This guide explains how to efficiently discover live hosts on a network using Nmap, along with complementary tools like arp-scan and masscan. It covers host discovery techniques, command-line options, and best practices for active reconnaissance.
When targeting a network, one of the first tasks is to determine:
Nmap (Network Mapper), created by Gordon Lyon (Fyodor) in 1997, is an industry-standard open-source tool for:
In this guide, we focus on host discovery, which answers the first question: Which systems are up?
Before scanning, it's important to understand how networks are structured:

Notation | Subnet Mask | Approx. Hosts |
---|---|---|
/16 | 255.255.0.0 | ~65,000 hosts |
/24 | 255.255.255.0 | ~250 hosts |

ARP queries work only within the same subnet, because ARP is a link-layer protocol and does not cross routers.
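The subnet rule above decides which probe makes sense: ARP only reaches hosts on the same link, so a target in another subnet needs ICMP, TCP or UDP probes instead. The following POSIX shell script is added here as an example (it is not part of the original guide): it converts a prefix length to a mask, counts the addresses a prefix covers (the /16 and /24 figures above), and checks whether a target shares the scanner's subnet, choosing `-PR` on-link and `-PE` otherwise. The function names, the sample addresses and the "ARP on-link, ICMP echo off-link" decision rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Pure POSIX sh arithmetic,
# no external tools needed.

# Convert a dotted-quad IPv4 address to a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer (24 -> 0xFFFFFF00)
prefix_to_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Number of addresses covered by a prefix: /30 -> 4, /24 -> 256, /16 -> 65536
hosts_in_prefix() {
    echo $(( 1 << (32 - $1) ))
}

# same_subnet LOCAL_IP TARGET_IP PREFIXLEN -> prints "yes" or "no"
# Two addresses are on the same link when their network parts match.
same_subnet() {
    mask=$(prefix_to_mask "$3")
    if [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# Pick the Nmap host discovery probe (assumed rule): ARP (-PR) works only
# on-link, so an off-link target gets an ICMP echo probe (-PE) instead.
discovery_flag() {
    if [ "$(same_subnet "$1" "$2" "$3")" = yes ]; then
        printf '%s\n' "-PR"
    else
        printf '%s\n' "-PE"
    fi
}

# Constructed sample: scanner at 10.11.12.5/24, two candidate targets
if [ "${1:-}" = "demo" ]; then
    printf 'hosts in /24: %s\n' "$(hosts_in_prefix 24)"
    printf '10.11.12.200 -> %s\n' "$(discovery_flag 10.11.12.5 10.11.12.200 24)"
    printf '10.11.13.2   -> %s\n' "$(discovery_flag 10.11.12.5 10.11.13.2 24)"
fi
```

Run it with `sh script.sh demo`; the first target is on-link and gets `-PR`, the second sits behind a router and gets `-PE`. The flag it prints can be dropped straight into `sudo nmap FLAG -sn TARGET`.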
You can specify targets in several ways:

List:
nmap MACHINE_IP scanme.nmap.org example.com
(Scans 3 IP addresses)

Range:
nmap 10.11.12.15-20
(Scans 6 IPs: .15 to .20)

Subnet:
nmap MACHINE_IP/30
(Scans 4 IPs)

From File:
nmap -iL list_of_hosts.txt
Preview the hosts Nmap will scan without actually scanning:
nmap -sL TARGETS
Skip DNS lookups during this step:
nmap -sL -n TARGETS
Nmap leverages multiple protocols for host discovery:

ARP Scan:
Command:
sudo nmap -PR -sn MACHINE_IP/24
Alternative tool: arp-scan
sudo arp-scan --localnet
sudo arp-scan -I eth0 -l

ICMP Echo Scan:
Command:
sudo nmap -PE -sn MACHINE_IP/24

TCP SYN Ping:
Command:
sudo nmap -PS22,80,443 -sn MACHINE_IP/30

TCP ACK Ping:
Command:
sudo nmap -PA80,443,8080 -sn MACHINE_IP/30

UDP Ping:
Command:
sudo nmap -PU53,161,162 -sn MACHINE_IP/30
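Each of the commands above answers "which systems are up?", but the answer still has to be collected from Nmap's output. The following POSIX shell script is added here as an example (not part of the original guide): it wraps a `-sn` discovery sweep with grepable output (`-oG`) and extracts the live addresses with `awk`. The wrapper function, the `live_hosts`/`count_live` names and the sample output are this example's own assumptions; the sample block is constructed to look like grepable output and is embedded so the parsing runs offline.

```shell
#!/bin/sh
# Added example, not from the original guide. Requires nmap only for
# run_discovery; the parsing functions work on any grepable (-oG) output.

# run_discovery OUTFILE PROBE TARGETS...
# Runs host discovery only (-sn), skips DNS (-n), writes grepable output.
# Raw ARP/ICMP probes need root, hence sudo (as in the guide's commands).
run_discovery() {
    outfile=$1; probe=$2; shift 2
    sudo nmap "$probe" -sn -n -oG "$outfile" "$@" >/dev/null
}

# Print one live IPv4 address per line from grepable output on stdin.
# Grepable host lines look like: "Host: 10.11.12.1 ()<TAB>Status: Up"
live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# Count live hosts in grepable output on stdin
count_live() {
    live_hosts | wc -l | tr -d ' '
}

# Constructed sample resembling "nmap -PR -sn -n -v -oG - 10.11.12.0/30"
# (down hosts are listed in grepable output only when -v is given).
SAMPLE_OG='# Nmap scan initiated as: nmap -PR -sn -n -v -oG - 10.11.12.0/30
Host: 10.11.12.1 ()	Status: Up
Host: 10.11.12.2 ()	Status: Down
Host: 10.11.12.3 ()	Status: Up
# Nmap done -- 4 IP addresses (2 hosts up) scanned in 0.20 seconds'

if [ "${1:-}" = "demo" ]; then
    printf 'live hosts:\n'
    printf '%s\n' "$SAMPLE_OG" | live_hosts
    printf 'count: %s\n' "$(printf '%s\n' "$SAMPLE_OG" | count_live)"
fi
```

Run `sh script.sh demo` to see the parser on the constructed sample; on a real sweep, `run_discovery hosts.gnmap -PR MACHINE_IP/24` followed by `live_hosts < hosts.gnmap` produces a clean list of addresses to feed into later steps. Because the parser only accepts `Status: Up` lines, anything else Nmap prints (comments, down hosts with `-v`) is ignored.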
Similar syntax to Nmap:
masscan MACHINE_IP/24 -p443
masscan MACHINE_IP/24 -p80,443
masscan MACHINE_IP/24 -p22-25
masscan MACHINE_IP/24 --top-ports 100
⚠️ Masscan is very aggressive and can overwhelm networks.
DNS resolution options:
Skip DNS lookup:
nmap -n TARGETS
Query DNS for all hosts (even offline):
nmap -R TARGETS
Use a specific DNS server:
nmap --dns-servers 8.8.8.8 TARGETS
Scan Type | Example Command |
---|---|
ARP Scan | sudo nmap -PR -sn MACHINE_IP/24 |
ICMP Echo Scan | sudo nmap -PE -sn MACHINE_IP/24 |
ICMP Timestamp Scan | sudo nmap -PP -sn MACHINE_IP/24 |
ICMP Address Mask | sudo nmap -PM -sn MACHINE_IP/24 |
TCP SYN Ping | sudo nmap -PS22,80,443 -sn MACHINE_IP/30 |
TCP ACK Ping | sudo nmap -PA22,80,443 -sn MACHINE_IP/30 |
UDP Ping | sudo nmap -PU53,161,162 -sn MACHINE_IP/30 |
Tip: Always add -sn for host discovery only. Without it, Nmap proceeds to port scan live hosts.
Option | Purpose |
---|---|
-n | Disable DNS lookup |
-R | Reverse-DNS lookup for all hosts |
-sn | Host discovery only, skip port scanning |
By mastering ARP, ICMP, TCP, and UDP scans, you can reliably discover live hosts. Any valid response from a host indicates it is online. Nmap, combined with tools like arp-scan and masscan, provides a powerful toolkit for active reconnaissance.