NMAP (Part 4): Network Scanning
This article is part of a series. Check out the full series: Part 1: Port Scanning Responses, Part 2: Basic Port Scanning Types, Part 3: Other Port Scanning Types, Part 4: Network Scanning, Part 5: Firewall Evasion Options and Part 6: NSE Scripts!
For network scanning, we can use a ping sweep to see which IP addresses have active hosts behind them and which do not.
This is done with the NMAP -sn option, which tells NMAP to skip the port scan after host discovery.
By default, -sn sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. When a privileged user scans a local Ethernet network, ARP requests are used instead, unless --send-ip is specified.
nmap -sn 192.168.0.1-254 or
nmap -sn 192.168.0.0/24
nmap -sn --traceroute google.com microsoft.com
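Seen from the defender's side, the default -sn probe set described above (ICMP echo, ICMP timestamp, SYN/443, ACK/80) is a recognisable signature when one source sends it to many destinations in a short time. The following is an added example, not code from the original article or from the Nmap project: it runs a simple sweep detector over constructed flow records (the Flow record layout, the field names and the sample addresses are all assumptions made for the example). A SYN to port 443 on its own is ordinary browser traffic, so the detector alerts only on the number of distinct targets probed inside a time window.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    """One flow record (assumed layout for this example, not a real log format)."""
    ts: float     # seconds since some epoch
    src: str
    dst: str
    proto: str    # "tcp" or "icmp"
    dport: int    # TCP destination port; 0 for ICMP
    detail: str   # TCP flags ("S" for SYN, "A" for ACK) or ICMP type ("8", "13")


def is_sn_probe(f: Flow) -> bool:
    """True if the flow matches one of the four default `nmap -sn` probes."""
    if f.proto == "icmp":
        return f.detail in ("8", "13")          # echo request, timestamp request
    if f.proto == "tcp":
        return (f.dport == 443 and f.detail == "S") or (f.dport == 80 and f.detail == "A")
    return False


def detect_ping_sweeps(flows: List[Flow], min_targets: int = 10,
                       window_s: float = 60.0) -> Dict[str, Set[str]]:
    """Return {source: targets} for sources that probed >= min_targets distinct
    destinations with -sn style probes inside any window of window_s seconds."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if is_sn_probe(f):
            by_src[f.src].append(f)

    alerts: Dict[str, Set[str]] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda x: x.ts)
        best: Set[str] = set()
        i = 0
        for j in range(len(fl)):             # sliding window [i, j] over time
            while fl[j].ts - fl[i].ts > window_s:
                i += 1
            targets = {x.dst for x in fl[i:j + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            alerts[src] = best
    return alerts


def constructed_sample() -> List[Flow]:
    """Constructed traffic: one sweeper hitting 20 hosts, plus a benign client."""
    flows: List[Flow] = []
    t = 0.0
    for n in range(1, 21):                   # sweeper 10.0.0.5 probes 10.0.0.1-20
        dst = f"10.0.0.{n}"
        flows += [
            Flow(t, "10.0.0.5", dst, "icmp", 0, "8"),
            Flow(t, "10.0.0.5", dst, "tcp", 443, "S"),
            Flow(t, "10.0.0.5", dst, "tcp", 80, "A"),
            Flow(t, "10.0.0.5", dst, "icmp", 0, "13"),
        ]
        t += 0.2
    # Benign client: a few HTTPS connections to three servers, hours apart
    for n, ts in ((30, 100.0), (31, 5000.0), (32, 9000.0)):
        flows.append(Flow(ts, "10.0.0.9", f"10.0.0.{n}", "tcp", 443, "S"))
    return flows


if __name__ == "__main__":
    for src, targets in detect_ping_sweeps(constructed_sample()).items():
        print(f"possible host-discovery sweep from {src}: {len(targets)} targets")
```

Note the limit this page itself points out: on the local Ethernet segment a privileged scan uses ARP rather than these IP probes, so ARP-based discovery never appears in IP flow records and has to be watched at layer 2 instead.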
Do keep in mind that most organizations block ICMP packets. To get around this, another option is the -Pn option, which tells NMAP not to ping the host at all before scanning it. But, of course, the scan will potentially take longer to complete.
nmap -Pn 192.168.0.1-254 or
nmap -Pn 192.168.0.0/24
If you are already on the local network, you can use ARP requests to determine which hosts are active:
C:\Users\XGoay>nmap -sP -PR 192.168.0.0/24
Starting Nmap 7.60 ( https://nmap.org ) at 2021-01-23 15:28 Malay Peninsula Standard Time
Nmap scan report for dlinkrouter (192.168.0.1)
Host is up (0.0046s latency).
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
Nmap scan report for 192.168.0.106
Host is up (0.16s latency).
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
Nmap scan report for 192.168.0.156
Host is up (0.12s latency).
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
Nmap scan report for 192.168.0.191
Host is up (0.095s latency).
MAC Address: xx:xx:xx:xx:xx:xx (TwinHan Technology)
Nmap scan report for 192.168.0.111
Host is up.
Nmap scan report for 192.168.0.160
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 17.85 seconds
- -sP: Perform a ping-only scan (the older name for -sn, still accepted as an alias)
- -PR: ARP ping
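A sweep like the one above is most useful when its result is turned into an inventory that can be compared against what is supposed to be on the segment. The following is an added example, not code from the article or from the Nmap project: it parses the normal-format output of `nmap -sn` into host records (IP, hostname, latency, MAC, vendor), checks that the parsed count matches the "Nmap done" summary line, and lists hosts that are not in a known-asset list. The sample output is constructed to mirror the run shown above, with MAC addresses masked as in the article; the `known_ips` set is an assumption made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: normal-format `nmap -sn` output, shaped like the run above.
SAMPLE_OUTPUT = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2021-01-23 15:28 Malay Peninsula Standard Time
Nmap scan report for dlinkrouter (192.168.0.1)
Host is up (0.0046s latency).
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
Nmap scan report for 192.168.0.106
Host is up (0.16s latency).
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
Nmap scan report for 192.168.0.191
Host is up (0.095s latency).
MAC Address: xx:xx:xx:xx:xx:xx (TwinHan Technology)
Nmap scan report for 192.168.0.111
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 17.85 seconds
"""


@dataclass
class Host:
    ip: str
    hostname: Optional[str] = None
    latency_s: Optional[float] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None


# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[\d.]+)\)?$")
# "Host is up (0.16s latency)." or just "Host is up." (no latency, e.g. the scanner itself)
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>\S{17}) \((?P<vendor>.+)\)$")
DONE_RE = re.compile(r"^Nmap done: \d+ IP addresses \((?P<up>\d+) hosts? up\)")


def parse_sn_output(text: str) -> List[Host]:
    """Turn normal-format -sn output into a list of Host records."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = Host(ip=m.group("ip"), hostname=m.group("name"))
            hosts.append(current)
            continue
        if current is None:
            continue
        m = UP_RE.match(line)
        if m:
            if m.group("lat") is not None:
                current.latency_s = float(m.group("lat"))
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m.group("mac")
            current.vendor = m.group("vendor")
    return hosts


def summary_up_count(text: str) -> Optional[int]:
    """Host count from the 'Nmap done' line; used to sanity-check the parser."""
    for line in text.splitlines():
        m = DONE_RE.match(line)
        if m:
            return int(m.group("up"))
    return None


def unexpected_hosts(hosts: List[Host], known_ips: Set[str]) -> List[Host]:
    """Live hosts whose IP is not in the asset list."""
    return [h for h in hosts if h.ip not in known_ips]


if __name__ == "__main__":
    hosts = parse_sn_output(SAMPLE_OUTPUT)
    assert len(hosts) == summary_up_count(SAMPLE_OUTPUT), "parser missed a host block"
    known_ips = {"192.168.0.1", "192.168.0.111"}        # assumed asset list
    for h in unexpected_hosts(hosts, known_ips):
        print(f"unknown host {h.ip} vendor={h.vendor or '?'} latency={h.latency_s}")
```

For real use, feed it the saved normal output (`nmap -sn -oN sweep.txt ...`) rather than pasted terminal text; the structure of the report blocks is the same. Two entries above have no MAC line and no latency figure, which is what Nmap prints for hosts it did not reach via ARP (the scanning machine itself is the usual case), so the parser leaves those fields as None instead of failing.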