From 7375c0520d1bcf615327fb87272a81a624104725 Mon Sep 17 00:00:00 2001 From: dmiller Date: Tue, 15 Sep 2020 23:29:05 +0000 Subject: [PATCH] Improve docs on -Pn and host discovery "Host discovery" is the preferred term over "ping scan" because of confusion with ICMP Echo Request, a.k.a. "ping" as used by the "ping" utility. Warn when users use -Pn because it has negative impact on scan times since ultrascan timing parameters fall back to slow initial defaults. --- docs/refguide.xml | 30 ++++++++++++++++-------------- nmap.cc | 1 + 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/docs/refguide.xml b/docs/refguide.xml index be3abedef..09bc7b585 100644 --- a/docs/refguide.xml +++ b/docs/refguide.xml @@ -352,8 +352,8 @@ you would expect. discovery is sometimes called ping scan, but it goes well beyond the simple ICMP echo request packets associated with the ubiquitous ping tool. Users can skip - the ping step entirely with a list scan () or - by disabling ping (), or engage the network + the discovery step entirely with a list scan () or + by disabling host discovery (), or engage the network with arbitrary combinations of multi-port TCP SYN/ACK, UDP, SCTP INIT and ICMP probes. The goal of these probes is to solicit responses which demonstrate that an IP address is actually active @@ -400,7 +400,7 @@ you would expect. probes (). Read about the option to learn how to perform only host discovery, or use to skip host - discovery and port scan all target hosts. The following options + discovery and port scan all target addresses. The following options control host discovery: 
@@ -429,10 +429,10 @@ you would expect. Since the idea is to simply print a list of target hosts, options for higher level functionality such as port - scanning, OS detection, or ping scanning cannot be combined - with this. If you wish to disable ping scanning while still + scanning, OS detection, or host discovery cannot be combined + with this. If you wish to disable host discovery while still performing such higher level functionality, read up on the - (skip ping) option. + (skip host discovery) option. @@ -440,6 +440,7 @@ you would expect. (No port scan) + host discovery ping scan port scandisabling with @@ -473,8 +474,7 @@ you would expect. are used unless was specified. The option can be combined with any of the - discovery probe types (the options, - excluding ) for greater flexibility. + discovery probe types (the options) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the @@ -498,9 +498,10 @@ you would expect. host discoverydisabling - This option skips the Nmap discovery stage altogether. + This option skips the host discovery stage altogether. Normally, Nmap uses this stage to determine active machines - for heavier scanning. By default, Nmap only performs heavy + for heavier scanning and to gauge the speed of the network. + By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with causes Nmap to 
@@ -511,10 +512,11 @@ you would expect. Proper host discovery is skipped as with the list scan, but instead of stopping and printing the target list, Nmap continues to perform requested functions as if each target - IP is active. To skip ping scan and port + IP is active. Default timing parameters are used, which may result in + slower scans. To skip host discovery and port scan, while still allowing NSE to run, use the two options together. - + For machines on a local ethernet network, ARP scanning will still be performed (unless or is specified) because Nmap needs @@ -3159,7 +3161,7 @@ lists the relevant options and describes what they do. The option causes the requested scan (including - ping scans) to use tiny fragmented IP packets. The idea + host discovery scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are @@ -3245,7 +3247,7 @@ services. (so the decoy networks don't see you in their nameserver logs). Right now random IP address generation is only supported with IPv4 - Decoys are used both in the initial ping scan (using + Decoys are used both in the initial host discovery scan (using ICMP, SYN, ACK, or whatever) and during the actual port scanning phase. Decoys are also used during remote OS detection (). Decoys do not work with diff --git a/nmap.cc b/nmap.cc index d3d95d680..688fbe361 100644 --- a/nmap.cc +++ b/nmap.cc @@ -1189,6 +1189,7 @@ void parse_options(int argc, char **argv) { Snprintf(buf, 3, "P%c", *optarg); delayed_options.warn_deprecated(buf, "Pn"); } + error("Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower."); o.pingtype |= PINGTYPE_NONE; } else if (*optarg == 'R') {
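Review bot: in the nmap.cc hunk, the new message "All addresses will be marked 'up'" overstates what -Pn does for the local-Ethernet case that the refguide hunk for -Pn itself describes: ARP scanning is still performed there (unless the options named in that paragraph are given), so hosts can still come back down; consider "will be treated as up" or an explicit qualification. The call is also inconsistent with the deprecation warning two lines above it, which goes through delayed_options.warn_deprecated and is therefore emitted once after output handling is set up, whereas this error() fires immediately inside the per-option branch and so repeats for every -Pn on the command line; routing it through the same delayed mechanism (and giving it the usual "WARNING:" prefix) would fix both. Finally, "scan times will be slower" is categorical while the refguide text added in the same patch hedges with "may result in slower scans"; pick one wording.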
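Review bot: in the refguide hunk at @@ -511, "Default timing parameters are used, which may result in slower scans" gives the reader the cost but neither the cause nor the remedy. The commit message has the cause (with no host discovery there are no round-trip measurements, so ultrascan falls back to its conservative initial timing defaults); put that sentence in the text, and add a cross-reference to the timing and performance options so a reader who needs -Pn knows how to compensate rather than just being told it will be slow.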