Host Discovery with Nmap

Before performing a full internal penetration test, it is essential to identify which systems on the network are live. Nmap offers several host-discovery methods: ARP requests on the local segment, ICMP echo and timestamp requests, and TCP SYN/ACK probes to common ports. This step helps avoid wasting time port-scanning systems that are offline.

Tip: Always save scan results for documentation, reporting, and comparison purposes. Different tools may yield different results, so keeping track is essential.


Scan a Network Range

To discover live hosts within a specific subnet using ICMP (ping) without performing a port scan:

sudo nmap IP_RANGE -sn -oA tnet | grep for | cut -d" " -f5

Options Breakdown:

  • IP_RANGE – Example: 10.129.2.0/24

  • -sn – Disables port scanning (ping-only scan).

  • -oA tnet – Outputs in all three formats, writing tnet.nmap (normal), tnet.gnmap (grepable) and tnet.xml (XML).

On a directly connected subnet a privileged -sn scan relies on ARP requests, which a host on the same segment can hardly avoid answering. For targets beyond a router, Nmap instead sends an ICMP echo request, an ICMP timestamp request, a TCP SYN to port 443 and a TCP ACK to port 80; a host whose firewall drops all four is reported as down even though it is live, so read an empty result as "no response" rather than "no hosts".
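Rather than scraping stdout with grep and cut, the grepable file that -oA writes can be parsed directly, and two saved runs can be compared, which is the kind of tracking the Tip above recommends. The following is an added example, not code from the original page: it assumes the default -oA naming (tnet.gnmap), and the two sample files it builds are constructed in Nmap's grepable format, not output from a real scan.

```shell
#!/bin/sh
# Added example (not from the original page): parse the grepable file that
# -oA writes (tnet.gnmap) instead of scraping stdout, and diff two saved scans.
# The two sample files below are constructed in Nmap's grepable format; they
# are not output from a real scan.

live_hosts() {
  # $1 = path to a .gnmap file. Prints one IP per line for hosts Nmap marked Up.
  # Grepable lines look like: Host: 10.129.2.4 ()<TAB>Status: Up
  awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$1"
}

count_live() {
  live_hosts "$1" | wc -l | tr -d ' '
}

new_hosts() {
  # $1 = older .gnmap, $2 = newer .gnmap. Prints hosts Up in $2 but not in $1.
  # Plain awk instead of comm/process substitution so this stays POSIX sh.
  live_hosts "$2" | awk -v old="$(live_hosts "$1")" '
    BEGIN { n = split(old, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
    !($0 in seen)'
}

gone_hosts() {
  # Hosts Up in the older scan that no longer answer in the newer one.
  new_hosts "$2" "$1"
}

# Constructed sample scans (addresses and timestamps are illustrative only).
# Nmap lists "Status: Down" hosts in grepable output only when run with -v.
SCAN1="$(mktemp)"; SCAN2="$(mktemp)"
trap 'rm -f "$SCAN1" "$SCAN2"' EXIT
cat > "$SCAN1" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -v -sn -oA tnet 10.129.2.0/24
Host: 10.129.2.4 ()	Status: Up
Host: 10.129.2.10 ()	Status: Up
Host: 10.129.2.18 ()	Status: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
EOF
cat > "$SCAN2" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 11:00:00 2024 as: nmap -sn -oA tnet 10.129.2.0/24
Host: 10.129.2.4 ()	Status: Up
Host: 10.129.2.25 ()	Status: Up
# Nmap done at Mon Jan  1 11:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
EOF

echo "Live in first scan ($(count_live "$SCAN1")):"; live_hosts "$SCAN1"
echo "Appeared since:";    new_hosts  "$SCAN1" "$SCAN2"
echo "Disappeared since:"; gone_hosts "$SCAN1" "$SCAN2"
```

In practice replace the constructed files with the tnet.gnmap written by each run; the Host: line is stable across Nmap versions, and the parser ignores the reverse-DNS name in parentheses, so it also works when hosts resolve.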

Scan from an IP List

When given a list of IPs to test, create a file (hosts.lst) and use:

sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

Options Breakdown:

  • -iL – Reads targets from the provided list.

  • Other flags remain the same.

Scan Multiple or Ranged IPs

To scan several specific IPs:

sudo nmap -sn -oA tnet IP1 IP2 IP3

To scan a short range within the same subnet:

sudo nmap -sn -oA tnet IP_BASE.START-END

Example, where <target> is written in the range form above (for the subnet used earlier, 10.129.2.18-20 covers .18, .19 and .20):

sudo nmap -sn -oA tnet <target>

Scan a Single IP

To verify whether a host is alive:

sudo nmap <target> -sn -oA host
  • On a directly connected Ethernet segment a privileged scan sends an ARP request; for remote targets it sends an ICMP echo request, an ICMP timestamp request, a TCP SYN to port 443 and a TCP ACK to port 80, and any one reply marks the host as up.

Force ICMP Echo (Ping) with Packet Trace

To explicitly use ICMP and see packet-level detail:

sudo nmap <target> -sn -oA host -PE --packet-trace
  • -PE – Sends ICMP echo requests.

  • --packet-trace – Displays every packet sent and received.

Show Detection Reason

To understand why Nmap considers a host alive:

sudo nmap <target> -sn -oA host -PE --reason
  • --reason – Prints what triggered the host-up decision (e.g. arp-response, echo-reply, syn-ack) on the "Host is up, received ..." line.
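The reason strings are worth collecting, because a host marked up by arp-response says nothing about whether it answers ICMP. The following is an added example, not code from the original page: it reads the normal-format file that -oA writes (host.nmap) and tallies the reasons per host. The sample file it builds is constructed in the format Nmap uses with --reason; it is not output from a real scan, and the MAC address is a documentation-range value.

```shell
#!/bin/sh
# Added example (not from the original page): extract the --reason strings
# from the normal-format file that -oA writes (host.nmap) and tally them.
# The sample file below is constructed; it is not output from a real scan.

host_reasons() {
  # $1 = path to a .nmap file. Prints "<ip> <reason>" for each host reported up.
  # Normal output pairs "Nmap scan report for X" with a following
  # "Host is up, received <reason> (<rtt>s latency)." line.
  awk '
    /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }
    /^Host is up, received / {
      r = $0
      sub(/^Host is up, received /, "", r)   # drop the fixed prefix
      sub(/ \(.*$/, "", r)                   # drop the latency suffix
      sub(/\.$/, "", r)                      # drop trailing dot when no latency is printed
      sub(/ ttl [0-9]+$/, "", r)             # fold "echo-reply ttl 64" into "echo-reply"
      print ip, r
    }' "$1"
}

reason_counts() {
  # Prints "<count> <reason>" per distinct reason, sorted by reason name.
  host_reasons "$1" | awk '{ print $2 }' | sort | uniq -c | awk '{ print $1, $2 }'
}

hosts_with_reason() {
  # $1 = .nmap file, $2 = reason to select (arp-response, echo-reply, syn-ack, ...).
  host_reasons "$1" | awk -v want="$2" '$2 == want { print $1 }'
}

# Constructed sample: a list scan mixing a same-segment host (ARP) with
# remote hosts (ICMP). 00:00:5E:00:53:xx is the IANA documentation MAC range.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -PE --reason -oA host -iL hosts.lst
Nmap scan report for 10.129.2.4
Host is up, received arp-response (0.00034s latency).
MAC Address: 00:00:5E:00:53:01 (ICANN, IANA Department)
Nmap scan report for 10.129.2.10
Host is up, received echo-reply ttl 64 (0.0012s latency).
Nmap scan report for srv (10.129.2.18)
Host is up, received echo-reply ttl 128 (0.0021s latency).
# Nmap done at Mon Jan  1 12:00:03 2024 -- 3 IP addresses (3 hosts up) scanned in 3.00 seconds
EOF

echo "Per host:";               host_reasons "$SAMPLE"
echo "Per reason:";             reason_counts "$SAMPLE"
echo "Answered ICMP echo:";     hosts_with_reason "$SAMPLE" echo-reply
```

On a local subnet every host will show arp-response, so the echo-reply list is empty even when ICMP is wide open; the --disable-arp-ping option in the next section is how to get an ICMP-based reason for those hosts.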

Disable ARP Pings

To bypass ARP and use ICMP only:

sudo nmap <target> -sn -oA host -PE --packet-trace --disable-arp-ping

This makes the host-up decision depend solely on an ICMP echo reply. On a local segment Nmap still resolves the target's MAC address via ARP in order to deliver the frame, but an ARP reply alone no longer counts as proof that the host is up, so --reason will report echo-reply instead of arp-response. This is useful when the question is whether a host (or a firewall in front of it) actually answers ICMP, rather than merely whether it exists at layer 2.