Nmap network reconnaissance using various ICMP requests
Nmap is the most well known network scanner tool, and is used by system administrators, network engineers and security specialists; it can identify hosts, their operating system and running services on a network by sending packets and analyzing the responses.
How to install Nmap
Nmap is available for Linux, Windows and macOS and can be installed through the operating system's package manager or the installers available for each platform.
How to run Nmap
Nmap is a console application and needs to be run from a terminal (or a command prompt on Windows); some of its features work only with root/Administrator rights or via sudo.
Syntax:
nmap [options] <target>
<target> can be either a single IP address, a subnet, a range or a hostname:
- IP address: in IPv4 or IPv6 format
- subnet example: 192.168.1.0/24
- range example: 192.168.1.0-16
- hostname: myserver
Identify Hosts
Various techniques can be used to identify hosts on a network; in this article we discuss how to perform network reconnaissance using Nmap's ICMP request options.
ICMP Ping
Nmap supports three forms of ICMP ping: “Echo Request”, “Timestamp Request” and “Address Mask Request”. To use only ICMP ping without also performing a port scan, we must use the -sn option (or its older alias -sP).
For machines on the local network an ARP scan is performed first, unless it is disabled with the --disable-arp-ping option.
ICMP Type 8: Echo Request
Nmap sends an ICMP Type 8 (Echo Request) packet to the target when given the -PE option, expecting a Type 0 (Echo Reply) response; this is the most common form of ICMP ping, the same one used by the standard ping tool of most operating systems.
Syntax:
nmap --disable-arp-ping -sn -PE <target>
ICMP Type 13: Timestamp Request
Nmap sends an ICMP Type 13 (Timestamp Request) packet to the target when given the -PP option, expecting a Type 14 (Timestamp Reply) response; this is not a common ICMP request: it was used between routers to synchronize their clocks, but has been deprecated in favor of NTP.
Syntax:
nmap --disable-arp-ping -sn -PP <target>
ICMP Type 17: Address Mask Request
Nmap sends an ICMP Type 17 (Address Mask Request) packet to the target when given the -PM option, expecting a Type 18 (Address Mask Reply) response; the reply reports the subnet information related to the responding host. Modern operating systems generally ignore ICMP type 17 messages, but routers commonly respond to this request.
Syntax:
nmap --disable-arp-ping -sn -PM <target>
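To make the three request/reply pairs above concrete from the receiving side, here is an added Python example (written for this page, not code from the article or from the Nmap project) that decodes a raw ICMP header as a network sensor would see it, verifies the RFC 1071 checksum, and maps the type number to the Nmap option that emits it and the reply type a responsive host would return. The sample packets are constructed inline; the `build_icmp` helper exists only to produce that sample input and is an assumption of this example, not a reproduction of how Nmap builds its probes. Nothing is sent on the wire.

```python
import struct

# ICMP request types covered in the article (RFC 792 and RFC 950), keyed by
# type number: (Nmap host-discovery option, expected reply type, name).
ICMP_PROBES = {
    8: ("-PE", 0, "Echo Request"),
    13: ("-PP", 14, "Timestamp Request"),
    17: ("-PM", 18, "Address Mask Request"),
}
REPLY_NAMES = {0: "Echo Reply", 14: "Timestamp Reply", 18: "Address Mask Reply"}

# Types 13 and 17 are rarely used by legitimate hosts today, so seeing them
# on the wire is a useful host-discovery indicator for a network sensor.
RARE_PROBE_TYPES = {13, 17}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int = 0x1234, seq: int = 1, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum.

    Used here only to construct sample input for the decoder; it is an
    assumption of this example and not a copy of how Nmap builds its probes.
    """
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def classify_icmp(packet: bytes) -> dict:
    """Decode an ICMP message (the bytes after the IP header) and describe it."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes, got %d" % len(packet))
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing the whole message including the stored checksum yields 0 when intact.
    checksum_ok = icmp_checksum(packet) == 0
    info = {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "checksum_ok": checksum_ok,
        "nmap_option": None,
        "expected_reply": None,
    }
    if icmp_type in ICMP_PROBES:
        option, reply, name = ICMP_PROBES[icmp_type]
        info.update(name=name, role="request", nmap_option=option, expected_reply=reply)
    elif icmp_type in REPLY_NAMES:
        info.update(name=REPLY_NAMES[icmp_type], role="reply")
    else:
        info.update(name="other", role="other")
    return info


def rare_probe_types(packets):
    """Names of Timestamp/Address Mask requests in a packet list, skipping
    packets whose checksum does not verify."""
    seen = []
    for pkt in packets:
        info = classify_icmp(pkt)
        if info["checksum_ok"] and info["type"] in RARE_PROBE_TYPES:
            seen.append(info["name"])
    return seen


# Constructed sample packets, one per probe type the article describes.
SAMPLE_ECHO = build_icmp(8, payload=b"nmap")
SAMPLE_TIMESTAMP = build_icmp(13, payload=bytes(12))  # originate/receive/transmit fields
SAMPLE_ADDRMASK = build_icmp(17, payload=bytes(4))  # mask field, zero in a request
SAMPLE_CORRUPT = SAMPLE_ECHO[:-1] + b"x"  # one payload byte altered in transit

if __name__ == "__main__":
    for pkt in (SAMPLE_ECHO, SAMPLE_TIMESTAMP, SAMPLE_ADDRMASK, SAMPLE_CORRUPT):
        print(classify_icmp(pkt))
    print("rare probes:", rare_probe_types([SAMPLE_ECHO, SAMPLE_TIMESTAMP, SAMPLE_ADDRMASK]))
```

The checksum check matters for a sensor: a truncated or mangled capture should not be counted as a probe. The `rare_probe_types` helper reflects the article's point that Timestamp and Address Mask requests are uncommon on modern networks, which is exactly why they are worth alerting on when they appear.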
Example: A common Ping sweep
The following example, run without any ping-specific parameters, is equivalent to using the -PE and -PM options with port scanning and ARP scanning disabled. One reason not to port scan during an initial network reconnaissance is to avoid triggering the IDS by port scanning a large number of IP addresses. There is no actual disadvantage to using ARP scanning; I am simply not using it in my examples because I want to focus on ICMP scanning, and ARP scanning is prioritized for LAN addresses.
nmap --disable-arp-ping -sn 192.168.1.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-12 22:54 EEST
Nmap scan report for h288a (192.168.1.1)
Host is up (0.0066s latency).
Nmap scan report for 192.168.1.4 (192.168.1.4)
Host is up (0.15s latency).
Nmap scan report for 192.168.1.9 (192.168.1.9)
Host is up (0.013s latency).
Nmap scan report for 192.168.1.12 (192.168.1.12)
Host is up (0.10s latency).
Nmap scan report for 192.168.1.30 (192.168.1.30)
Host is up (0.0071s latency).
Nmap scan report for prometheus (192.168.1.83)
Host is up (0.00084s latency).
Nmap scan report for 192.168.1.91 (192.168.1.91)
Host is up (0.049s latency).
Nmap scan report for 192.168.1.127 (192.168.1.127)
Host is up (0.15s latency).
Nmap done: 256 IP addresses (8 hosts up) scanned in 69.26 seconds
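The report above is easy to turn into data. The added Python example below (written for this page, not code from the article or from Nmap) parses `nmap -sn` output into host records and compares the hosts that answered against a known-asset inventory, so that devices nobody expected on the subnet stand out, along with inventory hosts that did not answer. The sample output is a constructed, trimmed copy of the article's report with the summary line adjusted to match; it also includes one assumed `Host is up.` line without a latency value, the form Nmap prints when no round-trip time is available. The inventory set is made up for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the article's ping sweep trimmed to four hosts, with the
# summary line adjusted, plus one assumed "Host is up." line without latency.
SAMPLE_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-12 22:54 EEST
Nmap scan report for h288a (192.168.1.1)
Host is up (0.0066s latency).
Nmap scan report for 192.168.1.4 (192.168.1.4)
Host is up (0.15s latency).
Nmap scan report for prometheus (192.168.1.83)
Host is up (0.00084s latency).
Nmap scan report for 192.168.1.127
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 69.26 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
UP_RE = re.compile(r"^Host is up(?: \(([0-9.]+)s latency\))?\.$")
DONE_RE = re.compile(
    r"^Nmap done: (\d+) IP addresses? \((\d+) hosts? up\) scanned in ([0-9.]+) seconds$"
)


@dataclass
class Host:
    ip: str
    name: Optional[str]          # reverse-DNS name, None when Nmap had no PTR record
    latency_s: Optional[float]   # None when the report line carries no latency


@dataclass
class SweepResult:
    hosts: List[Host]
    addresses_scanned: int
    hosts_up: int
    duration_s: float


def parse_sn_output(text: str) -> SweepResult:
    """Parse the normal (non -oX/-oG) output of `nmap -sn` into a SweepResult."""
    hosts: List[Host] = []
    pending: Optional[Host] = None
    addresses = up = 0
    duration = 0.0
    for line in text.splitlines():
        line = line.strip()
        m = REPORT_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2)
            if ip is None:      # "report for 192.168.1.127": only an address
                ip, name = name, None
            elif name == ip:    # Nmap repeats the address when no name resolved
                name = None
            pending = Host(ip=ip, name=name, latency_s=None)
            continue
        m = UP_RE.match(line)
        if m and pending is not None:
            pending.latency_s = float(m.group(1)) if m.group(1) else None
            hosts.append(pending)
            pending = None
            continue
        m = DONE_RE.match(line)
        if m:
            addresses, up, duration = int(m.group(1)), int(m.group(2)), float(m.group(3))
    return SweepResult(hosts, addresses, up, duration)


def unknown_hosts(result: SweepResult, inventory: Set[str]) -> List[str]:
    """Addresses that answered the sweep but are absent from the asset inventory."""
    return [h.ip for h in result.hosts if h.ip not in inventory]


def missing_hosts(result: SweepResult, inventory: Set[str]) -> List[str]:
    """Inventory addresses that did not answer (down, filtered, or ignoring ICMP)."""
    answered = {h.ip for h in result.hosts}
    return sorted(ip for ip in inventory if ip not in answered)


# Assumed asset inventory, made up for this example.
KNOWN_ASSETS = {"192.168.1.1", "192.168.1.83", "192.168.1.200"}

if __name__ == "__main__":
    result = parse_sn_output(SAMPLE_OUTPUT)
    print(f"{result.hosts_up} of {result.addresses_scanned} addresses answered in {result.duration_s}s")
    for h in result.hosts:
        print(f"  {h.ip:<15} name={h.name or '-':<12} latency={h.latency_s}")
    print("unknown:", unknown_hosts(result, KNOWN_ASSETS))
    print("missing:", missing_hosts(result, KNOWN_ASSETS))
```

A host missing from the sweep is not necessarily down: as the article notes, many systems ignore some ICMP types, so treat "missing" as a prompt to check with another discovery method rather than as proof of absence. For production tooling, prefer Nmap's -oX (XML) or -oG (grepable) output formats over parsing the normal report shown here.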
I hope you found this article intuitive :)