ICMP Echo Request and TCP ACK Ping (-PB)

THIS OPTION HAS BEEN DEPRECATED
If a specific ping type is not specified on the command line, the default nmap ping is used. This default ping consists of an ICMP echo request followed by a TCP ACK.

clock
The TCP ACK is always sent, even if an ICMP echo response is received from the remote device before the TCP ACK is sent.


The –PB option refers to the default combination of an ICMP echo request and a TCP ACK. This option is being phased out in favor of a separate ICMP echo request ping option (-PE) and a separate TCP ACK ping option (-PA). Now that these ping methods have separate options, they can be used independently of each other or in combination with other ping options. With this added flexibility, this –PB option that combines the ping methods is redundant and unnecessary for future use.


ICMP Echo Request and TCP ACK Ping Operation
The ICMP echo request and TCP ACK requests are both sent together and nmap waits to receive a reply from one or both of the requests:

PB_ping
Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.5] [192.168.0.3] ICMP: Echo
[192.168.0.5] [192.168.0.3] TCP: D=80 S=43162     ACK=1866185566 WIN=1024
[192.168.0.3] [192.168.0.5] ICMP: Echo reply
[192.168.0.3] [192.168.0.5] TCP: D=43162 S=80 RST WIN=0
Advantages of the ICMP Echo Request and TCP ACK Ping
The ICMP echo request and TCP ACK ping is a good all-purpose ping. This ping will obtain a response from all devices if the path is clear for ICMP, and it will get a response from a remote device if port 80 is not filtered. Since most packet filters allow port 80, there's a good possibility that this packet will get through.


clock
It doesn't matter that a remote station isn't running a web server on port 80, since all stations receiving a 'surprise' ACK packet will reply with a RST frame!



Disadvantages of the ICMP Echo Request and TCP ACK Ping
ICMP is often filtered through firewalls or packet filters. This random ACK ping through a stateful firewall won't usually garner a response. In some cases, a scan against a series of hosts may not return any available systems because the default ping couldn't traverse the firewall.


When to use the ICMP Echo Request and TCP ACK Ping
DON'T USE THIS OPTION. The –PB option has been deprecated, which means that this option will be eventually phased out in a future release of nmap. It still works in nmap 3.81, but its future availability isn't guaranteed. As a replacement, use both the ICMP echo request ping (-PE) and TCP ACK ping (-PA) options together on the nmap command line.