When we scan our target machine(s), nmap is almost always the first tool most of us (pentesters, researchers, engineers, etc.) reach for.
We use nmap so often that everybody has his or her own favorite nmap options and arguments. In my case, I tend to keep the “-Pn” option on almost all the time. Do you as well?
In this article, I want to briefly analyze the trade-offs of using the -Pn option.
By default, nmap first runs host discovery (the “ping scan”) and only performs heavy probing such as port scans, version detection or OS detection against hosts that were found to be up.
To change this behavior, we use the option -Pn (no ping). With this option, nmap skips host discovery entirely and carries on with its other functions as if every target were online.
Let’s work through four scenarios to see the differences. Our scenarios will have the following rules and setup:
- We will use Wireshark to capture packets, to see how the behavior changes with and without the -Pn option.
- We will limit the number of scanned ports to 5, using the “--top-ports=5” option.
- Target#1 will have IP address 192.168.191.10. This target is up and responds to ping.
- Target#2 will have IP address 192.168.191.44. This target is down.
- Our test machine has IP address 192.168.119.191, so it is not on the targets’ local Ethernet segment. This matters: for targets on the same segment, a privileged nmap does host discovery with ARP requests instead of the ICMP and TCP probes we will see below.
- We will run nmap with “sudo”. Raw-socket privileges also decide which discovery probes nmap uses; an unprivileged nmap falls back to TCP connect() attempts to ports 80 and 443.
Scenario#1: Target#1 scan, default behavior (without -Pn):
- Command (terminal screenshot in the original): sudo nmap --top-ports=5 192.168.191.10
- Wireshark packets (screenshot in the original):
- Observed results: Target#1 responds to the host discovery packets, which are an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (nmap’s default discovery set for a privileged scan of a non-local host). Since the target is up, nmap proceeds by default to port probing and sends SYN packets to the top 5 TCP ports (21, 22, 23, 80 and 443). In this capture each port is probed twice. Note that nmap only retransmits a probe that received no answer; a port replying with SYN/ACK or RST is probed once, so these five ports were evidently silent (filtered) on Target#1.
Scenario#2: Target#1 scan with -Pn option:
- Command (terminal screenshot in the original): sudo nmap -Pn --top-ports=5 192.168.191.10
- Wireshark packets (screenshot in the original):
- Observed results: We see no host discovery packets (no ICMP echo request, TCP SYN to port 443, TCP ACK to port 80 or ICMP timestamp request). This is expected: with -Pn we tell nmap to skip that step and start directly with port probing. Nmap sends probes to the top 5 TCP ports (21, 22, 23, 80 and 443), each port again probed twice. The total number of packets is therefore lower than in Scenario#1 by exactly the four discovery probes.
Scenario#3: Target#2 scan, default behavior (without -Pn):
- Command (terminal screenshot in the original): sudo nmap --top-ports=5 192.168.191.44
- Wireshark packets (screenshot in the original):
- Observed results: This looks different from both Scenario#1 and Scenario#2. Nmap sends the host discovery probes, gets no response, and retransmits each discovery probe once, so every discovery packet appears twice, whereas in Scenario#1 the first round was answered and sent only once. Since the target appears to be down, nmap never probes the top 5 ports. Finally, nmap prints a hint on the terminal: “Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn” (see the Command screenshot).
Scenario#4: Target#2 scan, with -Pn:
- Command (terminal screenshot in the original): sudo nmap -Pn --top-ports=5 192.168.191.44
- Wireshark packets (screenshot in the original):
- Observed results: Nmap skips the host discovery stage because of “-Pn” and jumps directly to port probing of the top 5 TCP ports. Each port is probed twice and nothing comes back from the target. Because -Pn told nmap to assume the host is online, nmap has no way to tell a dead address from a live host that silently drops everything: the ports are reported as filtered and the address is still listed as up, and every one of those probes had to wait for a timeout before being retransmitted and finally given up on.
If we had not limited the number of probed ports to 5, the scan would have taken much longer than the 3–5 seconds seen here; against a dead or silent host with -Pn, every probe to every port has to time out and be retransmitted before nmap gives up. We limited the ports for the purpose of our analysis.
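To see how these four per-host outcomes add up across a whole address range, which is where the trade-off actually bites, here is a small Python model. It is an added example, not code from this article or from nmap; it only encodes the packet counts observed in the four captures above (4 discovery probes, 5 ports, an unanswered probe sent a second time). It assumes that Target#1’s five ports were silent (which is why they were probed twice), and the retry factor of exactly two is taken from these captures rather than being a fixed property of nmap’s timing engine. The sample range is constructed.

```python
"""Probe budget of nmap's default host discovery versus -Pn.

Added illustration for this article; it is not code from the article or
from nmap. It encodes the behaviour observed in the four captures above:
  - default discovery against a non-local host (privileged scan): 4 probes
    (ICMP echo request, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request)
  - a host that answers none of them is declared down and its ports are
    never probed; a host that does answer gets the port probes
  - --top-ports=5 -> TCP ports 21, 22, 23, 80 and 443
  - a probe that gets no answer is sent a second time
ASSUMPTION: the retry factor of exactly 2 is what the captures showed; nmap's
timing engine can retransmit more or fewer times, so treat this as a model.
"""
from dataclasses import dataclass

DISCOVERY_PROBES = 4          # ICMP echo, TCP SYN/443, TCP ACK/80, ICMP timestamp
SENDS_WHEN_UNANSWERED = 2     # ASSUMPTION: an unanswered probe is sent twice (as observed)
TOP_5_PORTS = (21, 22, 23, 80, 443)


@dataclass(frozen=True)
class Host:
    up: bool                    # is there a machine at this address at all?
    answers_ping: bool = True   # replies to the discovery probes (if up)
    answers_ports: bool = True  # ports reply SYN/ACK or RST (if up); False = filtered


def probes_for_host(host: Host, skip_discovery: bool, ports=TOP_5_PORTS) -> int:
    """Number of probes nmap sends to one address under the article's rules."""
    sent = 0
    if not skip_discovery:
        discovered = host.up and host.answers_ping
        # Scenario 1: answered, sent once; Scenario 3: unanswered, sent twice.
        sent += DISCOVERY_PROBES * (1 if discovered else SENDS_WHEN_UNANSWERED)
        if not discovered:
            return sent  # "Host seems down": nmap stops here, ports untouched
    # Scenarios 1, 2 and 4: the port probes. nmap retransmits only probes
    # that got no reply, so responsive ports cost one packet each.
    replied = host.up and host.answers_ports
    sent += len(ports) * (1 if replied else SENDS_WHEN_UNANSWERED)
    return sent


def scan_budget(hosts, skip_discovery: bool):
    """(total probes, live hosts whose ports were never scanned) for a range."""
    total = sum(probes_for_host(h, skip_discovery) for h in hosts)
    missed = sum(1 for h in hosts
                 if h.up and not h.answers_ping and not skip_discovery)
    return total, missed


def sample_range():
    """Constructed /24-like range: 10 normal hosts, 2 that drop ping, 242 unused."""
    return ([Host(up=True)] * 10
            + [Host(up=True, answers_ping=False)] * 2
            + [Host(up=False)] * 242)


if __name__ == "__main__":
    t1 = Host(up=True, answers_ports=False)   # the article's Target#1 (ports silent)
    t2 = Host(up=False)                       # the article's Target#2
    for name, h in (("Target#1", t1), ("Target#2", t2)):
        print(f"{name}: default={probes_for_host(h, False):3d} packets, "
              f"-Pn={probes_for_host(h, True):3d} packets")
    for skip in (False, True):
        total, missed = scan_budget(sample_range(), skip)
        print(f"{'-Pn' if skip else 'default':7s}: {total} probes, "
              f"{missed} live host(s) never port-scanned")
```

The two Target lines reproduce the four captures (14, 10, 8 and 10 packets). For the constructed range, -Pn costs about a fifth more packets, and each unanswered probe also costs a timeout in wall-clock time, but it is the only setting that port-scans the two hosts that drop ping. Swap in your own mix of live, silent and unused addresses to decide which side of the trade-off matters for a given engagement.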
I hope it is now a little clearer what behavior to expect with -Pn: it guarantees that hosts which drop our ping probes still get port-scanned, at the price of spending a full port scan, with retransmissions and timeouts, on every address that is actually unused or silent. On a sparsely populated range, pair it with a small port list or a tight host list, or reserve it for the few hosts you already know are hiding. Use it responsibly.