Nmap Live Host Discovery

Overview

Before port scanning, Nmap needs to answer a simpler question: which systems are actually online? This room focuses on Nmap's host discovery stage and the different protocols (ARP, ICMP, TCP and UDP) it can use to detect live targets without wasting time scanning dead hosts.

Core idea: host discovery reduces noise and saves time by proving a target is up before you move on to service enumeration.

1) Target Specification

Nmap accepts multiple target formats, so you can scan exactly what you intend: a single IP address or hostname, an octet range such as 10.10.1.1-10 (a range or comma list is allowed in any octet), a CIDR block such as 10.10.1.0/24, or several of these separated by spaces on one command line. -iL FILE reads one target per line from a file.

Preview mode: use nmap -sL TARGETS to list what Nmap would scan without sending any probes to the targets. Add -n if you do not want the reverse DNS lookups that -sL otherwise performs for every listed address.
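To see how those formats expand, here is an added example (not code from the room or from Nmap) that reimplements the expansion nmap -sL performs for IPv4 specs, so a target list can be checked offline before anything is sent. It handles the single-address, octet-range, comma-list and CIDR forms above; hostnames are passed through unresolved because it does no DNS, and IPv6 is not handled.

```python
"""Expand Nmap-style target specifications into individual IPv4 addresses.

Added example, not code from the room or from Nmap itself: a small
re-implementation of the target syntax that `nmap -sL` expands, so a target
list can be sanity-checked offline before any probe is sent. Hostnames are
passed through unresolved (no DNS is done here) and IPv6 is not handled.
"""
import ipaddress
import itertools
import re

# One comma-separated item inside a dotted-quad field: "5", "1-10", "-", "20-", "-20"
_OCTET_ITEM = re.compile(r"^(\d*)(-?)(\d*)$")


def _expand_octet(field: str) -> list[int]:
    """Expand one field of a dotted quad into the octet values it covers."""
    if field == "*":                      # nmap treats "*" like "-" (0-255)
        return list(range(256))
    values: list[int] = []
    for item in field.split(","):
        match = _OCTET_ITEM.match(item)
        if not match or item == "":
            raise ValueError(f"bad octet field {item!r}")
        low, dash, high = match.groups()
        if not dash:                      # plain number
            start = end = int(low)
        else:                             # range; a missing bound means 0 or 255
            start = int(low) if low else 0
            end = int(high) if high else 255
        if not 0 <= start <= end <= 255:
            raise ValueError(f"octet range out of bounds: {item!r}")
        values.extend(range(start, end + 1))
    return values


def expand_spec(spec: str) -> list[str]:
    """Expand one spec: a single address, a hostname, a CIDR block or octet ranges."""
    spec = spec.strip()
    if "/" in spec:
        base, _, _prefix = spec.partition("/")
        if any(ch in base for ch in "-,*"):
            raise ValueError("octet ranges combined with a CIDR suffix are not supported here")
        # strict=False so a host address with a prefix (10.10.1.7/30) names its block, as it
        # does for nmap; network and broadcast addresses are listed, as nmap lists them.
        net = ipaddress.ip_network(spec, strict=False)
        if net.version != 4:
            raise ValueError("IPv4 only in this example")
        return [str(addr) for addr in net]
    fields = spec.split(".")
    if len(fields) == 4 and all(re.fullmatch(r"[\d,*-]+", f) for f in fields):
        octets = [_expand_octet(f) for f in fields]
        return [".".join(map(str, combo)) for combo in itertools.product(*octets)]
    # Anything else is taken to be a hostname and left for nmap (or the resolver) to resolve.
    return [spec]


def list_targets(*specs: str) -> list[str]:
    """Expand every spec given on the command line, in order, dropping repeats
    (scanning the same address twice only costs time)."""
    seen: set[str] = set()
    targets: list[str] = []
    for spec in specs:
        for target in expand_spec(spec):
            if target not in seen:
                seen.add(target)
                targets.append(target)
    return targets


if __name__ == "__main__":
    # The expansion nmap -sL would show for: nmap -sL 10.10.1.0/30 10.10.1.1-3 10.10.1.10,12
    for target in list_targets("10.10.1.0/30", "10.10.1.1-3", "10.10.1.10,12"):
        print(target)
```

Compare its output with nmap -sL -n on the same specs; any difference is either a spec this example does not support (ranges combined with a CIDR suffix, IPv6) or a typo in the target list worth catching before the scan.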

2) Protocols Used for Discovery

Nmap can use ARP, ICMP, TCP or UDP to discover live hosts. Which one works depends on where you are positioned (same subnet or behind routers), whether you have the privileges to send raw packets, and what is being filtered on the path.

Rule of thumb: any response is useful. You often do not care what the port state is yet, only that the host answered somehow.

3) ARP Discovery

ARP host discovery works only on the local subnet because ARP is a link-layer protocol and ARP requests do not cross routers. Where it applies it is also the most reliable method: a host must answer ARP to communicate on the segment at all, so a host firewall that drops ICMP and TCP probes does not stop it. Nmap knows this: when a privileged user scans the local Ethernet segment it uses ARP for discovery by default, whatever other -P options are given, unless --send-ip forces IP probes.

sudo nmap -PR -sn MACHINE_IP/24

Related tool: sudo arp-scan -l (short for --localnet) sends an ARP request to every address on the interface's own subnet and is very useful on local networks; like -PR it needs raw-socket privileges, hence sudo.

4) ICMP Discovery

ICMP is the classic way to probe for live systems, but firewalls often block some or all of these request types, and many hosts rate-limit the replies they send. Nmap offers three request types so that a filter which blocks one may still let another through.

ICMP Echo (type 8 request, expects a type 0 echo reply; the same probe ping uses)

sudo nmap -PE -sn MACHINE_IP/24

ICMP Timestamp (type 13 request, expects a type 14 reply)

sudo nmap -PP -sn MACHINE_IP/24

ICMP Address Mask (type 17 request, expects a type 18 reply)

sudo nmap -PM -sn MACHINE_IP/24

Important: if one ICMP method fails, that does not prove the host is down. It may only mean that this ICMP type is filtered somewhere along the path, which is why Nmap's default remote discovery mixes ICMP with TCP probes rather than relying on echo alone.

5) TCP SYN Ping

TCP SYN ping sends SYN probes to the listed ports (port 80 if none is given; note there is no space between -PS and the port list) and watches for any TCP response. An open port returns SYN/ACK; a closed one returns RST. Either response proves the host is up, which is all this stage needs; the port state is a bonus. Running as root, Nmap sends raw SYNs and the kernel answers any SYN/ACK with RST, so no connection is completed; without privileges it falls back to a full connect() handshake, which is slower and more visible to the target.

sudo nmap -PS22,80,443 -sn MACHINE_IP/30

6) TCP ACK Ping

ACK ping sends TCP segments with only the ACK flag set (to port 80 if none is given). Because the segment does not belong to any existing connection, an unfiltered host answers with RST whether the port is open or closed, and that RST proves it is online.

sudo nmap -PA22,80,443 -sn MACHINE_IP/30

Why use it: a stateless packet filter that lets ACK segments through (treating them as part of established connections) while blocking SYN or ICMP can be passed this way, so ACK ping gives you another path to host discovery. A stateful firewall, by contrast, knows there is no matching connection and drops the ACK, so SYN ping is the better choice there; sending both (-PS and -PA together) covers either case. Unprivileged users cannot send bare ACKs at all: Nmap uses connect() instead, so -PA then behaves like -PS.

7) UDP Ping

UDP ping does not rely on a normal application reply. It sends a UDP datagram to the listed ports (40125 if none is given) and usually works the other way round: hitting a closed UDP port provokes an ICMP port unreachable error (type 3, code 3) from the target, which proves the host is alive.

sudo nmap -PU53,161,162 -sn MACHINE_IP/30

Key point: an open UDP port may stay silent, so closed-port ICMP errors are often more helpful than successful application responses here. That argues for probing ports likely to be closed, which is why Nmap's default for -PU is the obscure port 40125 rather than service ports such as the 53, 161 and 162 used above. Note also that many hosts rate-limit the ICMP errors they send, so a large UDP sweep can miss hosts that are in fact up.
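The rule of thumb running through sections 4 to 7 (any packet the target itself sends back counts, whatever the port state, while an ICMP error from a router on the path proves nothing about the target) can be written down as a classifier. The following is an added example, not code from the room or from Nmap: it parses raw IPv4, TCP and ICMP headers with the standard library and returns a verdict for a set of constructed sample responses (made-up 10.10.1.x addresses, zero checksums). Nothing is sent on the wire.

```python
"""Decide whether a response to an Nmap host-discovery probe proves the target is up.

Added example, not code from the room or from Nmap. It applies the rule the
room states for SYN, ACK, UDP and ICMP ping alike: any packet the target
itself sends back (SYN/ACK, RST, an ICMP reply or an ICMP error) proves it is
alive regardless of port state, while an ICMP error generated by a router in
the path says only that something is filtered. Packets are constructed inline
with zero checksums so everything runs offline; a real tool would read them
from a pcap or a raw socket.
"""
import socket
import struct
from dataclasses import dataclass

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

ICMP_REPLIES = {0: "echo reply", 14: "timestamp reply", 18: "address mask reply"}  # -PE/-PP/-PM
ICMP_DEST_UNREACH = 3
UNREACH_CODES = {1: "host unreachable", 3: "port unreachable",
                 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}


@dataclass
class Verdict:
    host_up: bool   # True only when the evidence came from the target itself
    reason: str


def classify(packet: bytes, target: str) -> Verdict:
    """Classify one raw IPv4 packet received after probing `target`."""
    if len(packet) < 20:
        return Verdict(False, "truncated IPv4 header")
    ver_ihl, _tos, _len, _id, _frag, _ttl, proto, _csum, src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return Verdict(False, "not an IPv4 packet")
    src_ip = socket.inet_ntoa(src)
    body = packet[(ver_ihl & 0x0F) * 4:]          # skip options, if any
    from_target = src_ip == target

    if proto == IPPROTO_TCP:
        if len(body) < 14:
            return Verdict(False, "truncated TCP header")
        sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", body[:14])
        flags = off_flags & 0x01FF                  # low 9 bits of the offset/flags word
        if not from_target:
            return Verdict(False, f"TCP from {src_ip}, not the target")
        if flags & TCP_SYN and flags & TCP_ACK:
            return Verdict(True, f"SYN/ACK from port {sport}: host up, port open")
        if flags & TCP_RST:
            return Verdict(True, f"RST from port {sport}: host up (port closed, or ACK probe answered)")
        return Verdict(True, f"TCP flags 0x{flags:03x} from target: host up")

    if proto == IPPROTO_ICMP:
        if len(body) < 4:
            return Verdict(False, "truncated ICMP header")
        icmp_type, code = struct.unpack("!BB", body[:2])
        if icmp_type in ICMP_REPLIES:
            name = ICMP_REPLIES[icmp_type]
            return Verdict(from_target, f"ICMP {name} from {src_ip}" + ("" if from_target else ", not the target"))
        if icmp_type == ICMP_DEST_UNREACH:
            desc = UNREACH_CODES.get(code, f"unreachable code {code}")
            if from_target:   # the target's own stack or host firewall generated it, so it is alive
                return Verdict(True, f"ICMP {desc} sent by the target itself: host up")
            return Verdict(False, f"ICMP {desc} from {src_ip}: filtered on the path, target state unknown")
        return Verdict(False, f"ICMP type {icmp_type} code {code} from {src_ip}: no verdict")

    return Verdict(False, f"IP protocol {proto} from {src_ip}: ignored")


def _ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def tcp_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """IPv4 + 20-byte TCP header carrying the given flags (data offset 5, window 1024)."""
    return _ipv4(IPPROTO_TCP, src, dst,
                 struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0))


def icmp_packet(src: str, dst: str, icmp_type: int, code: int) -> bytes:
    """IPv4 + 8-byte ICMP header (type, code, checksum, rest of header)."""
    return _ipv4(IPPROTO_ICMP, src, dst, struct.pack("!BBHI", icmp_type, code, 0, 0))


# Constructed sample responses: scanner 10.10.1.50 probing 10.10.1.5 (addresses are made up).
TARGET, SCANNER, ROUTER = "10.10.1.5", "10.10.1.50", "10.10.1.1"
SAMPLES = {
    "-PS443, port open":            tcp_packet(TARGET, SCANNER, 443, 40001, TCP_SYN | TCP_ACK),
    "-PS22, port closed":           tcp_packet(TARGET, SCANNER, 22, 40001, TCP_RST | TCP_ACK),
    "-PA80, unsolicited ACK":       tcp_packet(TARGET, SCANNER, 80, 40002, TCP_RST),
    "-PE echo reply":               icmp_packet(TARGET, SCANNER, 0, 0),
    "-PU, closed UDP port":         icmp_packet(TARGET, SCANNER, ICMP_DEST_UNREACH, 3),
    "-PU, router admin-prohibited": icmp_packet(ROUTER, SCANNER, ICMP_DEST_UNREACH, 13),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        verdict = classify(pkt, TARGET)
        print(f"{label:30} up={verdict.host_up!s:5} {verdict.reason}")
```

The last sample is the case section 4's warning is about: the admin-prohibited error comes from 10.10.1.1, not from the target, so it is recorded as "state unknown" rather than "down". The same code path is what you would reach for when sorting a capture of a discovery sweep by hand.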

8) Default Nmap Behavior

When no host discovery flags are supplied, Nmap picks its probes by privilege level and target location. As a privileged user on the local Ethernet segment it sends ARP requests. As a privileged user against remote targets it sends four probes per host: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. As an unprivileged user it can only attempt TCP connect() to ports 80 and 443, which is effectively a SYN ping.

Host discovery only: add -sn if you want to stop after live-host detection and avoid any port scanning. The opposite switch is -Pn, which skips discovery and treats every target as up; use it when you know a host is alive but it drops every discovery probe, because otherwise Nmap marks it down and never port-scans it.

9) Reverse DNS and Noise Control

By default, Nmap performs reverse DNS lookups on hosts it finds online. This can reveal useful hostnames, but it also creates extra DNS traffic that the resolver in use (and anyone monitoring it) will see.

nmap -n TARGETS
nmap -R TARGETS
nmap --dns-servers DNS_SERVER TARGETS

-n disables reverse resolution entirely; -R forces it for every target, including hosts that appear down; --dns-servers sends the lookups to the servers you name instead of the system resolver, which matters inside an engagement where only the internal DNS holds the interesting names.

10) Related Scanners

The room also mentions tools that overlap with Nmap's discovery stage, such as arp-scan (section 3) and Masscan:

Caution: Masscan uses its own asynchronous TCP/IP stack and transmits at whatever packet rate you allow it (--rate), so it is extremely noisy compared with standard Nmap usage and can saturate links or upset fragile devices. It is powerful but easy to misuse, so set the rate deliberately and scope targets tightly.

Nmap Host Discovery Cheat Sheet

sudo nmap -PR -sn MACHINE_IP/24
sudo nmap -PE -sn MACHINE_IP/24
sudo nmap -PP -sn MACHINE_IP/24
sudo nmap -PM -sn MACHINE_IP/24
sudo nmap -PS22,80,443 -sn MACHINE_IP/30
sudo nmap -PA22,80,443 -sn MACHINE_IP/30
sudo nmap -PU53,161,162 -sn MACHINE_IP/30

Exam Notes (PT1)