ICMP Address Mask Ping (-PM)

An ICMP address mask request (ICMP type 17, defined in RFC 950) is an antiquated ICMP method that asks an IP gateway for the subnet mask in use on the local IP subnet; the gateway answers with an ICMP address mask reply (type 18). This ICMP type is extremely rare today, and the traffic pattern is very obvious in network traces.

ICMP Address Mask Ping Operation
The ICMP address mask ping operates by sending an ICMP address mask request to a remote device. If this device is configured to reply to the ICMP address mask, it will send an ICMP address mask reply:

Source         Destination    Summary
[]             []             ICMP: C Get address mask
[]             []             ICMP: R Address mask = []
If the remote device isn't active or the remote device does not respond to ICMP address mask requests, no response will be seen and the ping will fail.
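The exchange above, as an added example that is not part of the original page or of Nmap's own code: it builds the ICMP address mask request that -PM sends, builds and validates the reply a cooperating stack returns, and prints each frame the way the trace above summarizes it. The RFC 950 message layout (type, code, checksum, identifier, sequence number, 4-byte mask) and the RFC 1071 checksum are real; the addresses, identifier, sequence number and mask are constructed sample values, and the IPv4 wrapper leaves the IP header checksum at zero because this parser never verifies it. Nothing is sent on the wire, so it runs offline.

```python
"""Build, validate and summarize ICMP address mask request/reply messages.

Added example (not from the original page). Constructed sample data only;
no packets are transmitted.
"""
import ipaddress
import struct

ICMP_ADDRESS_MASK_REQUEST = 17   # RFC 950: "C Get address mask" in the trace
ICMP_ADDRESS_MASK_REPLY = 18     # RFC 950: "R Address mask = ..." in the trace
ICMP_HEADER = "!BBHHH"           # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _icmp_message(icmp_type: int, ident: int, seq: int, mask: bytes) -> bytes:
    """Assemble a 12-byte type 17/18 message with a correct checksum."""
    body = struct.pack(ICMP_HEADER, icmp_type, 0, 0, ident, seq) + mask
    csum = icmp_checksum(body)
    return struct.pack(ICMP_HEADER, icmp_type, 0, csum, ident, seq) + mask


def build_address_mask_request(ident: int, seq: int) -> bytes:
    """Type 17: the probe Nmap's -PM sends. The mask field is zero on request."""
    return _icmp_message(ICMP_ADDRESS_MASK_REQUEST, ident, seq, b"\x00" * 4)


def build_address_mask_reply(ident: int, seq: int, mask: str) -> bytes:
    """Type 18: what an old or unprotected stack answers, carrying its mask."""
    return _icmp_message(ICMP_ADDRESS_MASK_REPLY, ident, seq,
                         ipaddress.IPv4Address(mask).packed)


def parse_address_mask_reply(icmp: bytes):
    """Validate a reply; return (ident, seq, dotted mask) or raise ValueError.

    A checksum recomputed over a message that already carries its checksum
    must come out as zero, so anything else means corruption or a forgery.
    """
    if len(icmp) < 12:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _csum, ident, seq = struct.unpack(ICMP_HEADER, icmp[:8])
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp_type != ICMP_ADDRESS_MASK_REPLY or code != 0:
        raise ValueError("not an address mask reply: type %d code %d" % (icmp_type, code))
    return ident, seq, str(ipaddress.IPv4Address(icmp[8:12]))


def wrap_ipv4(src: str, dst: str, icmp: bytes) -> bytes:
    """Minimal IPv4 header (protocol 1 = ICMP); IP checksum left at zero (assumption:
    the parser below does not check it, so it is not computed here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + icmp


def trace_summary(ip_packet: bytes) -> str:
    """Summarize an IPv4 frame the way the analyzer trace above does; a trace
    filter keying on ICMP types 17/18 is all it takes to spot -PM traffic."""
    ihl = (ip_packet[0] & 0x0F) * 4
    src = ipaddress.IPv4Address(ip_packet[12:16])
    dst = ipaddress.IPv4Address(ip_packet[16:20])
    if ip_packet[9] != 1:
        return "%s -> %s IP proto %d" % (src, dst, ip_packet[9])
    icmp = ip_packet[ihl:]
    if icmp[0] == ICMP_ADDRESS_MASK_REQUEST:
        return "%s -> %s ICMP: C Get address mask" % (src, dst)
    if icmp[0] == ICMP_ADDRESS_MASK_REPLY:
        _, _, mask = parse_address_mask_reply(icmp)
        return "%s -> %s ICMP: R Address mask = %s" % (src, dst, mask)
    return "%s -> %s ICMP type %d" % (src, dst, icmp[0])


if __name__ == "__main__":
    # Constructed sample exchange: scanner 192.0.2.10 probes gateway 192.0.2.1.
    req = wrap_ipv4("192.0.2.10", "192.0.2.1", build_address_mask_request(0xABCD, 1))
    rep = wrap_ipv4("192.0.2.1", "192.0.2.10",
                    build_address_mask_reply(0xABCD, 1, "255.255.255.0"))
    for frame in (req, rep):
        print(trace_summary(frame))
```

Feeding the same bytes through `parse_address_mask_reply` after flipping a single byte raises `ValueError`, which is the check a scanner needs before trusting a mask value: the identifier and sequence number tie a reply to the request that caused it, and the checksum rejects damaged or spoofed answers.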

If nmap is not running as a privileged user, the -PM option produces the following warning:

Warning: You are not root -- using TCP pingscan rather than ICMP

The ping process then continues with a TCP connect()-style ping.

Again, with the connect()-style ping! Watch out for this if you're scanning web servers!

Advantages of the ICMP Address Mask Ping
A successful ICMP address mask ping can be indicative of an older or unprotected TCP/IP stack or gateway. Most modern operating systems and routers will not respond to this request at all, or at the very least will not respond to it from systems that are not on the same subnet. This makes the ping useful as a filtering mechanism: it singles out the systems on the network that have older or unusually open TCP/IP protocol stacks.

ICMP doesn't rely on any particular networking service or application. The IP stack itself answers an ICMP request, so a system can respond without having any open or available ports.

Disadvantages of the ICMP Address Mask Ping
An ICMP address mask request is an unusual frame, and it's rarely seen in normal network traffic. When looking at network trace files, the ICMP frames requesting address masks are very obvious.

This ICMP ping type doesn't work on most modern systems, which means that this ping will often fail. If it's important to find active systems, this method won't provide a high percentage of successful pings.

This ping type won't work at all unless the nmap user is privileged. If the nmap user isn't privileged, the ping type silently changes to a TCP connect()-style ping. Although a warning is printed when this occurs, there's no option to stop the scan. Since this ping type doesn't accept a port list, the substituted TCP connect()-style ping will only run against the default port of 80. If there's an active web server on the destination station, this uncontrolled change will complete a full TCP handshake with it, so the remote device sees a real application session rather than a half-open probe.

ICMP is a difficult protocol to get through firewalls and packet filters, and an address mask request is among the ICMP types most likely to be dropped. Since ICMP is so often filtered, this ping has a low success rate through firewalls.

When to use the ICMP Address Mask Ping
The ICMP address mask ping is useful on networks that contain older operating systems or gateways.

The successful ping trace shown above was performed against a system using an older version of the VxWorks operating system.

This address mask ping is only useful on networks that allow for the free flow of ICMP frames. If the link contains firewalls or packet filters, a better choice would be a non-ICMP-based ping type.

If the nmap user is non-privileged, this ping type will revert to a TCP connect()-style ping. Since this ping type doesn't allow port specifications, a better choice for non-privileged users is the TCP ACK ping (-PA) or the TCP SYN ping (-PS), both of which accept an explicit port list.