Ping Scan (-sP)
Requires Privileged Access: NO
Identifies TCP Ports: NO
Identifies UDP Ports: NO

The ping scan is one of the quickest scans that nmap performs, since no actual ports are queried. Unlike a port scan where thousands of packets are transferred between two stations, a ping scan requires only two frames. This scan is useful for locating active devices or determining if ICMP is passing through a firewall.



Ping Scan Operation
The ping scan sends a single ICMP echo request from the nmap station to the destination device and waits for the matching ICMP echo reply. Whether that reply arrives determines how nmap reports the host.

If the station isn't available on the network or a packet filter is preventing ICMP packets from passing, there will be no response to the echo frame:

Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.10]  ICMP: Echo
A response from an active host will return an ICMP echo reply, unless the IP address is not available on the network or ICMP is filtered.

Source          Destination     Summary
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.10]  ICMP: Echo
[192.168.0.10]  [192.168.0.8]   ICMP: Echo reply
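The two-frame exchange in the traces above can be reproduced offline. The following Python script is an added example, not code from the original text or from nmap: it builds an ICMP echo request with a valid RFC 1071 checksum, lets a simulated active host answer it with an echo reply, and classifies the outcome the way nmap does, including the case where no reply comes back and the host cannot be told apart from an ICMP filter. The addresses, identifier, sequence number and payload are constructed values; no packets are sent on a network.

```python
import struct
from typing import Optional

# ICMP type values for the two frames a ping scan exchanges (RFC 792).
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP header plus payload.
    Over a frame whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data to a whole 16-bit word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(frame: bytes) -> dict:
    """Decode an ICMP echo frame, rejecting short or corrupted frames."""
    if len(frame) < 8:
        raise ValueError("ICMP frame shorter than the 8-byte header")
    if icmp_checksum(frame) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", frame[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": frame[8:]}


def echo_responder(request: bytes) -> bytes:
    """Behave like an active, unfiltered host: answer an echo request with an
    echo reply carrying the same identifier, sequence number and payload."""
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def classify_host(request: bytes, reply: Optional[bytes]) -> str:
    """Interpret the exchange the way nmap reports it. A missing reply cannot
    be separated into 'host down' and 'ICMP filtered' from the scanner's side."""
    if reply is None:
        return "down or filtered"
    req, rep = parse_echo(request), parse_echo(reply)
    if rep["type"] == ICMP_ECHO_REPLY and (rep["id"], rep["seq"]) == (req["id"], req["seq"]):
        return "up"
    return "unrelated reply"


if __name__ == "__main__":
    # Constructed exchange modelled on the 192.168.0.8 -> 192.168.0.10 traces above.
    request = build_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=1, payload=b"nmap")
    print("active host:", classify_host(request, echo_responder(request)))
    print("no reply:   ", classify_host(request, None))
```

Only the identifier and sequence number tie a reply to its request, which is why the classifier checks both before reporting the host as up.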
The ping scan output is simple and straightforward:
# nmap -sP -v 192.168.0.10

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 12:40 EDT
Host 192.168.0.10 appears to be up.
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)
Nmap finished: 1 IP address (1 host up) scanned in 0.778 seconds
               Raw packets sent: 2 (68B) | Rcvd: 1 (46B)
#

Advantages of the Ping Scan
The ping scan is one of the most common scanning techniques, and network and server administrators use it every day to check device availability. The ICMP echo request is innocuous, and these frames are common on most networks. Unless many IP addresses are scanned at once, the ICMP echo request will probably go unnoticed.

A ping scan is also very fast, since there are only two frames required to complete the scan to an active workstation. The longest wait time during a ping scan will be the delay that occurs when an unavailable address is scanned.

If the ping scan is successful, then the ICMP protocol is not filtered between the source and destination. Because ICMP can be dangerous in the wrong hands, most security administrators will filter all ICMP packets on their network ingress and egress points.


Disadvantages of the Ping Scan
The ping scan cannot be combined with any other type of scan. If another scan type is specified on the command line together with a ping scan, nmap prints an error message and exits:
Sorry, the IPProtoscan, Listscan, and Pingscan (-sO, -sL, -sP) must currently be used alone rather than combined with other scan types.
QUITTING!
The ping scan doesn't provide a lot of information, other than availability and the filtered or unfiltered state of the communication path. Unfortunately, the ping scan can't determine if the lack of an ICMP reply is indicative of an ICMP-filtered connection or an inactive station at that IP address.


When to use the Ping Scan
Ping scans are extremely useful when building an inventory of available stations on a network. This inventory list can then be used to create more complex nmap scans, and some security managers will use these lists to determine if any unknown workstations are active on the network.
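The inventory use described above, as an added example that is not part of the original text or of nmap: this Python script parses the verbose ping scan output format shown earlier into a host list, then checks the live hosts against an expected IP-to-MAC inventory, flagging unknown stations, changed MAC addresses, and expected stations that did not answer. The scan output and the inventory are constructed samples (only the Supermicro address is taken from the page); MAC lines appear only when nmap scans its own LAN, so the parser treats them as optional.

```python
import re
from typing import Dict, List, Optional, Tuple

HOST_RE = re.compile(r"^Host (\S+) appears to be (up|down)\.$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")

# Constructed sample in the format "nmap -sP -v" prints (not a real capture).
SAMPLE_OUTPUT = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 12:40 EDT
Host 192.168.0.1 appears to be up.
MAC Address: 00:11:22:33:44:66 (Example Vendor)
Host 192.168.0.10 appears to be up.
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)
Host 192.168.0.20 appears to be down.
Host 192.168.0.77 appears to be up.
MAC Address: AA:BB:CC:DD:EE:FF (Unknown Vendor)
Nmap finished: 256 IP addresses (3 hosts up) scanned in 4.123 seconds
"""

# Constructed expected inventory: IP address -> MAC address the asset register lists.
KNOWN_ASSETS: Dict[str, str] = {
    "192.168.0.1": "00:11:22:33:44:55",
    "192.168.0.10": "00:30:48:11:AB:5A",
    "192.168.0.20": "00:11:22:33:44:77",
}


def parse_ping_scan(output: str) -> List[Dict[str, Optional[str]]]:
    """Turn nmap ping scan output into a list of {ip, state, mac, vendor} records."""
    hosts: List[Dict[str, Optional[str]]] = []
    for line in output.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            hosts.append({"ip": m.group(1), "state": m.group(2), "mac": None, "vendor": None})
            continue
        m = MAC_RE.match(line)
        if m and hosts:  # a MAC line belongs to the host reported just before it
            hosts[-1]["mac"] = m.group(1).upper()
            hosts[-1]["vendor"] = m.group(2)
    return hosts


def live_hosts(hosts: List[Dict[str, Optional[str]]]) -> List[str]:
    """IP addresses that answered the echo request."""
    return [h["ip"] for h in hosts if h["state"] == "up"]


def audit_inventory(hosts: List[Dict[str, Optional[str]]],
                    known: Dict[str, str]) -> Tuple[List[str], List[Tuple[str, str, str]], List[str]]:
    """Compare the scan with the asset register. Returns (unknown live IPs,
    (ip, expected MAC, observed MAC) mismatches, expected IPs that did not answer).
    A non-answering IP may be switched off or behind an ICMP filter; the scan
    cannot tell which."""
    seen = {h["ip"]: h["mac"] for h in hosts if h["state"] == "up"}
    unknown = [ip for ip in seen if ip not in known]
    mismatches = [(ip, known[ip].upper(), mac) for ip, mac in seen.items()
                  if ip in known and mac is not None and mac != known[ip].upper()]
    missing = [ip for ip in known if ip not in seen]
    return unknown, mismatches, missing


if __name__ == "__main__":
    parsed = parse_ping_scan(SAMPLE_OUTPUT)
    unknown, mismatches, missing = audit_inventory(parsed, KNOWN_ASSETS)
    print("live hosts:    ", live_hosts(parsed))
    print("unknown hosts: ", unknown)
    print("MAC changes:   ", mismatches)
    print("not answering: ", missing)
```

Hosts in the "not answering" list are the ones to check by another scan type, since a ping scan alone cannot distinguish an inactive station from a filtered path.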

Because ping scans only provide uptime information, they are usually performed when more detailed port information is unnecessary. If more detailed information is needed, a different scan type may be a better choice.

ICMP can be used for very evil purposes! If it's not filtered on your firewall, the potential exists for some very malicious activity.

Don't expect the ping scan to work through a firewall. If it does work, the network may be more open than usual on the inside!