packets to detect online hosts, and understand the difference between privileged and unprivileged scan behaviour.
- Understand how UDP ping scans trigger ICMP port-unreachable responses from closed ports to confirm a host is online
Learning Prerequisites
In the next task, let's dig deeper and understand some important concepts before discovering live hosts.
Answer the questions below
Some of these questions will require a static site to answer the task questions, while others will require the Attack Box.
Correct Answer
Task 2 Subnetworks
Let's review a couple of terms before we move on to the main tasks. A network segment is a group of computers connected using a shared medium. For instance, the medium can be an Ethernet switch or a Wi-Fi access point. In an IP network, a subnetwork is usually equivalent to one or more network segments connected to the same router. The network segment refers to a physical connection, while a subnetwork refers to a logical connection.
In the following network diagram, we have four network segments or subnetworks. Generally speaking, your system would be connected to one of these network segments/subnetworks. A subnetwork, or simply a subnet, has its own IP address range and is connected to a more extensive network via a router. Additionally, a firewall may be present between network segments, enforcing security policies on the traffic that passes between them.
The figure above shows two types of subnets:
- Subnets with
/16, which means that the subnet mask can be written as255.255.0.0. This subnet can accommodate around 65,000 hosts. - Subnets with
/24, which indicates that the subnet mask can be expressed as255.255.255.0. This subnet can have around 250 hosts.
You might want to refer to Task 2 in the Intro to LAN room if you need to learn more about subnetting.
As part of active reconnaissance, we want to discover more information about a group of hosts or about a subnet. If you are on the same subnet, you would expect your scanner to use ARP Address Resolution Protocol (ARP) queries to discover live hosts. An ARP query aims to obtain the hardware address (MAC address) so that communication at the link layer is possible; however, it can also indicate that the host is online. (We revisit link-layer in Task 4.)
If you are in Network A, you can use ARP only to discover the devices within that subnet (10.1.100.0/24). Suppose you are connected to a subnet different from the subnet of the target system(s). In that case, all packets generated by your scanner will be routed via the default gateway (router) to reach systems on another subnet; however, ARP queries won't be routed and therefore cannot cross the subnet router. ARP is a link-layer protocol, and ARP packets are bound to their subnet.
Click on the "View Site" button to start the network simulator. We will use this simulator to answer the questions in tasks 2, 4, and 5.
Send a packet with the following:
- From computer1
- To computer1 (to indicate it is broadcast)
- Packet Type: "ARP Request"
- Data: computer6 (because we are asking for computer6's MAC address using ARP Request)
How many devices can see the ARP Request?
4
Did computer6 receive the ARP Request? (yea/nay)
nay
Send a packet with the following:
- From computer4
- To computer4 (to indicate it is broadcast)
- Packet Type: "ARP Request"
- Data: computer6 (because we are asking for computer6's MAC address using ARP Request)
How many devices can see the ARP Request?
4
Did computer6 reply to the ARP Request? (yea/nay)
yea
Task 3 Understanding Hosts Discovery Through TCP/IP Layer
Let's revisit the TCP/IP layers shown in the following figure. We will leverage the protocols to discover the live hosts. Starting from bottom to top, we can use:
- ARP from Link Layer
- ICMP from the Network Layer
- TCP from the Transport Layer
- UDP from the Transport Layer
Before we discuss how each scanner can be used in detail, we will briefly review these four protocols. ARP has one purpose: sending a frame to the broadcast address on the network segment and asking the computer with a specific IP address to respond by providing its MAC (hardware) address.
ICMP has many types(opens in new tab). ICMP ping uses Type 8 (Echo) and Type 0 (Echo Reply).
If you want to ping a system on the same subnet, an ARP query should precede the ICMP Echo.
Although TCP and UDP are transport-layer protocols, for network scanning, a scanner can send a specially crafted packet to common TCP or UDP ports to check whether the target responds. This method is efficient, especially when ICMP Echo is blocked.
If you have closed the network simulator, click on the "View Site" button in Task 2 to display it again.
Answer the questions below
Send a packet with the following: From computer1 To computer3 Packet Type: "Ping Request" What type of packet did computer1 send before the ping?
ARP Request
What type of packet did computer1 receive before it was able to send the ping?
ARP Response
How many computers responded to the ping request?
1
Send a packet with the following: From computer2 To computer5 Packet Type: "Ping Request" What is the name of the first device that responded to the first ARP Request?
Router
What is the name of the first device that responded to the second ARP Request?
Computer5
Send another Ping Request. Did it require new ARP Requests? (yea/nay)
nay
Task 4 Enumerating Targets
We mentioned the different techniques we can use for scanning in Task 1. Before we explain each in detail and test it against a live target, we need to specify the targets we want to scan. Generally speaking, you can provide a list, a range, or a subnet. Examples of target specification are:
- list:
MACHINE_IP scanme.nmap.org example.comwill scan 3 IP addresses. - range:
10.11.12.15-20will scan 6 IP addresses:10.11.12.15,10.11.12.16,… and10.11.12.20. - subnet:
MACHINE_IP/30will scan 4 IP addresses.
You can also provide a file as input for your list of targets, nmap -iL list_of_hosts.txt.
If you want to check the list of hosts that Nmap will scan, you can use nmap -sL TARGETS. This option gives you a detailed list of hosts that Nmap will scan without actually scanning them; however, Nmap will attempt reverse-DNS resolution on all targets to obtain their names. Names might reveal various information to the pentester. (If you don't want Nmap to use the DNS server, you can add -n.)
Connecting to the Network
In this room, you will work with a small network consisting of one Windows host and one Ubuntu host to practice identifying live systems on a network.
When you open the room, you will see a network diagram showing the available hosts. To begin, click the Start button to deploy the network. Allow up to 2 minutes for all machines to initialise properly. Once the network has finished loading, launch the AttackBox by clicking the Start AttackBox button. When the AttackBox opens in split view, open a Terminal and run Nmap to perform host discovery, then answer the questions in this room.
Answer the questions below
What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target?
10.10.12.8
How many IP addresses will Nmap scan if you provide the following range: 10.10.0–255.101–125?
6400
Task 5
How would you know which hosts are up and running? It is essential to avoid wasting our time port-scanning an offline host or an IP address not in use. There are various ways to discover online hosts. When no host discovery options are provided, Nmap follows the following approaches to discover live hosts:
- When a privileged user tries to scan targets on a local network (Ethernet), Nmap uses ARP requests. A privileged user is
rootor a user who belongs tosudoersand can runsudo. - When a privileged user tries to scan targets outside the local network, Nmap uses ICMP echo requests, TCP ACK (Acknowledge) to port 80, TCP SYN (Synchronise) to port 443, and ICMP timestamp requests.
- When an unprivileged user tries to scan targets outside the local network, Nmap resorts to a TCP 3-way handshake by sending SYN packets to ports 80 and 443.
Nmap, by default, uses a ping scan to find live hosts, then proceeds to scan live hosts only. If you want to use Nmap to discover online hosts without port-scanning the live systems, you can issue nmap -sn TARGETS. Let's dig deeper to gain a solid understanding of the different techniques used.
ARP scan is possible only if you are on the same subnet as the target systems. On an Ethernet (802.3) and Wi-Fi (802.11), you need to know the MAC address of any system before you can communicate with it. The MAC address is required for the link-layer header; it contains the source and destination MAC addresses, among other fields. To get the MAC address, the OS sends an ARP query. A host that replies to ARP queries is up. The ARP query only works if the target is on the same subnet as you, i.e., on the same Ethernet/Wi-Fi network. You should expect to see many ARP queries generated during a Nmap scan of a local network. If you want Nmap only to perform an ARP scan without port-scanning, you can use nmap -PR -sn TARGETS, where -PR indicates that you only want an ARP scan.
Since we can only scan the system on our subnet, we will use 10.48.88.60 to scan live hosts on the network, without any port scanning. We run nmap -PR -sn 10.200.6.0/24 to discover all the live systems on the same subnet as our lab machine.
Terminal root@ip-10–201–24–228:~# nmap -PR -sn 10.48.88.60/24 Starting Nmap 7.80 ( https://nmap.org ) at 2026–02–04 15:43 GMT mass_dns: warning: Unable to open /etc/resolv.conf. Try using — system-dns or specify valid servers with — dns-servers mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using — system-dns or specify valid servers with — dns-servers Nmap scan report for 10.201.24.228 Host is up. Nmap done: 256 IP addresses (1 host up) scanned in 10.51 seconds
In this case, the AttackBox used ARP requests to discover live hosts on the same subnet. ARP scan works, as shown in the figure below. Nmap sends ARP requests to all target computers, and those that are online should reply with an ARP reply.
If we observe the packets generated by tools such as tcpdump or Wireshark, we will notice traffic similar to what is shown in the figure below. In this example, Wireshark displays the source and destination MAC addresses, the protocol, and the ARP query for each request.
The source MAC address belongs to the AttackBox, while the destination MAC address is the broadcast address. This is expected, as the target host's MAC address is not yet known. However, the target IP address being queried is visible in the Info column. As shown in the figure, ARP requests are sent sequentially to each IP address on the subnet, starting from 10.201.24.1.
When a host with the queried IP address is online, it responds with an ARP reply containing its MAC address. Receiving this reply confirms that the host is active and reachable on the network.
ARP scanning is particularly useful during post‑exploitation and internal network enumeration. Once an attacker gains access to a system within a network, ARP scans can be used to quickly and reliably identify other live hosts on the same local segment. Because ARP operates at Layer 2 and is often not filtered by firewalls, it is an effective tool for red-team operations and internal penetration testing.
Answer the questions below
How many hosts are found alive after scanning the 10.48.88.60/24?
1
The Above Output may can differ based on the network use the following command
nmap -PR -sn <ip_range>
- PR = To perform Arp scan
- -sn = for no port scanning
Task 6 Nmap Host Discovery Using ICMP
We can ping every IP address on a target network and see who would respond to our ping (ICMP Type 8/Echo) requests with a ping reply (ICMP Type 0). Simple, isn't it? Although this would be the most straightforward approach, it is not always reliable. Many firewalls block ICMP echo; new versions of MS Windows are configured with a host firewall that blocks ICMP echo requests by default. Remember that an ARP query precedes an ICMP request if your target is on the same subnet.
To use ICMP echo requests to discover live hosts, add the option -PE option. (Remember to add -sn if you don't want to follow that with a port scan.)
As shown in the following figure, an ICMP echo scan sends an ICMP echo request and expects the target to reply with an ICMP echo reply if it is online.
Practical
Using the AB, we will scan the target's subnet using nmap -PE -sn 10.200.6.0/24. This scan will send ICMP echo packets to every IP address on the subnet. Again, we expect live hosts to reply; however, it is wise to keep in mind that many firewalls block ICMP. The output below shows the result of scanning the lab machine's class C subnet using sudo nmap -PE -sn 10.200.6.0/24 from the AttackBox.
Note: In the upcoming exercise, you are supposed to use the updated .ovpn file in the AB or on your host to identify live hosts on the network.
Terminal
root@ip-10-201-66-6:~# sudo nmap -PE -sn 10.200.6.0/24
sudo: unable to resolve host ip-10-201-66-6: Name or service not known
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 11:51 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.200.6.1
Host is up (0.069s latency).
Nmap scan report for 10.200.6.50
Host is up (0.070s latency).
Nmap scan report for 10.200.6.250
Host is up (0.069s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.38 secondsroot@ip-10-201-66-6:~# sudo nmap -PE -sn 10.200.6.0/24
sudo: unable to resolve host ip-10-201-66-6: Name or service not known
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 11:51 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.200.6.1
Host is up (0.069s latency).
Nmap scan report for 10.200.6.50
Host is up (0.070s latency).
Nmap scan report for 10.200.6.250
Host is up (0.069s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.38 secondsIf you look at the network packets using a tool like Wireshark, you will see something similar to the image below. You can see that we have one source IP address on a different subnet than the destination subnet, sending ICMP echo requests to all IP addresses in the target subnet to see which will reply.
ICMP Timestamp
Because ICMP echo requests tend to be blocked, you might also consider ICMP Timestamp or ICMP Address Mask requests to tell if a system is online. Nmap uses a timestamp request (ICMP Type 13) and checks whether it will get a Timestamp reply (ICMP Type 14). Adding the -PP option tells Nmap to use ICMP timestamp requests. As shown in the figure below, you expect live hosts to reply.
In the following example, we run nmap -PP -sn 10.200.6.0/24 to discover the online computers on the lab machine subnet.
Terminal
root@ip-10-201-66-6:~# nmap -PP -sn 10.200.6.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 12:10 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.200.6.50
Host is up (0.069s latency).
Nmap scan report for 10.200.6.250
Host is up (0.069s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 8.44 secondsroot@ip-10-201-66-6:~# nmap -PP -sn 10.200.6.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 12:10 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.200.6.50
Host is up (0.069s latency).
Nmap scan report for 10.200.6.250
Host is up (0.069s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 8.44 secondsSimilar to the previous ICMP scan, this scan will send many ICMP timestamp requests to every valid IP address in the target subnet. In the Wireshark screenshot below (use tun0 interface in the AB), you can see one source IP address sending ICMP packets to every possible IP address to discover online hosts.
ICMP Type 17
Similarly, Nmap uses address mask queries (ICMP Type 17) and checks whether it gets an address mask reply (ICMP Type 18). This scan can be enabled with the option -PM. As shown in the figure below, live hosts are expected to reply to ICMP address mask requests.
In an attempt to discover live hosts using ICMP address mask queries, we run the command nmap -PM -sn 10.200.6.0/24. Although earlier scans showed at least 2 hosts are up, this scan returned none. The reason is that the target system or a firewall on the route is blocking this type of ICMP packet. Therefore, it is essential to learn multiple approaches to achieve the same result. If one packet type is blocked, we can always choose another to discover the target network and services.
Terminal
root@ip-10-201-66-6:~# nmap -PM -sn 10.200.6.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 12:15 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap done: 256 IP addresses (0 hosts up) scanned in 52.14 secondsroot@ip-10-201-66-6:~# nmap -PM -sn 10.200.6.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 12:15 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap done: 256 IP addresses (0 hosts up) scanned in 52.14 secondsAlthough we didn't receive any reply and couldn't determine which hosts were online, it is essential to note that this scan sent ICMP address-mask requests to every valid IP address and waited for a reply. Each ICMP request was sent twice, as shown in the screenshot below.
Answer the questions below
What is the option required to tell Nmap to use ICMP Timestamp to discover live hosts?
-PP
What is the option required to tell Nmap to use ICMP Address Mask to discover live hosts?
-PM
What is the option required to tell Nmap to use ICMP Echo to discover live hosts?
-PE
Task 7 Nmap Host Discovery Using TCP and UDP
TCP SYN Ping
We can send a packet with the SYN (Synchronise) flag set to TCP port 80 (80 by default) and wait for a response. An open port should reply with a SYN/ACK (Acknowledge); a closed port would result in an RST (Reset). In this case, we only check whether we receive a response to infer whether the host is up. The specific state of the port is not significant here. The figure below is a reminder of how a TCP 3-way handshake usually works.
If you want Nmap to use TCP SYN ping, you can do so via the option -PS followed by the port number, range, list, or a combination of them. For example, -PS21 will target port 21, while -PS21-25 will target ports 21, 22, 23, 24, and 25. Finally, -PS80,443,8080 will target the three ports 80, 443, and 8080.
Privileged users (root and sudoers) can send TCP SYN packets and don't need to complete the TCP 3-way handshake even if the port is open, as shown in the figure below. Unprivileged users have no choice but to complete the 3-way handshake if the port is open.
We will run nmap -PS -sn 10.200.6.0/24 to scan the target VM subnet. As shown in the output below, we discovered two hosts.
Terminal
root@ip-10-201-66-6:~# nmap -PS -sn 10.200.6.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 12:22 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.200.6.50
Host is up (0.070s latency).
Nmap scan report for 10.200.6.250
Host is up (0.068s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 33.88 secondsroot@ip-10-201-66-6:~# nmap -PS -sn 10.200.6.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 12:22 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.200.6.50
Host is up (0.070s latency).
Nmap scan report for 10.200.6.250
Host is up (0.068s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 33.88 secondsLet's take a closer look at what happened behind the scenes by looking at the network traffic on Wireshark in the figure below. Technically speaking, since we didn't specify any TCP ports to use in the TCP ping scan, Nmap used the default TCP port, 80. Any service listening on port 80 is expected to reply, indirectly indicating that the host is online.
TCP ACK Ping
As you have guessed, this sends a packet with an ACK flag set. You must run Nmap as a privileged user to accomplish this. If you try it as an unprivileged user, Nmap will attempt a 3-way handshake.
By default, port 80 is used. The syntax is similar to TCP SYN ping. -PA should be followed by a port number, a port number range, a list, or a combination of them. For example, consider -PA21, -PA21-25 and -PA80,443,8080. If no port is specified, port 80 will be used.
The following figure shows that any TCP packet with the ACK flag set should receive a TCP packet with the RST flag set. The target responds with the RST flag set because the TCP packet with the ACK flag is not part of any ongoing connection. The expected response is used to detect if the target host is up.
In this example, we run sudo nmap -PA -sn 10.200.6.0/24 to discover the online hosts on the target's subnet. We can see that the TCP ACK ping scan detected two hosts as up.
Terminal
root@ip-10-201-66-6:~# sudo nmap -PA -sn 10.200.6.0/24
sudo: unable to resolve host ip-10-201-66-6: Name or service not known
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 12:33 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.200.6.50
Host is up (0.070s latency).
Nmap scan report for 10.200.6.250
Host is up (0.069s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 36.64 secondsroot@ip-10-201-66-6:~# sudo nmap -PA -sn 10.200.6.0/24
sudo: unable to resolve host ip-10-201-66-6: Name or service not known
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 12:33 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.200.6.50
Host is up (0.070s latency).
Nmap scan report for 10.200.6.250
Host is up (0.069s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 36.64 secondsIf we peek at the network traffic shown in the figure below, we will discover many packets with the ACK flag set, sent to port 80 on the target systems. Nmap sends each packet twice. The systems that don't respond are offline or inaccessible.
UDP Ping
Finally, we can use UDP to discover if the host is online. Unlike a TCP SYN ping, sending a UDP packet to an open port is not expected to elicit a reply. However, if we send a UDP packet to a closed UDP port, we expect to get an ICMP port-unreachable packet; this indicates that the target system is up and available.
In the following figure, we see a UDP packet sent to an open UDP port that does not trigger a response. However, sending a UDP packet to any closed UDP port can trigger a response indirectly, indicating that the target is online.
The syntax to specify the ports is similar to that of TCP SYN ping and TCP ACK ping; Nmap uses -PU for UDP ping. In the following example, we run a UDP scan and discover two live hosts.
Terminal
root@ip-10-201-66-6:~# sudo nmap -PU -sn 10.200.6.0/24
sudo: unable to resolve host ip-10-201-66-6: Name or service not known
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 12:38 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.200.6.50
Host is up (0.070s latency).
Nmap scan report for 10.200.6.250
Host is up (0.069s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 35.97 secondsroot@ip-10-201-66-6:~# sudo nmap -PU -sn 10.200.6.0/24
sudo: unable to resolve host ip-10-201-66-6: Name or service not known
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-05 12:38 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.200.6.50
Host is up (0.070s latency).
Nmap scan report for 10.200.6.250
Host is up (0.069s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 35.97 secondsLet's inspect the UDP packets generated. In the following Wireshark screenshot, we notice Nmap sending UDP packets to UDP ports that are most likely closed. The image below shows that Nmap uses an uncommon UDP port to trigger an ICMP destination unreachable (port unreachable) error.
Masscan
On a side note, Masscan uses a similar approach to discover the available systems. However, to complete its network scan quickly, Masscan is quite aggressive in the rate at which it generates packets. The syntax is quite similar: -p can be followed by a port number, list, or range. Consider the following examples:
masscan 10.200.6.0/24 -p443masscan 10.200.6.0/24 -p80,443masscan 10.200.6.0/24 -p22-25
Masscan is not installed on the AttackBox; however, it can be installed using apt install masscan.
Answer the questions below
Which TCP ping scan does not require a privileged account?
TCP SYN Ping
Which TCP ping scan requires a privileged account?
TCP ACK Ping
What option do you need to add to Nmap to run a TCP SYN ping scan on the telnet port?
-PS23
Task 8 Using Reverse-DNS Lookup
Reverse DNS (rDNS) is the process of resolving an IP address to a hostname (the opposite of normal DNS). Instead of asking "What is the IP of example.com?", you ask "What domain name is assigned to 10.200.6.15?"
In Nmap, using -R forces reverse lookups for all discovered hosts, while -n disables them. This helps identify system roles (e.g., mail.company.local, dc01.domain.com) and understand network structure during recon. However, rDNS records aren't always configured or accurate, so results may be missing or misleading. It can also slightly slow scans due to additional DNS queries.
By default, Nmap will look up online hosts; however, you can use the option -R to query the DNS server even for offline hosts. If you want to use a specific DNS server, you can add the --dns-servers DNS_SERVER option.
Answer the questions below
We want Nmap to issue a reverse DNS lookup for all the possible hosts on a subnet, hoping to get some insights from the names. What option should we add?
-R
Task 9 Summary
You have learned how ARP, ICMP, TCP, and UDP can detect live hosts by completing this room. Any response from a host indicates that it is online. Below is a quick summary of the Nmap command-line options we covered.
Remember to add -sn if you are only interested in host discovery without port-scanning. Omitting -sn will let Nmap default to scanning live hosts for ports.
Effective live host discovery with Nmap lays the foundation for any successful penetration test. Knowing which hosts are online ensures accurate scoping and efficient follow-up scans. Stay tuned for more hands-on recon and enumeration insights.
Answer the questions below
Ensure you have noted all the Nmap options explained in this room. To continue learning about Nmap, please join the room Nmap Basic Port Scans, which introduces the basic types of port scans.
No Answer Needed