Host Discovery

Host discovery techniques for penetration testing, including ping sweeps, ARP scans, and Nmap host discovery methods to identify active systems and live hosts on target networks during security assessments.

IPv4 Discovery

Ping Sweep (Nmap)

Perform a basic host discovery scan across a subnet and extract live hosts:

nmap -sn $RHOST/24 -oG - | awk '/Up$/{print $2}' > output.scan
  • -sn disables port scanning and performs host discovery only
  • Outputs a list of responsive hosts to output.scan
  • Relies on ICMP echo requests
  • Use CIDR notation (e.g., /24 for 256 hosts, /16 for 65,536 hosts)

Scan specific IP range:

nmap -sn 192.168.1.1-254 -oG - | awk '/Up$/{print $2}' > output.scan
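The awk one-liner above relies on the grepable (-oG) line format, which is worth parsing properly when the results feed a baseline or an asset inventory. The following Python is an added example, not part of the original page or of Nmap itself; it parses a constructed -oG sample into (ip, hostname) pairs and diffs two scans so that addresses that answered in the current sweep but not in an earlier baseline can be reviewed. The sample text and the host names in it are made up.

```python
"""Parse nmap grepable (-oG) output and diff it against a baseline."""
import re

# Constructed sample of `nmap -sn -oG -` output; not a real capture.
# Down hosts appear in -oG output only at higher verbosity, but the parser
# handles them either way.
SAMPLE_OG = """# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -oG - 10.0.0.0/29
Host: 10.0.0.1 (gateway.example)\tStatus: Up
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.3 ()\tStatus: Down
Host: 10.0.0.5 (printer.example)\tStatus: Up
# Nmap done at Mon Jan  1 12:00:01 2024 -- 8 IP addresses (3 hosts up) scanned in 1.23 seconds
"""

# One grepable host line: "Host: <ip> (<name or empty>)<TAB>Status: <Up|Down>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_live_hosts(text):
    """Return [(ip, hostname_or_None), ...] for every host reported Up."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and port lines are skipped
        ip, name, status = m.groups()
        if status == "Up":
            hosts.append((ip, name or None))
    return hosts


def new_hosts(baseline_text, current_text):
    """IPs that are Up now but were not Up in the baseline scan."""
    before = {ip for ip, _ in parse_live_hosts(baseline_text)}
    return sorted(ip for ip, _ in parse_live_hosts(current_text) if ip not in before)


if __name__ == "__main__":
    import sys
    # Usage: nmap -sn -oG - 10.0.0.0/24 | python3 og_parse.py
    for ip, name in parse_live_hosts(sys.stdin.read()):
        print(ip, name or "")
```

Feeding yesterday's output.scan and today's into new_hosts() gives the list of addresses that started answering since the baseline, which is the check a network owner cares about after running the sweep.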

TCP-Based Host Discovery

When ICMP is blocked, use TCP SYN or ACK probes against common ports to identify live hosts:

nmap -sn -PS22,80,443 $RHOST/24
nmap -sn -PA80,443 $RHOST/24
  • -PS TCP SYN probe
  • -PA TCP ACK probe
  • Specify common ports likely to be open (22, 80, 443, 135, 139, 445)

UDP-based host discovery:

nmap -sn -PU53,161 $RHOST/24
  • -PU UDP probe
  • Useful when both ICMP and TCP are filtered

ICMP Advanced Probes

Use different ICMP message types when standard ping is blocked:

nmap -sn -PP $RHOST/24  # ICMP timestamp request
nmap -sn -PM $RHOST/24  # ICMP address mask request

Fping

Fast parallel ping tool for host discovery:

fping -a -g $RHOST/24 2>/dev/null
  • -a show only alive hosts
  • -g generate target list from network range
  • Faster than sequential ping

Scan from file:

fping -a < hosts.txt

Hping3

Advanced packet crafting tool for custom probes:

hping3 -1 $RHOST  # ICMP ping
hping3 -S -p 80 $RHOST  # TCP SYN to port 80
hping3 -2 -p 161 $RHOST  # UDP to port 161
  • -1 ICMP mode
  • -S SYN flag
  • -2 UDP mode
  • Useful for firewall testing and custom probe crafting

Masscan

Ultra-fast host discovery and port scanning:

masscan $RHOST/24 -p0 --rate=1000
  • -p0 ping scan (host discovery only)
  • --rate packets per second (adjust based on network)
  • Much faster than nmap but less accurate

Netdiscover Scan

Passive and active ARP-based host discovery. Useful when ICMP is blocked, but requires being on the same L2 segment:

sudo netdiscover -i eth0

Active scan:

sudo netdiscover -r $RHOST/24 -i eth0

Passive scan (stealth):

sudo netdiscover -p -i eth0

ARP Scan

Actively enumerate hosts on the local network using ARP requests, which operate at layer 2 and are therefore unaffected by ICMP filtering:

arp-scan -l

Scan specific network:

arp-scan $RHOST/24

Interface selection:

arp-scan -I eth0 -l

IPv6 Discovery

Nmap IPv6 Host Discovery

nmap -6 -sn $RHOSTv6/64
  • -6 enable IPv6 scanning
  • Use IPv6 CIDR notation (typically /64 for subnets); note that a /64 holds 2^64 addresses, so sweeping an entire /64 address by address is not practical

Ping6

ping6 -c 3 $RHOSTv6

Passive Discovery

Passive discovery techniques listen to network traffic without sending probes:

Tcpdump/Wireshark

Monitor network traffic for host activity:

sudo tcpdump -i eth0 -n 'arp or icmp'
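The same capture filter that shows host activity also exposes the sweeps described in the IPv4 section: one source sending echo requests or ARP who-has probes to many distinct addresses in a short window. The Python below is an added example, not code from the original page or from tcpdump; it parses tcpdump-style text lines (constructed here, not a real capture) and flags any source that probes at least `threshold` distinct targets within `window` seconds, which is the detection a defender would run over such a capture. The line format matches what `tcpdump -n 'arp or icmp'` prints for ICMP echo requests and ARP requests; other lines are ignored.

```python
"""Flag ICMP and ARP sweeps in tcpdump -n 'arp or icmp' text output."""
import re
from collections import defaultdict

# tcpdump -n line shapes this detector understands:
#   12:00:01.000001 IP 10.0.0.50 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
#   12:00:20.000001 ARP, Request who-has 10.0.0.2 tell 10.0.0.60, length 28
ICMP_REQ = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+) > (\S+): ICMP echo request")
ARP_REQ = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ ARP, Request who-has (\S+) tell (\S+),")


def to_seconds(hms):
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_probe(line):
    """Return (t_seconds, src, dst, kind) for a probe line, else None."""
    m = ICMP_REQ.match(line)
    if m:
        return to_seconds(m.group(1)), m.group(2), m.group(3), "icmp"
    m = ARP_REQ.match(line)
    if m:  # "who-has <dst> tell <src>"
        return to_seconds(m.group(1)), m.group(3), m.group(2), "arp"
    return None  # replies and unrelated traffic are not probes


def detect_sweeps(lines, window=60, threshold=10):
    """Sources that probed >= threshold distinct targets inside any window."""
    events = defaultdict(list)  # (src, kind) -> [(t, dst)]
    for line in lines:
        p = parse_probe(line)
        if p:
            t, src, dst, kind = p
            events[(src, kind)].append((t, dst))
    alerts = []
    for (src, kind), evs in events.items():
        evs.sort()
        seen = defaultdict(int)  # dst -> count inside the sliding window
        lo, peak = 0, 0
        for t, dst in evs:
            seen[dst] += 1
            while evs[lo][0] < t - window:  # drop events older than the window
                old = evs[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts.append({"src": src, "kind": kind, "distinct_targets": peak})
    return alerts


def constructed_capture():
    """Made-up tcpdump lines: one ICMP sweep, one ARP sweep, one benign pinger."""
    lines = []
    for i in range(1, 21):  # 10.0.0.50 pings 20 hosts within a few seconds
        lines.append(f"12:00:{1 + i // 10:02d}.{i:06d} IP 10.0.0.50 > 10.0.0.{i}: "
                     f"ICMP echo request, id 1, seq {i}, length 64")
    for i in range(3):  # 10.0.0.7 pings only its gateway; should not alert
        lines.append(f"12:00:1{i}.000000 IP 10.0.0.7 > 10.0.0.1: ICMP echo request, id 2, seq {i}, length 64")
    lines.append("12:00:10.000100 IP 10.0.0.1 > 10.0.0.7: ICMP echo reply, id 2, seq 0, length 64")
    for i in range(1, 13):  # 10.0.0.60 ARP-sweeps 12 addresses
        lines.append(f"12:00:20.{i:06d} ARP, Request who-has 10.0.0.{i} tell 10.0.0.60, length 28")
    lines.append("12:00:20.000500 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28")
    return lines


if __name__ == "__main__":
    import sys
    # Usage: sudo tcpdump -l -n 'arp or icmp' | python3 sweep_detect.py
    source = sys.stdin if not sys.stdin.isatty() else constructed_capture()
    for a in detect_sweeps(source):
        print(f"sweep: {a['src']} sent {a['kind']} probes to {a['distinct_targets']} targets")
```

The threshold and window are tuning knobs: a monitoring host that legitimately pings a few gateways stays under ten distinct targets, while a /24 sweep from any of the tools in this page crosses it within seconds. ARP and ICMP are counted separately because an ARP sweep is only visible on the scanner's own segment, which is also the caveat given for netdiscover and arp-scan above.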

Passive Network Mapping

Tools like p0f can identify hosts and OS from passive traffic analysis:

sudo p0f -i eth0

When to Use Each Method

  • ICMP Ping: Default method, fastest, but often blocked
  • TCP Probes: When ICMP is filtered, more reliable
  • ARP: Local network only; works at layer 2, so ICMP and other IP-layer filtering does not affect it
  • UDP Probes: When ICMP and TCP are blocked
  • Passive: Stealthiest, requires network access, slower