ICMP Address Mask Scan (`-PM`) with Nmap
Introduction
Network reconnaissance is a critical step in ethical hacking, penetration testing, and cybersecurity assessments. One of the tools widely used for network discovery and scanning is Nmap (Network Mapper). Among its many scanning techniques, the ICMP Address Mask Scan (`-PM`) is a lesser-known but potentially useful method for gathering information about a target network.
This article will cover the ICMP Address Mask Scan, its purpose, how it works, its practical applications, and considerations for its effectiveness.
What is an ICMP Address Mask Scan?
ICMP (Internet Control Message Protocol) is primarily used for diagnostic and error-reporting functions in network communications. The ICMP Address Mask Request and Reply messages (ICMP Type 17 and Type 18, respectively) were originally designed to allow a host to determine the subnet mask of a network. This information could then be used to properly configure network interfaces.
However, with the advent of Classless Inter-Domain Routing (CIDR) and DHCP, the usage of ICMP Address Mask messages has significantly declined. Modern networks rarely respond to these requests due to security policies and firewall configurations.
Nmap provides the `-PM` option to send an ICMP Address Mask Request to a target host and determine whether it responds. If a reply is received, the response may contain the network’s subnet mask, offering insight into the network’s topology.
How ICMP Address Mask Scan Works
When `nmap -PM` is executed, Nmap sends an ICMP Address Mask Request (Type 17) packet to the target system. The expected response is an ICMP Address Mask Reply (Type 18) packet containing the subnet mask of the responding host.
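As an added illustration of the exchange just described (example code written for this article, not Nmap's own implementation), the following builds the 12-byte ICMP Address Mask Request that `-PM` sends, validates a Type 18 reply, and turns the returned mask into a prefix length. The reply builder is a stand-in for a legacy host so that the example runs offline; the identifier, sequence and mask values are constructed.

```python
import struct

# ICMP message types defined in RFC 950
ICMP_ADDRESS_MASK_REQUEST = 17
ICMP_ADDRESS_MASK_REPLY = 18

# Wire layout: type(1) code(1) checksum(2) identifier(2) sequence(2) mask(4) = 12 bytes
MASK_MSG = struct.Struct("!BBHHHI")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a message whose checksum field
    is already correct it returns 0, which is how a reply is verified below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_address_mask_request(ident: int, seq: int) -> bytes:
    """The Type 17 message `nmap -PM` sends. The mask field is zero in a request."""
    unchecked = MASK_MSG.pack(ICMP_ADDRESS_MASK_REQUEST, 0, 0, ident, seq, 0)
    return MASK_MSG.pack(ICMP_ADDRESS_MASK_REQUEST, 0, icmp_checksum(unchecked), ident, seq, 0)


def build_address_mask_reply(request: bytes, mask: int) -> bytes:
    """Constructed stand-in for a legacy host that still answers: it echoes the
    identifier and sequence of the request and fills in its own subnet mask."""
    _, _, _, ident, seq, _ = MASK_MSG.unpack(request[:MASK_MSG.size])
    unchecked = MASK_MSG.pack(ICMP_ADDRESS_MASK_REPLY, 0, 0, ident, seq, mask)
    return MASK_MSG.pack(ICMP_ADDRESS_MASK_REPLY, 0, icmp_checksum(unchecked), ident, seq, mask)


def mask_to_prefix(mask: int) -> int:
    """Prefix length of a contiguous 32-bit mask; a mask with holes is rejected."""
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous subnet mask 0x%08x" % mask)
    return prefix


def parse_address_mask_reply(packet: bytes, expected_ident=None) -> dict:
    """Validate a Type 18 reply and return its fields, with the mask both in
    dotted form and as a prefix length. Raises ValueError on anything malformed."""
    if len(packet) < MASK_MSG.size:
        raise ValueError("ICMP message too short for an address mask reply")
    body = packet[:MASK_MSG.size]
    icmp_type, code, _, ident, seq, mask = MASK_MSG.unpack(body)
    if icmp_type != ICMP_ADDRESS_MASK_REPLY:
        raise ValueError("expected ICMP type 18, got %d" % icmp_type)
    if icmp_checksum(body) != 0:
        raise ValueError("bad ICMP checksum")
    if expected_ident is not None and ident != expected_ident:
        raise ValueError("reply identifier does not match our request")
    dotted = ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return {"ident": ident, "seq": seq, "code": code,
            "mask": dotted, "prefix": mask_to_prefix(mask)}


if __name__ == "__main__":
    req = build_address_mask_request(ident=0x1234, seq=1)          # constructed values
    reply = build_address_mask_reply(req, 0xFFFFFF00)              # 255.255.255.0
    print(parse_address_mask_reply(reply, expected_ident=0x1234))
```

The parser checks the three things a careless one would skip: the message type, the one's-complement checksum, and that the identifier matches the request that was sent, so a stray or forged Type 18 message is not taken as an answer from the probed host. The prefix-length conversion is what turns a mask such as 255.255.255.0 into the /24 that tells you the size of the range.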
Syntax of `-PM` Scan
The basic syntax of an ICMP Address Mask Scan is:
```bash
nmap -PM <target>
```
Example Usage
Scanning a Single Target
```bash
nmap -PM 192.168.1.1
```
This sends an ICMP Address Mask Request to `192.168.1.1` and waits for a response.
Scanning Multiple Targets
```bash
nmap -PM 192.168.1.1 192.168.1.2 192.168.1.3
```
This sends requests to multiple hosts in the same network.
Scanning an Entire Subnet
```bash
nmap -PM 192.168.1.0/24
```
This attempts to retrieve address mask responses from every device in the `192.168.1.0/24` subnet.
Analyzing the Output
When an ICMP Address Mask Reply is received, it may look something like this:
```
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
Address Mask: 255.255.255.0
```
This tells us that the host is up and is using a 255.255.255.0 subnet mask.
If no response is received, the output may show:
```
Nmap done: 1 IP address (0 hosts up) scanned in 2.50 seconds
```
This suggests that the target host is either not responding to ICMP Address Mask Requests or the requests are being filtered by a firewall.
Practical Applications
While ICMP Address Mask Requests are rarely useful in modern environments, there are still scenarios where the `-PM` scan can be beneficial:
- Network Topology Discovery – If the target responds, the subnet mask reveals the network size and structure.
- Legacy System Enumeration – Older network devices and embedded systems might still respond to these requests, helping identify outdated infrastructure.
- Firewall and Security Testing – Identifying whether a network device is responding to ICMP requests can help assess firewall rules and filtering mechanisms.
- Footprinting and Reconnaissance – In penetration testing, understanding the subnet mask aids in determining the IP range available within a network.
Limitations and Considerations
Despite its potential usefulness, ICMP Address Mask Scan has significant limitations:
- Modern Operating Systems Ignore It – Most modern operating systems (Windows, Linux, macOS) do not respond to ICMP Address Mask Requests due to security policies.
- Firewalls Block It – Many firewalls, including enterprise-grade security appliances, block ICMP Address Mask Requests by default.
- Limited Information – Even if a response is received, the subnet mask alone provides limited intelligence unless combined with other reconnaissance techniques.
- Not Stealthy – Sending ICMP requests can be logged and flagged by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
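The last point above is the one to build on from the defender's side. As an added example (not part of the original article), here is a small detector that runs over constructed Linux netfilter LOG lines: because ICMP Address Mask Requests have no routine use on a modern network, every Type 17 message is worth a finding, and one source hitting several destinations is the sweep pattern a subnet-wide `nmap -PM` produces. Type 18 replies are collected too, so the defender learns which legacy hosts still answer. The hosts, interface and timestamps in the sample lines are made up, and the line format mimics the kernel's LOG target.

```python
import re
from collections import defaultdict

ICMP_ADDRESS_MASK_REQUEST = 17
ICMP_ADDRESS_MASK_REPLY = 18

# Only the fields we need from a netfilter LOG line; everything else is skipped.
NETFILTER_ICMP_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) .*?"
    r"PROTO=ICMP TYPE=(?P<type>\d+) CODE=(?P<code>\d+)"
)

# Constructed sample log lines. 192.168.1.50 sweeps four hosts with Type 17,
# 10.0.0.9 sends a single probe, 192.168.1.3 is a legacy host that answers
# with Type 18, and the remaining lines are unrelated traffic.
SAMPLE_LOG_LINES = [
    "Mar  3 10:15:01 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=32 TTL=64 PROTO=ICMP TYPE=17 CODE=0",
    "Mar  3 10:15:01 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.2 LEN=32 TTL=64 PROTO=ICMP TYPE=17 CODE=0",
    "Mar  3 10:15:01 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.3 LEN=32 TTL=64 PROTO=ICMP TYPE=17 CODE=0",
    "Mar  3 10:15:01 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.4 LEN=32 TTL=64 PROTO=ICMP TYPE=17 CODE=0",
    "Mar  3 10:15:01 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.168.1.3 DST=192.168.1.50 LEN=32 TTL=64 PROTO=ICMP TYPE=18 CODE=0",
    "Mar  3 10:15:02 gw kernel: ICMP-IN: IN=eth1 OUT= SRC=10.0.0.9 DST=192.168.1.1 LEN=32 TTL=60 PROTO=ICMP TYPE=17 CODE=0",
    "Mar  3 10:15:03 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1",
    "Mar  3 10:15:04 gw kernel: TCP-IN: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=44321 DPT=22 SYN",
    "Mar  3 10:15:05 gw sshd[1234]: Accepted publickey for admin from 192.168.1.60 port 44321",
]


def parse_icmp_log_line(line: str):
    """Return (src, dst, icmp_type) for a netfilter ICMP log line, else None."""
    m = NETFILTER_ICMP_RE.search(line)
    if m is None:
        return None
    return m["src"], m["dst"], int(m["type"])


def detect_address_mask_probes(lines, sweep_threshold: int = 3) -> dict:
    """Report every source that sent an address mask request; a source that
    probed at least sweep_threshold distinct destinations is labelled a sweep."""
    requests = defaultdict(set)   # source -> destinations it probed
    responders = set()            # hosts that answered with Type 18
    for line in lines:
        parsed = parse_icmp_log_line(line)
        if parsed is None:
            continue
        src, dst, icmp_type = parsed
        if icmp_type == ICMP_ADDRESS_MASK_REQUEST:
            requests[src].add(dst)
        elif icmp_type == ICMP_ADDRESS_MASK_REPLY:
            responders.add(src)
    findings = [
        {"source": src,
         "kind": "sweep" if len(dsts) >= sweep_threshold else "probe",
         "targets": sorted(dsts)}
        for src, dsts in sorted(requests.items())
    ]
    return {"findings": findings, "responders": sorted(responders)}


if __name__ == "__main__":
    result = detect_address_mask_probes(SAMPLE_LOG_LINES)
    for f in result["findings"]:
        print("%-5s from %-13s -> %s" % (f["kind"], f["source"], ", ".join(f["targets"])))
    print("hosts still answering address mask requests:", result["responders"])
```

Lines like these come from a netfilter rule that logs ICMP type 17 (nftables names the type `address-mask-request`); the same detector can be pointed at any log source that records source, destination and ICMP type. The responders list is the actionable part for a defender: those are the devices that still implement a request no modern host needs to answer.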
Alternatives to `-PM` Scan
If an ICMP Address Mask Scan is not yielding results, consider alternative scanning methods:
- Ping Scan (`-PE`) – Uses ICMP Echo Requests to detect live hosts.
- ARP Scan (`-PR`) – More effective on local networks.
- SYN Scan (`-sS`) – Stealthier for discovering open ports.
- UDP Scan (`-sU`) – Identifies UDP-based services.
- Traceroute (`--traceroute`) – Maps out network pathways.
Conclusion
The ICMP Address Mask Scan (`-PM`) in Nmap is a niche technique that was historically useful for obtaining subnet mask information. However, due to modern security practices, it is rarely effective today. While it can still be useful against legacy systems, most contemporary networks will block or ignore such requests.
If you’re conducting a network assessment, it’s best to complement ICMP Address Mask Scans with other reconnaissance techniques to gather more actionable intelligence.
Would you like to explore more Nmap scanning techniques? Let us know in the comments!