
Discovering hosts with TCP ACK ping scans

Similar to the TCP SYN ping scan, the TCP ACK ping scan is used to determine if a host is responding. It can be used to detect hosts that block SYN packets or ICMP echo requests, but it will most likely be blocked by modern firewalls that track connection states.

The following recipe shows how to perform a TCP ACK ping scan and its related options.

How to do it...

Open a terminal and enter the following command:

# nmap -sP -PA <target>

How it works...

A TCP ACK ping scan works in the following way:

  • Nmap sends an empty TCP packet with the ACK flag set to port 80
  • If the host is offline, it should not respond to this request
  • If the host is online, it returns an RST packet, since the connection does not exist
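The RST-on-bare-ACK behaviour just described is also what a defender can look for on the wire. The following is an added example, not code from the book: it walks constructed tcpdump-style lines (simplified format, documentation-range addresses) and flags senders of ACK segments that belong to no handshake it has seen, counting the RST replies that reveal a live host.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): a bare-ACK probe sweep
# from 203.0.113.7 against three ports, then a normal handshake from
# 198.51.100.2 whose final ACK must NOT be reported as a probe.
SAMPLE_LINES = """\
10:00:01.000 IP 203.0.113.7.40001 > 192.0.2.10.80: Flags [.], ack 1, win 1024, length 0
10:00:01.001 IP 192.0.2.10.80 > 203.0.113.7.40001: Flags [R], seq 1, win 0, length 0
10:00:01.002 IP 203.0.113.7.40002 > 192.0.2.10.22: Flags [.], ack 1, win 1024, length 0
10:00:01.003 IP 192.0.2.10.22 > 203.0.113.7.40002: Flags [R], seq 1, win 0, length 0
10:00:01.004 IP 203.0.113.7.40003 > 192.0.2.10.21: Flags [.], ack 1, win 1024, length 0
10:00:02.000 IP 198.51.100.2.51000 > 192.0.2.10.80: Flags [S], seq 100, win 64240, length 0
10:00:02.001 IP 192.0.2.10.80 > 198.51.100.2.51000: Flags [S.], seq 500, ack 101, win 65535, length 0
10:00:02.002 IP 198.51.100.2.51000 > 192.0.2.10.80: Flags [.], ack 501, win 64240, length 0
"""

# Simplified tcpdump line format assumed for this example.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def find_ack_probes(lines):
    """Return {source_ip: {"ports": set, "rst_replies": int}} for senders of
    bare ACK segments that belong to no connection a SYN was observed for."""
    syn_seen = set()   # 4-tuples (src, sport, dst, dport) that opened with a SYN
    pending = {}       # reversed 4-tuple of a suspect ACK -> probing source IP
    probes = defaultdict(lambda: {"ports": set(), "rst_replies": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        fwd = (src, sport, dst, dport)
        if "S" in flags:
            syn_seen.add(fwd)                  # handshake started: later ACKs are legitimate
        elif flags == "." and fwd not in syn_seen:
            probes[src]["ports"].add(dport)    # ACK with no connection behind it
            pending[(dst, dport, src, sport)] = src
        elif "R" in flags and fwd in pending:  # target answered RST: host revealed as up
            probes[pending.pop(fwd)]["rst_replies"] += 1
    return probes
```

A stateful firewall would drop the bare ACKs before the host sees them, which is why the recipe warns the technique often fails; here the RST replies show the probed host was reachable.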

There's more...

It is important to understand that there will be cases when this technique will not work. Let's launch a TCP ACK ping scan against one of these hosts.

# nmap -sP -PA 0xdeadbeefcafe.com

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.14 seconds

The host is shown as offline, but let's try a TCP SYN ping scan with the same host.

# nmap -sP -PS 0xdeadbeefcafe.com

Nmap scan report for 0xdeadbeefcafe.com (50.116.1.121)
Host is up (0.090s latency).
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds

We discovered that the host was online, but was blocking those ACK packets.

Privileged versus unprivileged TCP ACK ping scan

TCP ACK ping scans need to run as a privileged user; otherwise Nmap falls back to the connect() system call, which sends a TCP SYN packet rather than a bare ACK. Hence, as an unprivileged user, a TCP ACK ping scan will not use the TCP ACK technique discussed previously and will perform a TCP SYN ping scan instead.

Selecting ports in TCP ACK ping scans

Additionally, you can select the ports to be probed using this technique, by listing them after the flag -PA:

# nmap -sP -PA21,22,80 <target>
# nmap -sP -PA80-150 <target>
# nmap -sP -PA22,1000-65535 <target>

See also

  • The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
  • The Discovering hosts with TCP SYN ping scans recipe
  • The Discovering hosts with UDP ping scans recipe
  • The Discovering hosts with ICMP ping scans recipe
  • The Discovering hosts with IP protocol ping scans recipe
  • The Discovering hosts with ARP ping scans recipe
  • The Discovering hosts using broadcast pings recipe
  • The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information