Firewalls and intrusion detection systems often block ICMP (ping) requests to prevent unauthorized network reconnaissance. This can make it challenging to identify live hosts using standard scanning techniques. However, Nmap provides several methods to bypass these restrictions and discover active systems even when ICMP is blocked. In addition, Nmap’s Scripting Engine (NSE) allows users to perform advanced network discovery, vulnerability detection, and even exploit automation. This module covers techniques to bypass ping blocking and use NSE effectively.
Organizations block ICMP Echo Requests to reduce exposure to network scans, prevent denial-of-service attacks, and minimize unnecessary traffic. Many firewalls are configured to drop ping requests, making it appear as if a system is offline when it is actually running. Since Nmap’s default behavior includes an ICMP request before scanning, a blocked ping can cause Nmap to incorrectly assume a host is down. To address this, alternative methods such as TCP, UDP, and ARP-based discovery are required.
TCP SYN Ping (-PS)
A common way to detect hosts behind firewalls is to send TCP SYN packets to well-known ports. If the target responds with a SYN-ACK (or a RST from a closed port), the system is confirmed to be online.
Example:
nmap -PS22,80,443 192.168.1.1
This command sends SYN packets to ports 22 (SSH), 80 (HTTP), and 443 (HTTPS). If any of these ports respond, the host is detected as online, even if ICMP is blocked.
This method is particularly useful for scanning systems that block ping but allow connections to web or remote access services.
TCP ACK Ping (-PA)
Instead of initiating a new connection, this method sends TCP ACK packets. Some firewalls assume that ACK packets belong to an established session and allow them through; the RST the target sends back reveals the presence of a system.
Example:
nmap -PA80,443 192.168.1.1
This sends ACK packets to ports 80 and 443. If the target responds, it indicates the system is active. This is effective against firewalls that block new connections but allow responses to existing ones.
UDP Ping (-PU)
Since many security policies only restrict TCP and ICMP, UDP-based discovery can sometimes bypass these defenses. This method sends UDP packets to specified ports, such as DNS (53) and SNMP (161), which frequently allow inbound traffic.
Example:
nmap -PU53,161 192.168.1.1
If a response is received, the target is confirmed to be online. This technique is useful for identifying devices like DNS servers or network appliances that rely on UDP communication.
ARP Scan (-PR)
When scanning within a local network, an ARP scan is the most reliable method for detecting live hosts. ARP requests do not rely on ICMP or TCP and cannot be blocked by traditional firewalls.
Example:
nmap -PR 192.168.1.0/24
This command discovers all active devices on the specified subnet. ARP scans are essential for internal network reconnaissance, especially when other discovery methods fail due to security restrictions.
No Ping (-Pn)
In cases where a system is known to be online but blocks all forms of discovery, Nmap can be instructed to assume all targets are up and proceed with scanning.
Example:
nmap -Pn 192.168.1.1
This disables host discovery and scans the target’s ports directly. While effective, this approach can be inefficient as it attempts to scan every IP, even inactive ones.
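The discovery methods above all end the same way: Nmap marks a host "up" and, in its XML output (-oX), records the reason, which tells you which probe actually got an answer. The following parser is an added example, not part of the original page or of the Nmap project itself. It reads a constructed XML sample that mimics the schema of an Nmap -sn sweep combining -PS, -PA, -PU and -PR, maps each reason string back to the probe that produced it, and separates hosts that answered a probe from hosts that -Pn merely assumed were up (reason "user-set"). The mapping table and the sample addresses are assumptions made for the example.

```python
"""Parse Nmap XML (-oX) from a host-discovery sweep and report which probe
proved each host alive. Added example; not Nmap's own code."""
import xml.etree.ElementTree as ET

# How Nmap's <status reason="..."> value maps back to the discovery probe that
# elicited the answer. "user-set" means -Pn was used: the host was assumed up,
# so it must not be read as evidence that anything is listening.
REASON_TO_PROBE = {
    "syn-ack": "TCP SYN ping (-PS) reached an open port",
    "reset": "TCP SYN ping (-PS) hit a closed port, or TCP ACK ping (-PA) was answered",
    "arp-response": "ARP ping (-PR): host is on the local segment",
    "echo-reply": "ICMP echo ping (-PE) was not blocked",
    "port-unreach": "UDP ping (-PU) hit a closed port (ICMP port unreachable)",
    "user-set": "assumed up by -Pn; no probe was answered",
}

# Constructed sample in Nmap's XML layout (addresses and MAC are made up).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sn -PS22,80,443 -PA80 -PU53 -PR -oX - 192.168.1.0/29">
<host><status state="up" reason="syn-ack" reason_ttl="64"/><address addr="192.168.1.1" addrtype="ipv4"/></host>
<host><status state="up" reason="reset" reason_ttl="128"/><address addr="192.168.1.2" addrtype="ipv4"/></host>
<host><status state="up" reason="arp-response" reason_ttl="0"/><address addr="192.168.1.3" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/></host>
<host><status state="down" reason="no-response" reason_ttl="0"/><address addr="192.168.1.4" addrtype="ipv4"/></host>
<host><status state="up" reason="user-set" reason_ttl="0"/><address addr="192.168.1.5" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_discovery(xml_text):
    """Return one dict per <host>: address, MAC (if ARP answered), state,
    Nmap's reason string, and a human-readable probe explanation."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        ipv4 = h.find("address[@addrtype='ipv4']")
        mac = h.find("address[@addrtype='mac']")
        reason = status.get("reason")
        hosts.append({
            "addr": ipv4.get("addr"),
            "mac": mac.get("addr") if mac is not None else None,
            "state": status.get("state"),
            "reason": reason,
            "probe": REASON_TO_PROBE.get(reason, "unrecognised reason: " + reason),
        })
    return hosts


def confirmed_live(hosts):
    """Addresses that actually answered a probe; -Pn assumptions are excluded."""
    return [h["addr"] for h in hosts if h["state"] == "up" and h["reason"] != "user-set"]


if __name__ == "__main__":
    parsed = parse_discovery(SAMPLE_XML)
    for h in parsed:
        print(f"{h['addr']:15} {h['state']:5} {h['reason']:13} {h['probe']}")
    print("confirmed live:", ", ".join(confirmed_live(parsed)))
```

To use this against a real sweep, run Nmap with `-oX` (for example `nmap -sn -PS22,80,443 -PA80 -PU53 -oX sweep.xml 192.168.1.0/24`) and pass the file contents to `parse_discovery`. Keeping the reason next to each address makes it obvious when a "live" host is only an artifact of -Pn.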
The Nmap Scripting Engine (NSE) allows users to automate network scanning tasks, detect vulnerabilities, and interact with services. NSE scripts can be used for:
NSE scripts are executed using the --script option. Scripts are stored in the Nmap directory under scripts/.
Example: Running a script to detect vulnerabilities in an HTTP service
nmap --script="http-vuln*" 192.168.1.1
This command runs all scripts whose names start with http-vuln, scanning for web vulnerabilities. The pattern is quoted so that the shell passes the * to Nmap instead of expanding it against files in the current directory.
Example: Checking for open SMB shares on a target
nmap --script=smb-enum-shares 192.168.1.1
This script retrieves a list of shared folders on a Windows or Samba server.
Nmap allows users to run multiple scripts at once by specifying categories or using wildcard searches.
Example: Running all default scripts on a target
nmap -sC 192.168.1.1
This executes all scripts categorized as "default," such as service detection and security checks.
Example: Running all vulnerability-related scripts
nmap --script=vuln 192.168.1.1
This runs scripts that check for known security vulnerabilities.
If an NSE script is not found, it may not be installed or located in the correct directory.
Solution: Update the script database.
nmap --script-updatedb
This refreshes Nmap’s script database.
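The selectors used above (a category such as vuln or default, an exact script name such as smb-enum-shares, or a wildcard such as http-vuln*) are all resolved against scripts/script.db, the index that --script-updatedb regenerates. The following is an added example, not part of the original page or of Nmap: it parses a constructed excerpt of script.db (the entry syntax is the one Nmap uses; the script names are real NSE scripts, but treat the categories listed as illustrative) and resolves a --script argument the way the examples above expect. It handles categories, names with or without .nse, wildcards and the special value all; Nmap's boolean expressions ("default and safe", "not intrusive") are deliberately left out.

```python
"""Resolve a --script selector against an Nmap script.db index.
Added example; not Nmap's own implementation."""
import re
from fnmatch import fnmatchcase

# One Entry per script, in the syntax Nmap writes to scripts/script.db.
# Constructed excerpt: real script names, categories shown for illustration.
SAMPLE_SCRIPT_DB = """
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Map script filename -> set of categories."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        db[m.group(1)] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def select_scripts(db, spec):
    """Expand a comma-separated --script value into the matching filenames.

    Each element may be a category ("vuln"), a script name with or without
    the .nse suffix ("smb-enum-shares"), a wildcard on the name ("http-vuln*"),
    or "all". Unknown selectors simply match nothing, which is exactly the
    situation --script-updatedb is meant to fix when a script is installed
    but not yet indexed.
    """
    chosen = set()
    for sel in (s.strip() for s in spec.split(",") if s.strip()):
        if sel == "all":
            chosen.update(db)
            continue
        stem = sel[:-4] if sel.endswith(".nse") else sel
        for fname, cats in db.items():
            if fnmatchcase(fname[:-4], stem) or sel in cats:
                chosen.add(fname)
    return sorted(chosen)


def unmatched_selectors(db, spec):
    """Selectors that resolve to no script: the usual cause of a
    'script not found' error before the database is refreshed."""
    return [s.strip() for s in spec.split(",")
            if s.strip() and not select_scripts(db, s.strip())]


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for spec in ("default", "vuln", "http-vuln*", "smb-enum-shares.nse,vuln"):
        print(f"--script={spec:28} -> {', '.join(select_scripts(db, spec))}")
    print("unmatched:", unmatched_selectors(db, "smb-enum-shares,no-such-script"))
```

Reading the real index with `open("/usr/share/nmap/scripts/script.db").read()` (the path varies by platform) shows immediately why `-sC` and `--script=default` run the same set, and `unmatched_selectors` reproduces the "script not found" condition that --script-updatedb resolves.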
Some scripts require elevated privileges. If a script fails due to permission issues, try running Nmap with sudo (on Linux/macOS) or as an administrator (on Windows).
Example:
sudo nmap --script=smb-os-discovery 192.168.1.1
This ensures the script runs with the necessary permissions.
Certain scripts may take a long time to complete, especially those performing brute-force attacks or scanning large networks.
Solution: Use a timeout to prevent scripts from running indefinitely.
nmap --script-timeout 30s --script="http-vuln*" 192.168.1.1
This sets a 30-second timeout for the script.
Some firewalls may detect and block NSE scripts, preventing them from running successfully.
Solution: Try running the script with an alternative scan method or adjusting scan timing.
nmap -sS --script=smb-os-discovery 192.168.1.1
Switching to a stealthier SYN scan (-sS) may bypass firewall restrictions.
| Method | Command | Best Used When |
|---|---|---|
| TCP SYN Ping | nmap -PS | ICMP is blocked, but TCP is allowed |
| TCP ACK Ping | nmap -PA | Firewalls allow ACK but block SYN |
| UDP Ping | nmap -PU | TCP/ICMP is blocked, but UDP is allowed |
| ARP Scan | nmap -PR | Scanning inside a local network |
| No Ping | nmap -Pn | Target is known to be online but blocks discovery |
| Run NSE script | nmap --script=script-name | Automating scanning and vulnerability detection |
| Run all default scripts | nmap -sC | Perform standard service and security checks |
| Update script database | nmap --script-updatedb | Refreshing NSE script library |
| Set script timeout | nmap --script-timeout 30s | Prevents long-running scans |