Host Discovery

Host Discovery

At a Glance

One of the first steps during the network enumeration is to reduce a set of IPs into a list of active or interesting hosts. Depending on if you are inside the network or scanning remotely, how much noise you can make, and your discovery requirements, different tools, and options are available.



Passive discovery relies on monitoring network layer traffic to detect network topology, services, and applications.

As no packets are injected into the network, there is no risk of unintentional service disruption. It is also suitable for finding intermittently offered or protected services often missed by active scanning. 1

netdiscover - ARP 2

sudo netdiscover -p
  • -p: passive mode. It does not send anything, but does only sniff.

p0f - Fingerprinting 3

sudo p0f -p
  • -p: promiscuous mode; by default, it listens only to packet addressed or routed through. On IP-enabled interfaces can be detected remotely.

bettercap 4

net.recon on true


In contrast, active discovery does inject a variety of packets into the network.

It is well suited for open port discovery and fingerprinting. However, these techniques are not without drawbacks. Scans can be invasive, generate too much noise, and in some cases, cause service interruptions due to the type of packets sent.

netdiscover - ARP 2

sudo netdiscover -r
  • -r <range>: scan a given range instead of auto scan.


nmap -sn
  • -sn: No port scan AKA ping scan. 5 Consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default.

nbtscan - NetBIOS 6

sudo nbtscan

bettercap 7

net.probe on true


Refer to External ICMP Scanning



As defined in RFC 792, ICMP messages are typically used for diagnostic or control purposes or generated in response to errors in IP operations (as specified in RFC 1122).8 Although it is possible to use ICMP requests to discover if a host is up or not, it is common to find all these packets being filtered, making it an unreliable method.


ping -c 1
  • -c <count>: stops after count replies.

fping 9

fping -g
  • -g, --generate <target>: generates target list. target can be start and end IP or a CIDR address.


nmap -PEPM -sn -n
  • -PE; -PP; -PM: ICMP echo, timestamp, and netmask request discovery probes.
  • -sn: No port scan.
  • -n: No DNS resolution.

Port Discovery

Another commonly used technique is port scanning. It allows you to identify running services, consequently, interesting hosts. See Port Scanning.

  1. Whyte, David. Network Scanning Detection Strategies for Enterprise Networks. Sept. 2008, pp. 12-22 ↩︎

  2. “GitHub - Netdiscover-Scanner/Netdiscover: Netdiscover, ARP Scanner (Official Repository).” GitHub, ↩︎

  3. Zalewski, Michal. “P0f V3.” [Lcamtuf.Coredump.Cx], ↩︎

  4. “Bettercap:: Net.Recon.” Bettercap, ↩︎

  5. “Host Discovery | Nmap Network Scanning.” Nmap: The Network Mapper - Free Security Scanner, ↩︎

  6. “NETBIOS Nameserver Scanner.” Steve Friedl’s Home Page, ↩︎

  7. “Bettercap:: Net.Probe.” Bettercap, ↩︎

  8. Forouzan, Behrouz A. Data Communications and Networking. Huga Media, 2007, pp. 621–630. ↩︎

  9. Schweikert, David. “Fping.” Fping Homepage, ↩︎