Shannon Morse discusses several discovery options you can use while working within NMap on today’s HakTip.

Download HD  |   Download MP4


Today we’re going to go over more Discovery Options.

Since there are so many Discovery options that we can cover, I decided to split these into two episodes- last week’s and this week’s. So last week we covered about 10 options you can add to your command to make sure you receive information from a specific target, even if ICMP is blocked. This week we’ll cover the basics on the rest of them.

First off we have -PO which stands for an IP protocol ping. This will send packets with a specific protocol to the target machine. Your syntax would look like this: nmap -PO If you want to add a certain protocol to your command, you would add -PO1,2,4, etc. The defaults, if you don’t specify anything, are Protocol 1, ICMP, Protocol 2, IGMP, and Protocol 4, IP-in-IP. Luckily there is a handy list of protocols online for you to use.

Next we have an ARP Ping, which can be used by adding -PR, so it would look like this: nmap -PR This is implied whenever you scan a local network. It’s very fast and very accurate because LAN hosts can not block ARP requests. You can’t use this if your target isn’t on your local subnet, keep that in mind.

Another one we have touched on is Traceroute. This will trace the network path to a specific host. It’s kind of cool when you run it because you end up with a map of locations that your target goes through. To do this, type nmap –traceroute You’ll notice a list of hops, and addresses for each one. It’s kind of cool to check out how your target is able to get from one point to another.

Next we are going to try out a forced Reverse DNS Resolution with the -R option. You would type, in this example, nmap -R This output will look similar to the default output, and is useful when you’re trying to resolve the reverse DNS info on every IP address for a subnet on a block of IP addresses. A reverse DNS can still reveal info through NMap even if the target is offline or blocking NMap’s regular probes.

On the other hand, if you want to disable reverse DNS lookups, you can do so with the -n option. If you find using reverse DNS is slow, this will speed it up.

There is also an alternative DNS lookup method you can use as well. This one looks like: nmap –system-dns This will use the hosts system’s DNS resolver instead of NMaps own method. It’s much slower than the other revers DNS lookup method, but can be useful for troubleshooting.

If you want to manually specify DNS servers, do the following: nmap –dns-servers, This bypasses the default DNS servers that are configured in your local system.

Last but not least, is creating a host list. This will identify the IP addresses and DNS names of targets without sending any packets to them. To do so, type nmap -sL Each target will list out it’s name and IP address in a simple list without all the extra information NMap usually passes.

What would you like to see next about NMAP? Send me a comment below or email us at And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.

Leave a Reply

Your email address will not be published. Required fields are marked *