Friday 24 June 2011 23:22 Tom Decaluwé

how nmap finds hosts on a local network

Yesterday afternoon I gave an overdrive session on how to use Nmap to discover hosts, ports, services and OSes on your network. Initially I had 45 minutes to present the session, which is too short for any real session, but in the end I spent about 70 minutes with a fantastic group of about 20 minutes and, seeing as nobody left the session, I’m guessing all enjoyed :-)

In any case, one question that was asked was how Nmap can detect a host if it’s firewalled. A very valid question, and I touched on this very briefly but did not have time to demo this in real time, so I thought it would only be courtesy to show how it works in a blog post.

To show you this I ran the Nmap scans from my Linux-based box against a fully patched win7 SP1 in three different scenarios:


In scenario 1 I ran the Nmap scan to port 80 against a system with a webserver running and no firewall. This would be a typical scan of an open port.

What you can see here is Nmap sending its SYN packet and getting a SYN/ACK packet back from the win7 machine, and then the Nmap client neatly ending the TCP session with a RST.

The end result is Nmap knows the host is up and knows the port is active.


In scenario 2 I ran the Nmap scan to port 80 on the same system but stopped the webserver before running the scan. The firewall was still not on, so the system was open; it just didn’t have a service on that port.

What you see is Nmap sending its SYN packet to the destination and the destination replying back to the Nmap client with a RST packet. As mentioned during my talk yesterday, this is the great thing about Nmap. Even what seems to be a negative response at first is actually positive: by sending the RST packet the destination confirmed it was up and that no service is on port 80, so at least we are 100% sure the host is up.

The end result is Nmap knows the host is up and knows the port is inactive.


Scenario 3 is where I start firewalling the host. I have configured my firewall to block port 80 (standard win7 firewall).

What you see is Nmap sending its SYN packet to the destination host, getting no reply and retrying a second time, still not getting any reply.

The end result, however, is still Nmap indicating the host is up and the port is filtered. Filtered means Nmap knows the host is active but it did not respond in any way to its scan packet, so it knows the port is not just inactive but is being filtered by some kind of firewall, as TCP logic would dictate that a port that is not active should respond with a RST packet, just like scenario 2.

But how did Nmap know the host was up when we got no response? The proof is in the packets.


As explained yesterday, when you run Nmap on a local network it will always do an ARP in the background to the host, as this is the fastest, easiest and most certain way to detect hosts on a network. (Nmap did this in all scenarios, but I filtered out the traffic to clarify it didn’t need ARP in the previous two scenarios.)

The most important thing I wanted to point out yesterday is that even win7’s advanced firewall with all its gifts does not stop host discovery through ARP, as just about all host-based firewalls operate at OSI layer 3 and 4 and just allow ARP traffic.
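The three captures above can be reduced to a small classifier. This is an added example, not code from the original post or from Nmap: it builds constructed reply frames for each scenario and derives host and port state from them, showing that the ARP reply is a layer 2 frame with no IP or TCP header. The addresses, MACs, source port 40000 and the labels `tcp-response`, `unknown` and `host-down` are assumptions.

```python
import struct

# Constructed sample addresses (documentation range), not taken from the post.
SCANNER_MAC, TARGET_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SCANNER_IP, TARGET_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])

def eth(ethertype, payload):  # Ethernet II frame, target -> scanner
    return SCANNER_MAC + TARGET_MAC + struct.pack("!H", ethertype) + payload

def arp_reply():
    """ARP reply (oper=2): EtherType 0x0806, carries no IP or TCP header."""
    return eth(0x0806, struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
               + TARGET_MAC + TARGET_IP + SCANNER_MAC + SCANNER_IP)

def tcp_reply(sport, flags):
    """IPv4/TCP reply with the given flag byte; checksums left at 0."""
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0, 0, 128, 6, 0) + TARGET_IP + SCANNER_IP
    tcp = struct.pack("!HHIIBBHHH", sport, 40000, 0, 1, 5 << 4, flags, 8192, 0, 0)
    return eth(0x0800, ip + tcp)

def classify(frames, target_ip, port):
    """Return (host_up, host_reason, port_state, port_reason) for reply frames."""
    host_up, host_reason, state, reason = False, "no-response", "filtered", "no-response"
    for f in frames:
        (ethertype,) = struct.unpack("!H", f[12:14])
        if ethertype == 0x0806:  # layer 2: ARP, below where host firewalls filter
            (oper,) = struct.unpack("!H", f[20:22])
            if oper == 2 and f[28:32] == target_ip:  # reply from target's IP
                host_up, host_reason = True, "arp-response"
        elif ethertype == 0x0800 and f[23] == 6 and f[26:30] == target_ip:
            tcp = f[14 + (f[14] & 0x0F) * 4:]  # skip IPv4 header (IHL in words)
            if struct.unpack("!H", tcp[:2])[0] != port:
                continue
            if not host_up:  # any TCP reply also proves the host is up
                host_up, host_reason = True, "tcp-response"
            if (tcp[13] & 0x12) == 0x12:  # SYN+ACK: something is listening
                state, reason = "open", "syn-ack"
            elif tcp[13] & 0x04:          # RST: host answered, nothing listening
                state, reason = "closed", "reset"
    if not host_up:  # silence on every layer: nothing can be said about the port
        state, reason = "unknown", "host-down"
    return host_up, host_reason, state, reason

SCENARIOS = {1: [arp_reply(), tcp_reply(80, 0x12)],   # web server, no firewall
             2: [arp_reply(), tcp_reply(80, 0x14)],   # no web server: RST/ACK
             3: [arp_reply()]}                        # firewall drops the SYN

if __name__ == "__main__":
    print({n: classify(f, TARGET_IP, 80) for n, f in SCENARIOS.items()})
```

In scenario 3 the only frame that comes back is the ARP reply, which is enough to mark the host as up while the port stays filtered.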

The security impact of this is of course very low compared to an unpatched, non-firewalled system, but it does go a long way in proving Nmap’s power to discover hosts in just about any scenario.