
02. Host Discovery with Nmap

1. Nmap - Host Discovery

Command:

nmap -sn <IP Address or Range>

Explanation:
The -sn option tells Nmap to perform a "ping scan": it discovers live hosts without running a port scan. Against remote targets it sends ICMP echo requests and other probe packets to work out which hosts are up; on a local Ethernet segment a privileged scan uses ARP requests instead, so hosts that drop ICMP are still found there.

Options:

  • <IP Address>: A single IP address to scan.
  • <IP Range>: A range of IPs (e.g., 192.168.1.1-254) or subnet (e.g., 192.168.1.0/24).

Example:

nmap -sn 192.168.0.0/24

Output:
Lists all active hosts on the 192.168.0.0/24 subnet.

Use Case:
This is useful when you only want to identify which devices are online without probing for open ports.


2. Netdiscover - ARP-based Network Discovery

Command:

netdiscover -i eth0 -r 192.168.0.1/24

Explanation:
Netdiscover is a network reconnaissance tool that identifies live hosts on a network using ARP (Address Resolution Protocol). It is effective on local networks and detects devices even when ICMP (ping) is disabled.

Options:

  • -i eth0: Specifies the network interface to use (eth0 in this example).
  • -r 192.168.0.1/24: Specifies the range or subnet to scan (CIDR notation).

Example:

netdiscover -i wlan0 -r 10.0.0.1/24

Output:
Displays a table with:

  • IP Address: The discovered host's IP.
  • MAC Address: Hardware address of the device.
  • Vendor: Manufacturer of the device based on the MAC address.

Use Case:
Netdiscover is particularly useful for passive or active host discovery in environments where ICMP or other probes are blocked.


Comparison: Nmap vs. Netdiscover

Feature          Nmap -sn                                                          Netdiscover
---------------  ----------------------------------------------------------------  ---------------------------------------
Purpose          General-purpose host discovery                                    ARP-based host discovery
Protocol Used    ICMP, ARP, or other probes                                        ARP
Environment      Works on any network (local or remote)                            Works on local networks only
Output Details   IP addresses of live hosts (MAC and vendor too on a local          IP, MAC addresses, and device vendors
                 segment when run with privileges)
Use Case         Identify active hosts in a wide network                           Identify devices on a local network

Practical Scenarios

  1. Scan a Local Subnet for Active Devices:

    nmap -sn 192.168.1.0/24

    Result: Identifies all live hosts in the 192.168.1.0/24 subnet.

  2. Detect Devices on a WiFi Network:

    netdiscover -i wlan0 -r 192.168.0.0/24

    Result: Lists all devices connected to the WiFi network, including their IPs and MAC addresses.


Key Points

  1. Nmap: More versatile and works on local and remote networks. Best for network mapping and host discovery.
  2. Netdiscover: Simple and effective for discovering devices on a local network using ARP. Ideal for environments with restricted protocols.
  3. Combination: Using both tools provides a comprehensive view of active devices in a network.
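As an added example that is not part of these notes: a small Python script that parses the normal output of `nmap -sn` and the table that netdiscover prints, then reconciles the two views against a list of known MAC addresses, so a defender can spot hosts that only answered ARP (missed by the nmap run) and devices that are not in the asset inventory. The two sample outputs and the known-MAC set are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of `nmap -sn 192.168.0.0/24` normal output (not a real scan).
NMAP_SN_OUTPUT = """\
Nmap scan report for 192.168.0.1
Host is up (0.0010s latency).
MAC Address: 00:11:22:33:44:55 (Example Vendor)
Nmap scan report for printer.lan (192.168.0.20)
Host is up (0.0020s latency).
MAC Address: 66:77:88:99:AA:BB (Example Printer Co)
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.50 seconds
"""

# Constructed netdiscover table: .55 answers ARP but was missed by the nmap run.
NETDISCOVER_OUTPUT = """\
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.1     00:11:22:33:44:55      1      60  Example Vendor
 192.168.0.20    66:77:88:99:aa:bb      1      60  Example Printer Co
 192.168.0.55    de:ad:be:ef:00:01      1      60  Unknown vendor
"""

NMAP_HOST = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
NMAP_MAC = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
ND_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f:]{17})\s")

def parse_nmap_sn(text: str) -> dict[str, str]:
    """IP -> lower-case MAC ('' when nmap printed none, e.g. an unprivileged run)."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := NMAP_HOST.match(line):
            current = m.group(1)
            hosts[current] = ""
        elif (m := NMAP_MAC.match(line)) and current:
            hosts[current] = m.group(1).lower()
    return hosts

def parse_netdiscover(text: str) -> dict[str, str]:
    """IP -> lower-case MAC from netdiscover's table rows (header lines are skipped)."""
    return {m.group(1): m.group(2).lower() for m in map(ND_ROW.match, text.splitlines()) if m}

def reconcile(nmap_hosts: dict, arp_hosts: dict, known_macs: set) -> dict[str, list]:
    """Merge both views: hosts only ARP found, and MACs missing from the asset list."""
    by_ip = ipaddress.ip_address
    arp_only = sorted(set(arp_hosts) - set(nmap_hosts), key=by_ip)
    merged = {**nmap_hosts, **arp_hosts}              # ARP view wins when both have a MAC
    unknown = sorted((ip for ip, mac in merged.items() if mac and mac not in known_macs), key=by_ip)
    return {"arp_only": arp_only, "unknown_mac": unknown}
```

Feed it the saved output of a real `nmap -sn` run and a netdiscover capture (for example from `netdiscover -P`) and a MAC list exported from your asset inventory; anything in `arp_only` or `unknown_mac` is worth a second look.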

These tools are essential in network reconnaissance and security auditing to identify active hosts and potential targets. Always ensure ethical and legal use.