1. Host Discovery

These exercises are as per the modules. better tools are

arpscan
netdiscover

1. Netdiscover

netdiscover -i (network interface name) (example: eth0 or tun0)
netdiscover -i eth0
netdiscover -r 10.10.10.0/24

2. Host discovery using nmap

nmap -sn -PR 192.168.18.110

-sn disables port scan

-PR arp scan. sends ARP probes

sudo nmap -sn -PU 192.168.18.110   //UDP ping scan

nmap -sn -PE 192.168.18.1-255   //ICMP Echo scan
nmap -sn -PM 192.168.18.1-255    //Mask Ping scan (use if ICMP is blocked)
nmap -sn -PP 192.168.18.1-255    //ICMP timestamp scan
nmap -sn -PS 192.168.18.1-255    //tcp syn ping scan
nmap -sn -PO 192.168.18.1-255     //IP protocol scan.use different protocols to test the connectivity

ICMP Address Mask Ping Scan: This technique is an alternative for the traditional ICMP ECHO ping scan, which are used to determine whether the target host is live specifically when administrators block the ICMP ECHO pings.
# nmap -sn -PM [target IP address]
TCP SYN Ping Scan: This technique sends empty TCP SYN packets to the target host, ACK response means that the host is active.
# nmap -sn -PS [target IP address]
TCP ACK Ping Scan: This technique sends empty TCP ACK packets to the target host; an RST response means that the host is active.
# nmap -sn -PA [target IP address]
IP Protocol Ping Scan: This technique sends different probe packets of different IP protocols to the target host, any response from any probe indicates that a host is active.
# nmap -sn -PO [target IP address]