# 1. Host Discovery

These exercises follow the course modules. Better tools are:

* arp-scan
* netdiscover

## <mark style="color:red;">1. Netdiscover</mark>

```
# Usage: netdiscover -i <network interface name>   (example: eth0 or tun0)
netdiscover -i eth0
netdiscover -r 10.10.10.0/24
```

## 2. Host discovery using nmap

```
nmap -sn -PR 192.168.18.110
```

{% hint style="info" %}
`-sn` disables the port scan (host discovery only).

`-PR` performs an ARP scan: it sends ARP probes.
{% endhint %}

<figure><img src="/files/YCFexC4feARgLUfXkMiv" alt=""><figcaption></figcaption></figure>

```
sudo nmap -sn -PU 192.168.18.110   # UDP ping scan
```

```
nmap -sn -PE 192.168.18.1-255    # ICMP echo ping scan
nmap -sn -PM 192.168.18.1-255    # ICMP address mask ping scan (use if ICMP echo is blocked)
nmap -sn -PP 192.168.18.1-255    # ICMP timestamp ping scan
nmap -sn -PS 192.168.18.1-255    # TCP SYN ping scan
nmap -sn -PO 192.168.18.1-255    # IP protocol ping scan: uses different IP protocols to test connectivity
```

* **ICMP Address Mask Ping Scan**: This technique is an alternative to the traditional ICMP ECHO ping scan. It is used to determine whether the target host is live, specifically when administrators block ICMP ECHO pings.

  `# nmap -sn -PM [target IP address]`
* **TCP SYN Ping Scan**: This technique sends empty TCP SYN packets to the target host; an ACK response means that the host is active.

  `# nmap -sn -PS [target IP address]`
* **TCP ACK Ping Scan**: This technique sends empty TCP ACK packets to the target host; an RST response means that the host is active.

  `# nmap -sn -PA [target IP address]`
* **IP Protocol Ping Scan**: This technique sends probe packets of different IP protocols to the target host; any response to any probe indicates that the host is active.

  `# nmap -sn -PO [target IP address]`

## 3. Angry IP Scanner

{% embed url="<https://angryip.org/>" %}

In the settings, you can change the pinging method to UDP+TCP. In the Display tab, choose to display only live hosts.

<figure><img src="/files/G78RFCUUQ8LEq976pUTr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/WKPK1TGiYLqeyVk2hpb4" alt=""><figcaption></figcaption></figure>

