1. Host Discovery

These exercises follow the modules. For ARP-based discovery on the local subnet the better tools are

  • arp-scan

  • netdiscover

1. Netdiscover

netdiscover -i (network interface name) (example: eth0 or tun0)
sudo netdiscover -i eth0
sudo netdiscover -r 10.10.10.0/24

netdiscover needs root because it sends raw ARP requests. ARP only reaches hosts on the same layer-2 segment, so it will not find anything across a router or over a VPN tun interface; use the nmap ICMP/TCP probes below for those. -r limits the sweep to one range; without it netdiscover walks the common private ranges.

2. Host discovery using nmap

sudo nmap -sn -PR 192.168.18.110

-sn disables the port scan (host discovery only)

-PR ARP ping; sends ARP requests. Local subnet only, needs root. When run as root against a local Ethernet segment nmap already uses ARP for -sn by default, so -PR just makes that explicit.

The raw-packet probes below all need root; unprivileged nmap falls back to a TCP connect() to ports 80 and 443.

sudo nmap -sn -PU 192.168.18.110   //UDP ping scan (default port 40125)
sudo nmap -sn -PE 192.168.18.1-255   //ICMP echo scan
sudo nmap -sn -PM 192.168.18.1-255    //ICMP address mask ping (try when ICMP echo is blocked)
sudo nmap -sn -PP 192.168.18.1-255    //ICMP timestamp ping
sudo nmap -sn -PS 192.168.18.1-255    //TCP SYN ping (default port 80; -PS22,80,443 picks ports)
sudo nmap -sn -PO 192.168.18.1-255     //IP protocol ping; uses different IP protocols (default ICMP, IGMP, IP-in-IP) to test connectivity
  • ICMP Address Mask Ping Scan: An alternative to the traditional ICMP echo ping scan, used to determine whether the target host is live when administrators block ICMP echo. Few modern hosts answer address mask requests, so treat no reply as inconclusive.

    # nmap -sn -PM [target IP address]

  • TCP SYN Ping Scan: Sends empty TCP SYN packets to the target host. Either a SYN/ACK (port open) or an RST (port closed) response means the host is active; only silence or an ICMP unreachable leaves it undetermined.

    # nmap -sn -PS [target IP address]

  • TCP ACK Ping Scan: Sends empty TCP ACK packets to the target host; an RST response means the host is active. Useful against stateless packet filters that only block SYNs.

    # nmap -sn -PA [target IP address]

  • IP Protocol Ping Scan: Sends probe packets using different IP protocols to the target host; any response to any probe, including an ICMP protocol unreachable, indicates that the host is active.

    # nmap -sn -PO [target IP address]
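The usual workflow behind the probes above is: pick ARP when the target is on the local segment, otherwise combine several probe types so that a host only has to answer one of them, then pull the live addresses out of nmap's grepable output and feed them to a port scan. The script below is an added example, not part of the original notes; the target ranges, the `local_segment` switch and the sample nmap output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): build an nmap host-discovery
# command for a range and extract live hosts from grepable (-oG) output.
# The ranges and the sample output below are constructed for illustration.

# Build the nmap host-discovery command for a target.
# On a local Ethernet segment ARP is fastest and a host firewall cannot
# filter it; across a router (or a VPN tun interface) ARP does not reach,
# so several probe types are combined and a host is reported as up if it
# answers any one of them.
discovery_cmd() {
    target=$1
    local_segment=${2:-yes}
    if [ "$local_segment" = yes ]; then
        printf 'sudo nmap -sn -PR -oG - %s\n' "$target"
    else
        printf 'sudo nmap -sn -PE -PP -PM -PS22,80,443 -PA80,443 -oG - %s\n' "$target"
    fi
}

# Read grepable nmap output on stdin and print one IP per live host.
# Grepable output has one "Host: <ip> (<name>)  Status: Up" line per
# responding host; with -v, non-responding hosts appear as "Status: Down".
live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# Constructed sample of "nmap -sn -v -oG -" output used to exercise the parser.
SAMPLE_OUTPUT='# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.18.1 ()   Status: Up
Host: 192.168.18.110 () Status: Up
Host: 192.168.18.200 () Status: Down
# Nmap done: 3 IP addresses (2 hosts up) scanned'

# Live hosts from the sample as a single space-separated line.
sample_live_hosts() {
    printf '%s\n' "$SAMPLE_OUTPUT" | live_hosts | tr '\n' ' ' | sed 's/ $//'
}

# Real use: run the discovery command, keep the live hosts, port-scan them.
#   $(discovery_cmd 192.168.18.0/24) | live_hosts > live.txt
#   sudo nmap -sS -p- -iL live.txt
echo "live hosts in sample: $(sample_live_hosts)"
```

The `-oG -` form writes grepable output to stdout, which is what makes the awk filter work; the XML output (`-oX`) is the better choice when the result is consumed by another tool rather than by a shell pipeline.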

3. Angry IP Scanner

In Tools > Preferences you can change the pinging method, for example to UDP+TCP, which still finds hosts that drop ICMP echo. In the Display tab, choose to show only alive hosts so the result list is not cluttered with non-responding addresses.
