Host Discovery

nmap -sn 192.168.100.1/24 | grep for | cut -d" " -f5

Before scanning ports, we must identify which hosts are alive. This is the first step in an internal network assessment.

Key Flag: -sn Disable Port Scan. (Formerly known as "Ping Scan"). Tells Nmap to only check if the host is up.

1. Target Selection Methods

Method	Command	Description
Network Range	sudo nmap 10.129.2.0/24 -sn	Scans the entire CIDR range.
IP List	sudo nmap -sn -iL hosts.lst	Scans targets listed in a file (hosts.lst).
Multiple IPs	sudo nmap -sn 10.1.1.1 10.1.1.2	Scans specific space-separated IPs.
IP Octet Range	sudo nmap -sn 10.1.1.1-20	Scans a range within the last octet.

Tip: Always save scans (-oA) for documentation and comparison.
Examples
sudo nmap 10.129.2.0/24 -sn -oA output
sudo nmap -sn -oA output -iL hosts.lst
sudo nmap -sn -oA output 10.1.1.1 10.1.1.2
sudo nmap -sn -oA output 10.1.1.1-20
And to save the output to specific directory: sudo nmap 10.129.2.0/24 -sn -oA /path/to/directory/output

Examples
sudo nmap 10.129.2.0/24 -sn -oA output
sudo nmap -sn -oA output -iL hosts.lst
sudo nmap -sn -oA output 10.1.1.1 10.1.1.2
sudo nmap -sn -oA output 10.1.1.1-20

2. Scan Network Range

Scans the entire CIDR range to find live hosts.

sn: Disables port scan (Ping Scan).

oA tnet: Save output in all formats with name "tnet".

sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

3. Scan IP List (iL)

Useful when provided a specific list of targets (e.g., hosts.lst).

The List:

cat hosts.lst

10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

The Scan:

sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

10.129.2.18
10.129.2.19
10.129.2.20

Note: Missing hosts likely ignored ICMP echo requests (firewall blocks).

4. Scan Multiple IPs

You can specify individual IPs or octet ranges.

List Specific IPs:

sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20| grep for | cut -d" " -f5

10.129.2.18
10.129.2.19
10.129.2.20

Range in Octet:

sudo nmap -sn -oA tnet 10.129.2.18-20| grep for | cut -d" " -f5

10.129.2.18
10.129.2.19
10.129.2.20

🔬 Discovery Logic: ARP vs. ICMP

This case is for the internal networks (If you were working on the same network). nmap uses arp (internal) or icmp (internal/external networks).
Using icmp is more stealthy, so if you were the same network internal you may want to use ICMP.
To use the ICMP you must enforce stopping the ARP.

On local networks (same subnets), Nmap defaults to ARP (faster/reliable) even if you ask for ICMP (-PE). You must explicitly disable ARP to force ICMP.

1. Default Behavior (ARP preference)

Even with -PE (ICMP Echo), Nmap uses ARP on local LANs (same subnets).

-packet-trace: Shows traffic. Notice ARP who-has is sent, not ICMP.

sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:08 CEST
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Nmap scan report for 10.129.2.18
Host is up (0.023s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

2. Confirming with -reason

Nmap confirms the host is marked "up" because of an arp-response.

sudo nmap 10.129.2.18 -sn -oA host -PE --reason

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:10 CEST
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Nmap scan report for 10.129.2.18
Host is up, received arp-response (0.028s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

3. Forcing ICMP (-disable-arp-ping)

To test firewall rules or simulate external scanning, disable ARP.

Notice ICMP Echo request is now sent.

sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:12 CEST
SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
Nmap scan report for 10.129.2.18
Host is up (0.086s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

📝 Host Discovery Cheat Sheet

Flag	Name	Function
-sn	Ping Scan	Disables port scanning; only checks if hosts are alive.
-oA <name>	Output All	Saves scan results in three formats (normal, grepable, XML).
-iL <file>	Input List	Scans targets listed in a text file.
-PE	ICMP Echo	Uses ICMP Echo requests (standard Ping) for discovery.
--packet-trace	Trace	Displays all packets sent and received (debugging).
--reason	Reason	Displays why Nmap marked a host as up/down/filtered.
--disable-arp-ping	No ARP	Forces Nmap to stop using ARP for local discovery (forces ICMP).

Method

Command

Description

Network Range

sudo nmap 10.129.2.0/24 -sn

Scans the entire CIDR range.

IP List

sudo nmap -sn -iL hosts.lst

Scans targets listed in a file (hosts.lst).

Multiple IPs

sudo nmap -sn 10.1.1.1 10.1.1.2

Scans specific space-separated IPs.

IP Octet Range

sudo nmap -sn 10.1.1.1-20

Scans a range within the last octet.

Examples
sudo nmap 10.129.2.0/24 -sn -oA output
sudo nmap -sn -oA output -iL hosts.lst
sudo nmap -sn -oA output 10.1.1.1 10.1.1.2
sudo nmap -sn -oA output 10.1.1.1-20

Examples

sudo nmap 10.129.2.0/24 -sn -oA output

sudo nmap -sn -oA output -iL hosts.lst

sudo nmap -sn -oA output 10.1.1.1 10.1.1.2

sudo nmap -sn -oA output 10.1.1.1-20

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:08 CEST SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2 RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF Nmap scan report for 10.129.2.18 Host is up (0.023s latency). MAC Address: DE:AD:00:00:BE:EF Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:10 CEST SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2 RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF Nmap scan report for 10.129.2.18 Host is up, received arp-response (0.028s latency). MAC Address: DE:AD:00:00:BE:EF Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:12 CEST SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ] RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ] Nmap scan report for 10.129.2.18 Host is up (0.086s latency). MAC Address: DE:AD:00:00:BE:EF Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Flag

Name

Function

-sn

Ping Scan

Disables port scanning; only checks if hosts are alive.

-oA <name>

Output All

Saves scan results in three formats (normal, grepable, XML).

-iL <file>

Input List

Scans targets listed in a text file.

-PE

ICMP Echo

Uses ICMP Echo requests (standard Ping) for discovery.

--packet-trace

Trace

Displays all packets sent and received (debugging).

--reason

Reason

Displays why Nmap marked a host as up/down/filtered.

--disable-arp-ping

No ARP

Forces Nmap to stop using ARP for local discovery (forces ICMP).

Host Discovery

1. Target Selection Methods

2. Scan Network Range

Additional Info

3. Scan IP List (iL)

The List:

The Scan:

4. Scan Multiple IPs

List Specific IPs:

Range in Octet:

🔬 Discovery Logic: ARP vs. ICMP

1. Default Behavior (ARP preference)

2. Confirming with -reason

3. Forcing ICMP (-disable-arp-ping)

📝 Host Discovery Cheat Sheet

1. Target Selection Methods

2. Scan Network Range

Additional Info

3. Scan IP List (iL)

The List:

The Scan:

4. Scan Multiple IPs

List Specific IPs:

Range in Octet:

🔬 Discovery Logic: ARP vs. ICMP

1. Default Behavior (ARP preference)

2. Confirming with -reason

3. Forcing ICMP (-disable-arp-ping)

📝 Host Discovery Cheat Sheet