NMAP (Part 4): Network Scanning

goay xuan hui
Jan 22, 2021


This article is part of a series. Check out the full series: Part 1: Port Scanning Responses, Part 2: Basic Port Scanning Types, Part 3: Other Port Scanning Types, Part 4: Network Scanning, Part 5: Firewall Evasion Options and Part 6: NSE Scripts!

For network scanning, we can use a ping sweep to see which IP addresses have an active host behind them and which do not.

This is done with the NMAP -sn switch. This option tells NMAP not to run a port scan after host discovery.

By default, the -sn switch sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. When a privileged user runs the scan against a local network, ARP requests are used instead, unless --send-ip was specified.

nmap -sn 192.168.0.1-254 or
nmap -sn 192.168.0.0/24

nmap -sn --traceroute google.com microsoft.com

Do keep in mind that most organizations block ICMP packets. To get around this, another option is the -Pn switch, which tells NMAP not to bother pinging the host before scanning it. Of course, the scan will then potentially take longer to complete.

nmap -Pn 192.168.0.1-254 or
nmap -Pn 192.168.0.0/24

If you are already on the local network, you can use ARP requests to determine which hosts are active:

C:\Users\XGoay>nmap -sP -PR 192.168.0.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2021-01-23 15:28 Malay Peninsula Standard Time
Nmap scan report for dlinkrouter (192.168.0.1)
Host is up (0.0046s latency).
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
Nmap scan report for 192.168.0.106
Host is up (0.16s latency).
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
Nmap scan report for 192.168.0.156
Host is up (0.12s latency).
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
Nmap scan report for 192.168.0.191
Host is up (0.095s latency).
MAC Address: xx:xx:xx:xx:xx:xx (TwinHan Technology)
Nmap scan report for 192.168.0.111
Host is up.
Nmap scan report for 192.168.0.160
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 17.85 seconds

  • -sP: Perform a ping only scan
  • -PR: ARP ping
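The scan report above is the human-readable format NMAP prints for a ping sweep. Below is an added example (not code from the original post or from the Nmap project) that parses that format into host records and compares the live hosts against a known-asset list, which is the defensive use of a ping sweep: spotting devices that should not be on the LAN, or a known address that now answers with a different MAC. The sample output, the inventory and the placeholder MAC addresses are constructed for the example; the line formats follow the report shown above. In practice, `-oX` (XML) is the more robust format to parse, but this block works on the normal output because that is what the post shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in nmap's normal-output format for a host-discovery scan
# (-sn / -sP). Addresses and MACs are placeholders, not real devices.
SAMPLE_OUTPUT = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2021-01-23 15:28 Malay Peninsula Standard Time
Nmap scan report for dlinkrouter (192.168.0.1)
Host is up (0.0046s latency).
MAC Address: 02:00:00:00:00:01 (Unknown)
Nmap scan report for 192.168.0.106
Host is up (0.16s latency).
MAC Address: 02:00:00:00:00:02 (Unknown)
Nmap scan report for 192.168.0.191
Host is up (0.095s latency).
MAC Address: 02:00:00:00:00:03 (TwinHan Technology)
Nmap scan report for 192.168.0.111
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 17.85 seconds
"""

# Constructed inventory: ip -> MAC we expect to see at that address.
# The scanning machine itself is listed without a MAC because nmap does not
# report a MAC (or latency) for its own address, as 192.168.0.111 shows.
KNOWN_ASSETS: Dict[str, Optional[str]] = {
    "192.168.0.1": "02:00:00:00:00:01",    # router
    "192.168.0.106": "02:00:00:00:00:ff",  # deliberately differs from the scan
    "192.168.0.111": None,                 # the scanner itself
}


@dataclass
class Host:
    ip: str
    hostname: Optional[str] = None
    latency_s: Optional[float] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None


# One regex per line type in the report. Hostname is optional: nmap prints
# "name (ip)" when reverse DNS succeeds and a bare "ip" otherwise.
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}) \((?P<vendor>[^)]*)\)$")
DONE_RE = re.compile(r"^Nmap done: (?P<total>\d+) IP addresses \((?P<up>\d+) hosts up\)")


def parse_ping_sweep(text: str) -> Tuple[List[Host], Optional[Tuple[int, int]]]:
    """Parse nmap normal output from a -sn scan.

    Returns the list of hosts reported up and the (addresses scanned, hosts up)
    pair from the summary line, or None if the summary line is missing.
    """
    hosts: List[Host] = []
    current: Optional[Host] = None
    summary: Optional[Tuple[int, int]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            current = Host(ip=m["ip"], hostname=m["name"])
            hosts.append(current)
            continue
        m = DONE_RE.match(line)
        if m:
            summary = (int(m["total"]), int(m["up"]))
            continue
        if current is None:
            continue  # banner lines before the first report
        m = UP_RE.match(line)
        if m:
            current.latency_s = float(m["lat"]) if m["lat"] else None
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m["mac"].lower()
            current.vendor = m["vendor"]
    return hosts, summary


def unknown_hosts(hosts: List[Host], inventory: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Flag live hosts missing from the inventory, or answering with an unexpected MAC."""
    findings: List[Tuple[str, str]] = []
    for h in hosts:
        if h.ip not in inventory:
            findings.append((h.ip, "not in inventory"))
            continue
        expected = inventory[h.ip]
        if expected is not None and h.mac is not None and h.mac != expected:
            findings.append((h.ip, f"MAC changed: expected {expected}, saw {h.mac}"))
    return findings


if __name__ == "__main__":
    live, done = parse_ping_sweep(SAMPLE_OUTPUT)
    print(f"{len(live)} hosts up, summary line reports {done}")
    for ip, reason in unknown_hosts(live, KNOWN_ASSETS):
        print(f"ALERT {ip}: {reason}")
```

Running the block prints one alert for 192.168.0.106 (MAC mismatch) and one for 192.168.0.191 (not in the inventory); the router and the scanner itself are silent. A MAC comparison only means something when the scan was run from the same broadcast domain, since the MAC line comes from ARP and is absent for hosts reached through a router.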
