Nmap is a popular tool used by pentesters, system administrators and network administrators. Nmap provides a lot of features for free. In this tutorial, we will look at the host discovery features and options of nmap.
Discover with Ping Scan
One of the basic usages for host discovery is the Ping scan. Ping uses the ICMP protocol to communicate with targets. Targets generally respond to Ping or ICMP requests, which shows that the remote system is up. In some cases a firewall blocks Ping or ICMP packets, and then we cannot learn the remote system's status this way.
$ nmap -sP 192.168.1.1

As we can see from the result, 1 IP address or host is up.
Discover with ARP Scan or ARP Ping
Ethernet (MAC addressing) is the protocol used to communicate between hosts in a local network. If the target is in the same network segment as us, we can scan remote systems with an ARP scan. An ARP scan sends an ARP request for each IP address, and if a remote system answers the request, it is up. This is the most reliable host discovery technique for the local network segment, and it cannot be prevented by regular firewalls.
$ nmap -PR 192.168.1.1
Discover with Port Scan
Another useful technique is a port scan. If the target has a firewall enabled and is not in the same network as us, we can use a port scan to detect the host status. We provide a list of common port numbers on which the host will answer our request if it is up. We will scan ports 22,23,80,139,445,3389,8080 to detect the remote host.
$ nmap -p 22,23,80,139,445,3389,8080 192.168.1.1

Bash Script To List Live IP Addresses
If we only want the IP addresses and no other text, we can use some scripting. We will use the grep and sort commands to filter out only the IP addresses.
$ nmap -p 22,23,80,139,445,3389,8080 192.168.1.0/24 | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"

We can also redirect this output into a file like below.
$ nmap -p 22,23,80,139,445,3389,8080 192.168.1.0/24 | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" > ip-list.txt
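The grep approach above matches every dotted quad in nmap's normal output, so it also picks up hosts that nmap reports as down when verbose output is on. The following added example (not from the original tutorial) filters nmap's grepable output (`-oG -`) on the `Status: Up` field instead and sorts the result numerically; the nmap output it runs on is a constructed sample, not a real scan.

```shell
#!/bin/sh
# Constructed sample of nmap grepable output (nmap -oG -), not a real scan.
# Real nmap separates the fields with tabs; spaces behave the same for awk.
SAMPLE='# Nmap scan initiated (constructed sample)
Host: 192.168.1.1 (gateway.lan)  Status: Up
Host: 192.168.1.1 (gateway.lan)  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.168.1.7 ()  Status: Down
Host: 192.168.1.100 ()  Status: Up
Host: 192.168.1.100 ()  Ports: 445/open/tcp//microsoft-ds///
Host: 192.168.1.20 ()  Status: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned'

# live_hosts: read grepable nmap output on stdin, print one IP per live host.
# Only "Host:" lines whose status is Up are kept, so down hosts and the
# per-host "Ports:" lines never leak into the list. The IPs are then sorted
# numerically octet by octet and deduplicated.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' \
        | sort -u -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Demo on the constructed sample: prints 192.168.1.1, 192.168.1.20, 192.168.1.100
printf '%s\n' "$SAMPLE" | live_hosts

# Against a real network the same filter is fed by nmap directly, e.g.:
#   nmap -p 22,23,80,139,445,3389,8080 192.168.1.0/24 -oG - | live_hosts > ip-list.txt
```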