Host Discovery

Techniques for identifying active systems.

IPv4 Discovery

Ping Sweep (Nmap)

Perform a basic host discovery scan across a subnet and extract live hosts:

nmap -sn $RHOST/24 -oG - | awk '/Up$/{print $2}' > output.scan
  • -sn disables port scanning and performs host discovery only
  • Outputs a list of responsive hosts to output.scan
  • Relies mainly on ICMP echo requests; run as root, nmap also sends an ICMP timestamp request plus a TCP SYN to port 443 and a TCP ACK to port 80, so hosts that only drop ICMP can still show up
  • Use CIDR notation (e.g., /24 for 256 hosts, /16 for 65,536 hosts)

Scan a specific IP range:

nmap -sn 192.168.1.1-254 -oG - | awk '/Up$/{print $2}' > output.scan

TCP-Based Host Discovery

When ICMP is blocked, use TCP SYN or ACK probes against common ports to identify live hosts:

nmap -sn -PS22,80,443 $RHOST/24
nmap -sn -PA80,443 $RHOST/24
  • -PS TCP SYN probe
  • -PA TCP ACK probe
  • Specify common ports likely to be open (22, 80, 443, 135, 139, 445)

UDP-based host discovery:

nmap -sn -PU53,161 $RHOST/24
  • -PU UDP probe
  • Useful when both ICMP and TCP are filtered; a closed UDP port answers with an ICMP port-unreachable message that reveals the host, while an open UDP port usually stays silent

ICMP Advanced Probes

Use different ICMP message types when standard ping is blocked:

nmap -sn -PP $RHOST/24  # ICMP timestamp request
nmap -sn -PM $RHOST/24  # ICMP address mask request

Fping

Fast parallel ping tool for host discovery:

fping -a -g $RHOST/24 2>/dev/null
  • -a show only alive hosts
  • -g generate target list from network range
  • Faster than sequential ping

Scan from file:

fping -a < hosts.txt

Hping3

Advanced packet crafting tool for custom probes:

hping3 -1 $RHOST  # ICMP ping
hping3 -S -p 80 $RHOST  # TCP SYN to port 80
hping3 -2 -p 161 $RHOST  # UDP to port 161
  • -1 ICMP mode
  • -S SYN flag
  • -2 UDP mode
  • Useful for firewall testing and custom probe crafting

Masscan

Ultra-fast host discovery and port scanning:

masscan $RHOST/24 --ping --rate=1000
  • --ping ICMP echo host discovery only (no port scan; -p0 would instead scan TCP port 0)
  • --rate packets per second (adjust to what the network can absorb)
  • Much faster than nmap but less accurate

Netdiscover Scan

Passive and active ARP-based host discovery. Useful when ICMP is blocked, but requires being on the same L2 segment:

sudo netdiscover -i eth0

Active scan:

sudo netdiscover -r $RHOST/24 -i eth0

Passive scan (stealth):

sudo netdiscover -p -i eth0

ARP Scan

Actively enumerate hosts on the local segment using ARP requests; ARP is unaffected by ICMP filtering but does not cross routers:

arp-scan -l

Scan specific network:

arp-scan $RHOST/24

Interface selection:

arp-scan -I eth0 -l

IPv6 Discovery

Nmap IPv6 Host Discovery

nmap -6 -sn $RHOSTv6/64
  • -6 enable IPv6 scanning
  • Use IPv6 CIDR notation, but note that a /64 holds 2^64 addresses, so a full sweep is impractical and lists of known addresses are usually scanned instead

Ping6

ping6 -c 3 $RHOSTv6

Passive Discovery

Passive discovery techniques listen to network traffic without sending probes:

Tcpdump/Wireshark

Monitor network traffic for host activity:

sudo tcpdump -i eth0 -n 'arp or icmp'
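From the defender's side, the ARP and ICMP sweeps described on this page leave a recognisable trace in exactly this tcpdump output: one source probing many neighbours within a short window. The following added example (not part of the original page) parses constructed tcpdump lines in the format above and flags such sources; the sample addresses, the five-target threshold and the two-second window are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample of `tcpdump -i eth0 -n 'arp or icmp'` output (not a real capture):
# 192.168.1.50 probes six neighbours within two seconds, 192.168.1.20 pings one host.
SAMPLE_LINES = """\
10:00:01.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
10:00:01.000200 ARP, Request who-has 192.168.1.2 tell 192.168.1.50, length 28
10:00:01.000300 ARP, Request who-has 192.168.1.3 tell 192.168.1.50, length 28
10:00:01.000400 ARP, Request who-has 192.168.1.4 tell 192.168.1.50, length 28
10:00:01.000500 ARP, Request who-has 192.168.1.5 tell 192.168.1.50, length 28
10:00:01.100000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01, length 28
10:00:02.000000 IP 192.168.1.20 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
10:00:03.000000 IP 192.168.1.50 > 192.168.1.6: ICMP echo request, id 2, seq 1, length 64
""".splitlines()

# Only requests count as probes; replies and unrelated traffic are ignored by design.
ARP_RE = re.compile(r"^(\S+) ARP, Request who-has (\S+) tell (\S+),")
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP echo request,")

def _seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_probe(line):
    """Return (time, prober, target, kind) for an ARP who-has or ICMP echo request, else None."""
    if m := ARP_RE.match(line):
        return _seconds(m.group(1)), m.group(3), m.group(2), "arp"
    if m := ICMP_RE.match(line):
        return _seconds(m.group(1)), m.group(2), m.group(3), "icmp"
    return None

def detect_sweeps(lines, min_targets=5, window=2.0):
    """Return {prober: sorted targets} for sources hitting >= min_targets distinct addresses within window seconds."""
    by_src = defaultdict(list)
    for probe in filter(None, map(parse_probe, lines)):
        t, src, dst, _ = probe
        by_src[src].append((t, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (t, _) in enumerate(events):
            while events[start][0] < t - window:  # slide the window past stale events
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets and len(targets) > len(flagged.get(src, ())):
                flagged[src] = sorted(targets)
    return flagged
```

Feed it `tcpdump -l -n 'arp or icmp'` output line by line and alert on any flagged source; single hosts answering or pinging one peer never trip the threshold.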

Passive Network Mapping

Tools like p0f can identify hosts and OS from passive traffic analysis:

sudo p0f -i eth0

When to Use Each Method

  • ICMP Ping: default and fastest method, but often blocked by host or perimeter filtering
  • TCP Probes: more reliable when ICMP is filtered, since common service ports must still answer
  • ARP: local L2 segment only, but unaffected by IP-layer filtering
  • UDP Probes: when ICMP and TCP are blocked; detection relies on ICMP port-unreachable replies
  • Passive: stealthiest but slowest; requires a position on the segment or a tap