Waytobecomehacker

Nmap Live Host Discovery

This guide explains how to efficiently discover live hosts on a network using Nmap, along with complementary tools like arp-scan and masscan.
It covers host discovery techniques, command-line options, and best practices for active reconnaissance.


📌 Introduction to Nmap

When targeting a network, one of the first tasks is to determine:

  1. Which systems are up?
  2. What services are running on these systems?

Nmap (Network Mapper), created by Gordon Lyon (Fyodor) in 1997, is an industry-standard open-source tool for:

In this guide, we focus on host discovery, which answers the first question: Which systems are up?


🌐 Network Segments & Subnets

Before scanning, it’s important to understand how networks are structured:

Common Subnet Examples:

ARP queries work only within the same subnet, because ARP is a link-layer protocol and does not cross routers.


🎯 Target Specification in Nmap

You can specify targets in several ways:

(Scans 3 IP addresses)

Preview the hosts Nmap will scan without actually scanning:

nmap -sL TARGETS

Skip DNS lookups during this step:

nmap -sL -n TARGETS
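To make the target-specification and subnet points above concrete, here is an added Python example (not from the original notes) that expands Nmap-style target specs the way `nmap -sL -n TARGETS` would list them, and then sorts the resulting addresses into those on the scanner's own subnet (reachable by ARP) and those behind a router (where ARP cannot help and ICMP/TCP/UDP probes are needed). The supported forms (single address, CIDR, per-octet ranges such as `10.11.12.15-20`, per-octet lists such as `10.11.12.15,16,17`) are ones Nmap accepts; the local interface address, prefix length and sample targets are assumptions chosen for the demo.

```python
"""Expand Nmap-style target specs and classify them by ARP reachability.

Added example, not part of the original notes. IPv4 only. A CIDR spec
expands to every address in the block, including network and broadcast
addresses (Nmap does the same when given a /N target).
"""
import ipaddress
import itertools
from typing import Dict, Iterable, List


def _expand_octet(part: str) -> List[int]:
    """Expand one octet spec such as '15', '15-20' or '15,16,17' to ints."""
    values: List[int] = []
    for piece in part.split(","):
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            values.extend(range(int(lo), int(hi) + 1))
        else:
            values.append(int(piece))
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError(f"octet value out of range: {v}")
    return values


def expand_targets(spec: str) -> List[str]:
    """Return every IPv4 address a target spec covers, in scan order.

    `spec` may hold several whitespace-separated specs, like the TARGETS
    argument of `nmap -sL TARGETS`.
    """
    hosts: List[str] = []
    for token in spec.split():
        if "/" in token:
            # CIDR block; strict=False accepts a host address with a prefix
            net = ipaddress.ip_network(token, strict=False)
            hosts.extend(str(a) for a in net)
            continue
        octets = token.split(".")
        if len(octets) != 4:
            raise ValueError(f"not an IPv4 spec: {token}")
        # Cartesian product of per-octet values; first octet varies slowest
        for combo in itertools.product(*(_expand_octet(o) for o in octets)):
            hosts.append(".".join(str(v) for v in combo))
    return hosts


def arp_reachable(targets: Iterable[str], local_ip: str,
                  prefix_len: int) -> Dict[str, List[str]]:
    """Split targets by whether ARP can reach them from the scanner.

    Hosts on the scanner's own subnet answer ARP directly, so an ARP reply
    alone proves they are up. ARP never crosses a router, so every other
    target needs an ICMP, TCP or UDP probe instead.
    """
    local_net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    result: Dict[str, List[str]] = {"arp": [], "routed": []}
    for t in targets:
        bucket = "arp" if ipaddress.ip_address(t) in local_net else "routed"
        result[bucket].append(t)
    return result


if __name__ == "__main__":
    # Assumed scanner position and sample targets (constructed for the demo)
    spec = "10.11.12.15,16,17 10.10.0.0/30 192.168.1.1-3"
    hosts = expand_targets(spec)
    print(f"{len(hosts)} targets:", hosts)
    split = arp_reachable(hosts, local_ip="10.10.0.2", prefix_len=24)
    print("ARP-reachable:", split["arp"])
    print("Need ICMP/TCP/UDP ping:", split["routed"])
```

Running the script before a real scan shows exactly which addresses a spec covers, which is the same sanity check `nmap -sL -n` provides, plus a reminder of why `-PR` alone is not enough once targets lie beyond the local segment.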

📡 TCP/IP Layers & Protocols in Scanning

Nmap leverages multiple protocols for host discovery:

TCP/IP Layers


πŸ” Host Discovery Techniques

1️⃣ ARP Scan


2️⃣ ICMP Echo Scan


3️⃣ TCP SYN Ping


4️⃣ TCP ACK Ping


5️⃣ UDP Ping


6️⃣ Masscan Overview

⚠️ Masscan is very aggressive and can overwhelm networks.


🌎 Reverse DNS Lookups in Nmap

Options:


📖 Summary & Quick Reference

Nmap Host Discovery Commands

| Scan Type | Example Command |
|---|---|
| ARP Scan | `sudo nmap -PR -sn MACHINE_IP/24` |
| ICMP Echo Scan | `sudo nmap -PE -sn MACHINE_IP/24` |
| ICMP Timestamp Scan | `sudo nmap -PP -sn MACHINE_IP/24` |
| ICMP Address Mask | `sudo nmap -PM -sn MACHINE_IP/24` |
| TCP SYN Ping | `sudo nmap -PS22,80,443 -sn MACHINE_IP/30` |
| TCP ACK Ping | `sudo nmap -PA22,80,443 -sn MACHINE_IP/30` |
| UDP Ping | `sudo nmap -PU53,161,162 -sn MACHINE_IP/30` |

Tip: Always add -sn for host discovery only. Without it, Nmap proceeds to port scan live hosts.
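The commands above tell you which hosts answered; the next step on the defensive side is to turn that output into something you can act on. The following added Python example (not from the original notes) parses Nmap's grepable output, which you get by adding `-oG -` to any of the `-sn` commands in the table, and flags live hosts that are missing from an asset inventory. The sample output and the inventory are constructed for the demo; the `Host: <ip> (<rdns>)<TAB>Status: <Up|Down>` line layout is Nmap's own.

```python
"""Parse Nmap grepable (-oG) host-discovery output and spot unknown hosts.

Added example, not from the original notes. SAMPLE_GREPABLE is a constructed
stand-in for what `sudo nmap -sn -PR -oG - 10.10.0.0/29` prints; the asset
inventory is made up as well.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in -oG layout: comment lines start with '#', each host
# line is "Host: <ip> (<rdns>)" then a tab then "Status: <Up|Down>".
SAMPLE_GREPABLE = """\
# Nmap 7.XX scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -PR -oG - 10.10.0.0/29
Host: 10.10.0.1 ()\tStatus: Up
Host: 10.10.0.2 ()\tStatus: Down
Host: 10.10.0.3 (fileserver.lab)\tStatus: Up
Host: 10.10.0.6 ()\tStatus: Up
# Nmap done at Mon Jan  1 10:00:02 2024 -- 8 IP addresses (3 hosts up) scanned in 1.98 seconds
"""

# Constructed inventory of addresses that are expected to be on the segment
KNOWN_ASSETS: Dict[str, str] = {
    "10.10.0.1": "gateway",
    "10.10.0.3": "fileserver",
}

HOST_LINE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<rdns>[^)]*)\)\s+Status:\s+(?P<status>\w+)"
)


@dataclass
class Host:
    ip: str
    rdns: str   # empty string when Nmap had no reverse-DNS name (or -n was used)
    up: bool


def parse_grepable(text: str) -> List[Host]:
    """Return one Host per 'Host:' line; comment and unrelated lines are skipped."""
    hosts: List[Host] = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = HOST_LINE.match(line)
        if not m:
            continue
        hosts.append(Host(m["ip"], m["rdns"], m["status"].lower() == "up"))
    return hosts


def live_hosts(hosts: List[Host]) -> List[str]:
    """Addresses that answered a probe, i.e. the hosts Nmap marked Up."""
    return [h.ip for h in hosts if h.up]


def unknown_live_hosts(hosts: List[Host], inventory: Dict[str, str]) -> List[str]:
    """Live hosts not present in the inventory: candidates for investigation."""
    return [ip for ip in live_hosts(hosts) if ip not in inventory]


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    print("Live hosts:", live_hosts(parsed))
    print("Not in inventory:", unknown_live_hosts(parsed, KNOWN_ASSETS))
```

Feeding a real scan through the same parser (`sudo nmap -sn -PR -oG - MACHINE_IP/24 | python3 this_script.py` after swapping the sample for `sys.stdin.read()`) gives a quick list of devices that answered but are not in your records.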


Useful Options

| Option | Purpose |
|---|---|
| `-n` | Disable DNS lookup |
| `-R` | Reverse-DNS lookup for all hosts |
| `-sn` | Host discovery only, skip port scanning |

✅ Conclusion

By mastering ARP, ICMP, TCP, and UDP scans, you can reliably discover live hosts. Any valid response from a host indicates it is online. Nmap, combined with tools like arp-scan and masscan, provides a powerful toolkit for active reconnaissance.
