Nmap for Pentester: Host Discovery Guide
- 12 hours ago
- 5 min read
"Knock, knock. Who's there? A TCP SYN packet."

Â
Introduction
Â
Host discovery is the first step in network penetration testing: you need to know which hosts are alive before port scanning or exploitation. Nmap offers several discovery techniques so you can adapt when the target blocks standard ICMP ping or uses a firewall.
Â
This guide explains what each command does and why you need it during a pentest, with commands you can run in a lab and terminal screenshots from real scans. After you have a live host list, continue with our FTP/SSH enumeration and PenTesting cheatsheet for the next phases.
Â
What is Nmap?
Â
From the Official Nmap documentation:
Â
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Â
Â
Default host discovery behavior
Â
Before you override anything, know what Nmap already does. By default (especially when running as a privileged user), Nmap combines multiple discovery probes, typically including ICMP echo, TCP SYN (often toward port 443), TCP ACK (often toward port 80), and ICMP timestamp requests, depending on platform and privileges. If one method is filtered, another may still mark the host as up. Unprivileged scans use a slightly different mix (e.g. connect()-style probes to common ports).
Â
Note: Several techniques in this guide (especially -Pn) increase probe volume and can trigger IDS/IPS or firewall alerts. Use only within defined scope and with client approval where required.
Â
Ping sweep (no port scan)
Â
What it does: -sn tells Nmap to discover hosts only, no port scan. (Older Nmap versions used -sP; prefer -sn on current releases.) On a local subnet Nmap typically uses ARP for discovery; hosts that reply are marked up. Nmap does not probe TCP/UDP ports in this mode, so the scan is fast and avoids port-based IDS rules.
Â
Why you need it on a pentest: Identify live IPs before spending time on -sV or script scans. In internal tests, ARP-based -sn is very fast on the LAN.
Â
nmap -sn 10.11.12.0/24Â
Â
To see what Nmap sends without Wireshark:
Â
nmap -sn 10.11.12.0/24 --packet-traceÂ
Â
Traceroute
Â
What it does: --traceroute discovers the hop list to the target using TTL: probes with increasing TTL record routers that respond with Time Exceeded.
Â
Why you need it on a pentest: Traceroute reveals the network path (hop list), not full topology. It helps document segmentation, border devices, and where probes drop. Combine with -sn for discovery and path mapping in one run.
Â
nmap -sn --traceroute 10.11.12.1Â
Â
Disable ARP ping and send-eth
Â
What it does: On the same LAN, Nmap uses ARP by default. These options differ:
Â
--disable-arp-ping turns off ARP so Nmap falls back to IP-layer probes (ICMP, TCP, etc.).
--send-eth forces raw Ethernet frames for host discovery (often useful on Windows with Npcap).
Â
The host is considered up only if it responds to the probes Nmap actually sends.
Â
Why you need it on a pentest: Disabling ARP makes discovery behave more like a cross-subnet scan and helps test firewall/IDS rules. ICMP/TCP/UDP examples below use --disable-arp-ping to show IP-based discovery; on a pure LAN sweep, omit it and let -sn use ARP.
Â
nmap -sn 10.11.12.10 --disable-arp-pingÂ
Â
nmap -sn 10.11.12.10 --packet-trace --send-ethÂ
Â
TCP SYN ping scan (-PS)
Â
What it does: Nmap sends TCP SYN to one or more ports (default includes 80). Closed ports typically reply RST; open ports SYN/ACK. Either response marks the host up. No full handshake is completed.
Â
Why you need it on a pentest: Many networks block ICMP but allow TCP to web ports. -PS is a first fallback when default -sn finds nothing. Use -PS80,443 (or other in-scope ports) for filtered environments.
Â
nmap -sn -PS 10.11.12.10 --disable-arp-ping
nmap -sn -PS22,3389 10.11.12.10 --disable-arp-pingÂ
Â
TCP ACK ping scan (-PA)
Â
What it does: Nmap sends TCP ACK with no prior SYN. The target should respond RST, which is enough to mark the host up.
Â
Why you need it on a pentest: Some ACLs block inbound SYN but still return RST to ACK probes. Use -PA when -PS fails but the host may still be live.
Â
nmap -sn -PA 10.11.12.10 --disable-arp-pingÂ
Â
ICMP echo ping scan (-PE)
Â
What it does: ICMP Echo Request (Type 8); the host replies with Echo Reply (Type 0) when permitted.
Â
Why you need it on a pentest: Simple discovery when ICMP is allowed. Document whether ICMP is blocked in the client report; switch to -PS, -PA, or -PU when echo is filtered.
Â
nmap -sn -PE 10.11.12.10 --disable-arp-ping
nmap -sn -PE 10.11.12.1-10Â
Â
Â
ICMP address mask and timestamp (-PM, -PP)
Â
What it does: -PM sends ICMP Address Mask Request (Type 17); -PP sends ICMP Timestamp Request (Type 13). A reply indicates the host is up.
Â
Why you need it on a pentest: Some networks block Echo but leave other ICMP types open. Try -PM or -PP when -PE fails to document partial ICMP filtering.
Â
nmap -sn -PM 10.11.12.10 --disable-arp-ping
nmap -sn -PP 10.11.12.10 --disable-arp-pingÂ
UDP ping scan (-PU)
Â
What it does: Nmap sends UDP to a port (default 40125, or specify one). ICMP Port Unreachable or an application reply can mark the host up. No UDP response does not prove the host is down; many stacks silently drop unsolicited UDP.
Â
Why you need it on a pentest: Use when TCP and ICMP fail. Target known UDP services (e.g. -PU53 for DNS) to increase response chance.
Â
nmap -sn -PU 10.11.12.10 --disable-arp-pingÂ
Â
IP protocol ping (-PO)
Â
What it does: Nmap sends raw IP packets with specific protocol numbers. ICMP Protocol Unreachable or similar responses can mark the host up.
Â
Why you need it on a pentest: Last-resort discovery when common probes are filtered but the IP stack still responds at the protocol layer.
Â
nmap -sn -PO 10.11.12.10 --disable-arp-pingÂ
No ping (-Pn)
Â
What it does: Skips host discovery; every specified IP is treated as up and port scanning runs immediately.
Â
Why you need it on a pentest: Use on a tight IP list when all discovery methods fail. Expect slower scans, more traffic, and higher IDS noise than light discovery.
Â
nmap -Pn 10.12.11.10Â
Â
ARP ping scan (-PR)
Â
What it does: ARP requests on the same Layer 2 segment; ARP replies mark hosts up. Bypasses IP-based firewall rules.
Â
Why you need it on a pentest: Fastest internal LAN discovery. ARP works only on the local L2 segment, not across routers.
Â
nmap -sn -PR 10.11.12.10Â
Â
SCTP INIT ping (-PY)
Â
What it does: Sends an SCTP INIT chunk (often to port 80). INIT-ACK or abort can infer the host is up.
Â
Why you need it on a pentest: Rare in typical enterprise LANs; useful in telecom or carrier environments where SCTP is in use.
Â
nmap -sn -PY 10.11.12.10 --disable-arp-pingÂ
Â
When to use which technique
Â
Situation | Prefer |
|---|---|
LAN / same L2 segment | -sn (ARP by default) or -PR for explicit ARP-only discovery |
ICMP echo blocked | -PS / -PA toward allowed ports (e.g. -PS80,443) |
Strict firewall, TCP heavily filtered | -PU, then -PO |
Discovery fails but targets may still be up | -Pn on a tight IP list (noisy; plan with client) |
Â
Default Nmap already combines several probes; add explicit flags when you need to bypass specific blocks or document how the network responds.
Â
Quick References
Â
Goal | Nmap option |
|---|---|
Ping sweep (no ports) | -sn (not deprecated -sP) |
No ARP (IP probes only) | --disable-arp-ping |
Raw Ethernet discovery | --send-eth |
TCP SYN ping | -PS or -PS80,443 |
TCP ACK ping | -PA |
-PE | |
ICMP Timestamp | -PP |
ICMP Address Mask | -PM |
UDP ping | -PU |
IP protocol ping | -PO |
Skip discovery | -Pn |
ARP ping | -PR |
SCTP INIT | -PY |
Traceroute | --traceroute |
Â
Conclusion
Â
Host discovery sets the target list for every later phase. On internal LANs, -sn with ARP is usually enough; across filtered perimeters, rotate through -PS, -PA, -PU, and -PO before resorting to -Pn on a scoped IP list. Document which probes worked: that evidence belongs in the report firewall and segmentation section.
Â
References
Â
Â
Â
Register for instructor-led online courses today! https://www.darkrelay.com/courses
Â
Check out our self-paced learning paths! https://www.darkrelay.com/learning-paths
Â
Explore our bundled Pricing & Plans for cost-effective options! Buy a course subscription to learn more—hands-on labs and expert-led training included. https://www.darkrelay.com/plans-pricing
Â
Contact us for custom pentesting needs at: info@darkrelay.com or WhatsApp.
Â