Host Discovery

Introduction

When we need to conduct an internal penetration test for the entire network of a company, for example, then we should, first of all, get an overview of which systems are online that we can work with.
To actively discover such systems on the network, we can use various Nmap host discovery options. There are many options Nmap provides to determine whether our target is alive or not.
It is always recommended to store every single scan. This can later be used for comparison, documentation, and reporting. After all, different tools may produce different results. Therefore it can be beneficial to distinguish which tool produces which results.

Host Discovery

Scanning a network range: sudo nmap <IP Address/<Subnet> -sn -oA <Output File Name> | grep for | cut -d" " -f5 (Note: When I ran this it gave me that all the hosts are up so I added "--unprivileged" and got the correct results)
- This scanning method works only if the firewalls of the hosts allow it. Otherwise, we can use other scanning techniques to find out if the hosts are active or not.
- Example: sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
- Example: sudo nmap --unprivileged 192.168.100.0/24 -sn -oA TestingTemp | grep for | cut -d" " -f5
Scanning an IP list: sudo nmap -sn -oA <Output File Name> -iL <File Name That Contains the List> | grep for | cut -d" " -f5 (Note: When I ran this it gave me that all the hosts are up so I added "--unprivileged" and got the correct results)
- This also might provide some false positives as some hosts ignore the default ICMP echo requests because of their firewall configurations. Since Nmap does not receive a response, it marks those hosts as inactive.
- Example: sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
- Example: sudo nmap --unprivileged -sn -oA TestingTemp -iL temp.lst | grep for | cut -d" " -f5
Scanning Multiple IP: sudo nmap -sn -oA <Output File Name> <IP Address 1> <IP Address 2> <IP Address X> | grep for | cut -d" " -f5 (Note: When I ran this it gave me that all the hosts are up so I added "--unprivileged" and got the correct results)
- Example: sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20| grep for | cut -d" " -f5
- Example: sudo nmap --unprivileged -sn -oA tempTest 192.168.100.1 192.168.100.97 192.168.100.40 | grep for | cut -d" " -f5
Scanning Multiple IP (Adjacent): sudo nmap -sn -oA <Output File Name> <IP Address.X-Y> | grep for | cut -d" " -f5 (Note: When I ran this it gave me that all the hosts are up so I added "--unprivileged" and got the correct results)
- Example: sudo nmap -sn -oA tnet 10.129.2.18-20| grep for | cut -d" " -f5
- Example: sudo nmap --unprivileged -sn -oA tempTest 192.168.100.1-255| grep for | cut -d" " -f5
Scanning a Single IP address (live or not): sudo nmap <IP Address> -sn -oA host (Note: When I ran this it gave me that all the hosts are up so I added "--unprivileged" and got the correct results)
- Example: sudo nmap 10.129.2.18 -sn -oA host
- Example: sudo nmap --unprivileged 192.168.100.1 -sn -oA tempTest

If we disable port scan (-sn), Nmap automatically ping scan with ICMP Echo Requests (-PE). Once such a request is sent, we usually expect an ICMP reply if the pinging host is alive.
The more interesting fact is that our previous scans did not do that because before Nmap could send an ICMP echo request, it would send an ARP ping resulting in an ARP reply. We can confirm this with the "--packet-trace" option.
Another way to determine why Nmap has our target marked as "alive" is with the "--reason" option.
To disable ARP requests and scan our target with the desired ICMP echo requests, we can disable ARP pings by setting the "--disable-arp-ping" option.
The operating system of the target can be identified using some of the properties of the packet. For example, the TTL of a Linux packet is 64 while the TTL of a Windows packet is 128.

PreviousEnumeration & Introduction to Nmap NextHost and Port Scanning

Last updated 3 months ago

Introduction

When we need to conduct an internal penetration test for the entire network of a company, for example, then we should, first of all, get an overview of which systems are online that we can work with.

To actively discover such systems on the network, we can use various Nmap host discovery options. There are many options Nmap provides to determine whether our target is alive or not.

It is always recommended to store every single scan. This can later be used for comparison, documentation, and reporting. After all, different tools may produce different results. Therefore it can be beneficial to distinguish which tool produces which results.

Host Discovery

Scanning a network range: sudo nmap <IP Address/<Subnet> -sn -oA <Output File Name> | grep for | cut -d" " -f5 (Note: When I ran this it gave me that all the hosts are up so I added "--unprivileged" and got the correct results)

This scanning method works only if the firewalls of the hosts allow it. Otherwise, we can use other scanning techniques to find out if the hosts are active or not.
Example: sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
Example: sudo nmap --unprivileged 192.168.100.0/24 -sn -oA TestingTemp | grep for | cut -d" " -f5

Scanning an IP list: sudo nmap -sn -oA <Output File Name> -iL <File Name That Contains the List> | grep for | cut -d" " -f5 (Note: When I ran this it gave me that all the hosts are up so I added "--unprivileged" and got the correct results)

This also might provide some false positives as some hosts ignore the default ICMP echo requests because of their firewall configurations. Since Nmap does not receive a response, it marks those hosts as inactive.
Example: sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
Example: sudo nmap --unprivileged -sn -oA TestingTemp -iL temp.lst | grep for | cut -d" " -f5

Scanning Multiple IP: sudo nmap -sn -oA <Output File Name> <IP Address 1> <IP Address 2> <IP Address X> | grep for | cut -d" " -f5 (Note: When I ran this it gave me that all the hosts are up so I added "--unprivileged" and got the correct results)

Example: sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20| grep for | cut -d" " -f5
Example: sudo nmap --unprivileged -sn -oA tempTest 192.168.100.1 192.168.100.97 192.168.100.40 | grep for | cut -d" " -f5

Scanning Multiple IP (Adjacent): sudo nmap -sn -oA <Output File Name> <IP Address.X-Y> | grep for | cut -d" " -f5 (Note: When I ran this it gave me that all the hosts are up so I added "--unprivileged" and got the correct results)

Example: sudo nmap -sn -oA tnet 10.129.2.18-20| grep for | cut -d" " -f5
Example: sudo nmap --unprivileged -sn -oA tempTest 192.168.100.1-255| grep for | cut -d" " -f5

Scanning a Single IP address (live or not): sudo nmap <IP Address> -sn -oA host (Note: When I ran this it gave me that all the hosts are up so I added "--unprivileged" and got the correct results)

Example: sudo nmap 10.129.2.18 -sn -oA host
Example: sudo nmap --unprivileged 192.168.100.1 -sn -oA tempTest

If we disable port scan (-sn), Nmap automatically ping scan with ICMP Echo Requests (-PE). Once such a request is sent, we usually expect an ICMP reply if the pinging host is alive.

The more interesting fact is that our previous scans did not do that because before Nmap could send an ICMP echo request, it would send an ARP ping resulting in an ARP reply. We can confirm this with the "--packet-trace" option.

Another way to determine why Nmap has our target marked as "alive" is with the "--reason" option.

To disable ARP requests and scan our target with the desired ICMP echo requests, we can disable ARP pings by setting the "--disable-arp-ping" option.

The operating system of the target can be identified using some of the properties of the packet. For example, the TTL of a Linux packet is 64 while the TTL of a Windows packet is 128.