TCP ACK Ping (`-PA`) with Nmap

TCP ACK Ping (-PA) with Nmap
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  4 minute read  

Introduction

Nmap (Network Mapper) is a powerful open-source tool widely used for network discovery and security auditing. Among its many scanning techniques, the TCP ACK Ping (-PA) is particularly useful for identifying active hosts within a network, especially in environments where standard ICMP ping is blocked by firewalls.

In this article, we will explore how TCP ACK Ping works, its use cases, practical examples, and limitations, helping you understand when and how to use it effectively.

Understanding TCP ACK Ping (-PA)

How It Works

TCP ACK Ping (-PA) is a host discovery technique that sends TCP ACK packets to a target system. The main goal is to check whether a host is online by observing how it responds to unsolicited TCP ACK packets.

  • If the host is alive and reachable, it may respond with a TCP RST (Reset) packet, indicating that no connection exists but confirming the host’s presence.
  • If the host is down or unreachable, there will be no response or an ICMP Destination Unreachable message.
  • If a firewall is present, it might silently drop the ACK packets, making the host appear offline unless specific rules allow the traffic.

Unlike ICMP Echo Request (ping), which firewalls often block, TCP ACK Ping can bypass such restrictions since firewalls often allow outbound TCP connections but may not filter ACK packets explicitly.

Why Use TCP ACK Ping?

  • Bypassing Firewalls: Many networks block ICMP ping but allow TCP traffic, making TCP ACK Ping a useful alternative.
  • Detecting Live Hosts: Helps in situations where traditional ping scans fail.
  • Network Mapping: Useful in reconnaissance and penetration testing to identify active devices.

Using TCP ACK Ping with Nmap

Basic Syntax

The basic syntax for running a TCP ACK Ping scan with Nmap is:

nmap -sn -PA <target>

Here:

  • -sn (No port scan): Ensures that Nmap performs only host discovery, without scanning ports.
  • -PA (TCP ACK Ping): Sends TCP ACK packets to determine host availability.
  • <target>: The IP address or range of addresses to scan.

Specifying Destination Ports

By default, Nmap sends ACK packets to port 80 (HTTP). However, you can specify multiple ports using:

nmap -sn -PA22,443 <target>

This sends ACK packets to ports 22 (SSH) and 443 (HTTPS), increasing the chances of detecting an active host.

Example Usage

Example 1: Scanning a Single Target

nmap -sn -PA 192.168.1.1

This checks if 192.168.1.1 is online by sending a TCP ACK packet to port 80.

Example 2: Scanning a Subnet

nmap -sn -PA 192.168.1.0/24

Scans the entire subnet 192.168.1.0/24, sending TCP ACK packets to detect live hosts.

Example 3: Specifying Multiple Ports

nmap -sn -PA21,22,80,443 192.168.1.1

This sends ACK packets to ports 21 (FTP), 22 (SSH), 80 (HTTP), and 443 (HTTPS), increasing the likelihood of finding an active host.

Combining with Other Scan Techniques

To enhance host discovery, you can combine TCP ACK Ping with other methods:

nmap -sn -PA -PE -PS22,80,443 192.168.1.1

Here:

  • -PE sends an ICMP Echo Request.
  • -PS22,80,443 sends a TCP SYN Ping to ports 22, 80, and 443.

Interpreting Results

Example Output

Nmap scan report for 192.168.1.1
Host is up (0.0050s latency).

This means the target responded to the ACK packet (likely with a RST), confirming it is online.

Nmap scan report for 192.168.1.2
Host seems down. If it is really up, but blocking our ping probes, try -Pn

This suggests that the host did not respond, possibly because:

  • It is offline.
  • A firewall is blocking the ACK packets.
  • The destination ports used for the scan are closed.

Limitations and Considerations

While TCP ACK Ping is useful, it has certain limitations:

  1. Firewall Limitations: Some firewalls drop ACK packets from unknown sources, making a host appear offline.
  2. No Service Detection: Unlike TCP SYN scanning, ACK Ping does not determine open ports.
  3. Spoofing Detection: Some Intrusion Detection Systems (IDS) may flag unexpected ACK packets as suspicious.
  4. Operating System Behavior: Different OS configurations may respond differently to unsolicited ACK packets.

Best Practices for Effective Scanning

  • Use Multiple Ports: If scanning a firewall-protected network, specify multiple ports to increase detection success.
  • Combine with Other Scans: Use SYN Ping (-PS) and ICMP Ping (-PE) alongside ACK Ping for better accuracy.
  • Understand Firewall Policies: If scanning a known network, check firewall rules to determine if ACK packets are blocked.
  • Use -Pn When Necessary: If all pings fail, use -Pn to assume hosts are up and proceed with a port scan.

Conclusion

TCP ACK Ping (-PA) in Nmap is a powerful tool for discovering live hosts, particularly in environments where ICMP pings are blocked. While it has limitations due to firewall configurations and varying OS behaviors, it remains a valuable method for penetration testers, network administrators, and security researchers. By strategically combining TCP ACK Ping with other techniques, you can achieve more reliable and comprehensive network reconnaissance.

Would you like to see additional advanced examples or real-world use cases? Let me know how I can refine this guide for your specific needs!


< TCP SYN Ping with NmapNmap UDP Ping Guide >