Nmap 6: Network Exploration and Security Auditing Cookbook

Overview of this book

Nmap is a well-known security tool used by penetration testers and system administrators. The Nmap Scripting Engine (NSE) has added the possibility of performing additional tasks using the collected host information, such as advanced fingerprinting and service discovery, information gathering, and detection of security vulnerabilities. "Nmap 6: Network Exploration and Security Auditing Cookbook" will help you master Nmap and its scripting engine. You will learn how to use this tool for a wide variety of practical tasks in pentesting and network monitoring. Finally, after harnessing the power of NSE, you will also learn how to write your own NSE scripts. "Nmap 6: Network Exploration and Security Auditing Cookbook" is a book full of practical knowledge for every security consultant, administrator or enthusiast looking to master Nmap. The book overviews the most important port scanning and host discovery techniques supported by Nmap. You will learn how to detect misconfigurations in web, mail and database servers and also how to implement your own monitoring system. The book also covers tasks for reporting, scanning numerous hosts, vulnerability detection and exploitation, and its strongest aspect: information gathering.

Finding live hosts in your network


Finding live hosts in a network is often used by penetration testers to enumerate active targets, and by system administrators to count or monitor the number of active hosts.

This recipe describes how to perform a ping scan with Nmap to find the live hosts in a network.

How to do it...

Open your terminal and enter the following command:

$ nmap -sP 192.168.1.1/24

The result shows hosts that are online and responded to the ping sweep.

Nmap scan report for 192.168.1.102 
Host is up. 
Nmap scan report for 192.168.1.254 
Host is up (0.0027s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 
Nmap done: 256 IP addresses (2 hosts up) scanned in 10.18 seconds 

In this case, we found two live hosts in the network. Nmap has also found the MAC address, and it identified the vendor of a home router.

How it works...

Nmap uses the -sP flag for ping scanning. This type of scan is very useful for enumerating the hosts in a network. It sends a TCP ACK packet and an ICMP echo request if executed as a privileged user, or a TCP SYN packet via the connect() syscall if run by a user who cannot send raw packets. Newer Nmap releases document this option as -sn (no port scan); -sP is kept as an alias and behaves the same way.

The CIDR suffix /24 in 192.168.1.1/24 tells Nmap to scan all 256 addresses of that network, 192.168.1.0 through 192.168.1.255.

There's more...

When scanning a local Ethernet network as a privileged user, Nmap uses ARP requests instead of the IP-level probes described above, because hosts on the same segment must answer ARP to communicate at all. You can override this behavior and force IP probes by including the --send-ip flag.

# nmap -sP --send-ip 192.168.1.1/24

Traceroute

Use --traceroute to include the path between your machine and each host that was found.

Nmap scan report for 192.168.1.101 
Host is up (0.062s latency). 
MAC Address: 00:23:76:CD:C5:BE (HTC) 

TRACEROUTE 
HOP RTT      ADDRESS 
1   61.70 ms 192.168.1.101 

Nmap scan report for 192.168.1.102 
Host is up. 

Nmap scan report for 192.168.1.254 
Host is up (0.0044s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 

TRACEROUTE 
HOP RTT     ADDRESS 
1   4.40 ms 192.168.1.254 

Nmap done: 256 IP addresses (3 hosts up) scanned in 10.03 seconds 

NSE scripts

Ping scanning does not perform port scanning or service detection, but the Nmap Scripting Engine can still be enabled: scripts with a host rule, such as sniffer-detect and dns-brute, run against every host that is found to be up.

# nmap -sP --script discovery 192.168.1.1/24 

Pre-scan script results: 
| broadcast-ping: 
|_  Use the newtargets script-arg to add the results as targets 
Nmap scan report for 192.168.1.102 
Host is up. 

Host script results: 
|_dns-brute: Can't guess domain of "192.168.1.102"; use dns-brute.domain script argument. 

Nmap scan report for 192.168.1.254 
Host is up (0.0023s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 

Host script results: 
|_dns-brute: Can't guess domain of "192.168.1.254"; use dns-brute.domain script argument. 
|_sniffer-detect: Likely in promiscuous mode (tests: "11111111") 

Nmap done: 256 IP addresses (2 hosts up) scanned in 14.11 seconds 
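The opening of this recipe notes that administrators use ping sweeps to monitor the number of active hosts, and the NSE output above contains a host-script finding (sniffer-detect reporting a NIC in promiscuous mode) that a defender would want to act on rather than read by eye. The following Python script is an added example and not code from the book: it parses Nmap's normal output as printed in this recipe (the -sP run with host scripts, and the --traceroute run), extracts each host's state, latency, MAC address and vendor, keeps the first line of every host-script result, records traceroute hops, flags hosts that sniffer-detect reports as likely promiscuous, and diffs the live hosts against a known-hosts baseline so a scheduled sweep can alert on unexpected or missing hosts. The two sample outputs embedded in it are constructed from the output shown in this recipe; the baseline list, the dataclass and the function names are my own.

```python
"""Parse Nmap ping-scan (-sP/-sn) normal output for host monitoring.
Added example for this recipe, not code from the book; assumes the text format shown here."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample 1: the -sP --script discovery output from this recipe.
SAMPLE_OUTPUT = """\
Pre-scan script results:
| broadcast-ping:
|_  Use the newtargets script-arg to add the results as targets
Nmap scan report for 192.168.1.102
Host is up.

Host script results:
|_dns-brute: Can't guess domain of "192.168.1.102"; use dns-brute.domain script argument.

Nmap scan report for 192.168.1.254
Host is up (0.0023s latency).
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.)

Host script results:
|_dns-brute: Can't guess domain of "192.168.1.254"; use dns-brute.domain script argument.
|_sniffer-detect: Likely in promiscuous mode (tests: "11111111")

Nmap done: 256 IP addresses (2 hosts up) scanned in 14.11 seconds
"""
# Constructed sample 2: one host from the --traceroute output in this recipe.
SAMPLE_TRACEROUTE = """\
Nmap scan report for 192.168.1.101
Host is up (0.062s latency).
MAC Address: 00:23:76:CD:C5:BE (HTC)

TRACEROUTE
HOP RTT      ADDRESS
1   61.70 ms 192.168.1.101

Nmap done: 256 IP addresses (3 hosts up) scanned in 10.03 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")          # first token: name or IP
UP_RE = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?\.")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+): (.*)$")            # first line of a script result
HOP_RE = re.compile(r"^(\d+)\s+([\d.]+) ms\s+(\S+)")            # one traceroute hop row

@dataclass
class Host:
    ip: str
    up: bool = False
    latency_s: Optional[float] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None
    scripts: Dict[str, str] = field(default_factory=dict)
    hops: List[Tuple[int, float, str]] = field(default_factory=list)

def parse_ping_scan(text: str) -> Dict[str, Host]:
    """Return {target: Host}. Lines before the first scan report (pre-scan script
    output) and continuation lines of multi-line script output are skipped."""
    hosts: Dict[str, Host] = {}
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := HOST_RE.match(line)):
            current = Host(ip=m.group(1))
            hosts[current.ip] = current
        elif current is None:
            continue
        elif (m := UP_RE.match(line)):
            current.up = True
            current.latency_s = float(m.group(1)) if m.group(1) else None
        elif (m := MAC_RE.match(line)):
            current.mac, current.vendor = m.group(1), m.group(2)
        elif (m := SCRIPT_RE.match(line)):
            current.scripts.setdefault(m.group(1), m.group(2))
        elif (m := HOP_RE.match(line)):
            current.hops.append((int(m.group(1)), float(m.group(2)), m.group(3)))
    return hosts

def promiscuous_hosts(hosts: Dict[str, Host]) -> List[str]:
    """Targets whose sniffer-detect result says the NIC is likely in promiscuous
    mode, i.e. something on that host may be capturing LAN traffic."""
    return sorted(ip for ip, h in hosts.items()
                  if "promiscuous" in h.scripts.get("sniffer-detect", ""))

def diff_against_baseline(baseline: List[str], hosts: Dict[str, Host]) -> Tuple[List[str], List[str]]:
    """(new, missing): live hosts absent from the known-hosts baseline, and baseline
    hosts that did not answer, so a scheduled sweep can alert on either."""
    live = {ip for ip, h in hosts.items() if h.up}
    return sorted(live - set(baseline)), sorted(set(baseline) - live)

if __name__ == "__main__":
    scan = parse_ping_scan(SAMPLE_OUTPUT)
    for h in scan.values():
        print(h)
    print("promiscuous:", promiscuous_hosts(scan))
    print("new, missing:", diff_against_baseline(["192.168.1.254"], scan))  # hypothetical baseline
    print("hops:", parse_ping_scan(SAMPLE_TRACEROUTE)["192.168.1.101"].hops)
```

To use it on a real sweep, save the output (for example, nmap -sP 192.168.1.1/24 > scan.txt) and pass the file's contents to parse_ping_scan. For anything beyond a quick script, prefer Nmap's XML output (-oX), which is the stable interface for tooling; the normal text format parsed here can change between releases.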

See also

  • The Running NSE scripts recipe

  • The Discovering hosts using broadcast pings recipe in Chapter 2, Network Exploration

  • The Discovering hosts with TCP SYN ping scans recipe in Chapter 2, Network Exploration

  • The Discovering hosts with TCP ACK ping scans recipe in Chapter 2, Network Exploration

  • The Discovering hosts with ICMP ping scans recipe in Chapter 2, Network Exploration

  • The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration

  • The Discovering hostnames pointing to the same IP recipe in Chapter 3, Gathering Additional Host Information

  • The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information

  • The Spoofing the origin IP of a port scan recipe in Chapter 3, Gathering Additional Host Information