Nmap: The Basics
Medium
Master Nmap, the industry-standard network scanning tool used by security professionals for network discovery and security auditing. Learn how to discover live hosts, enumerate open ports, detect running services, and identify operating systems on target systems.
Tasks: 3 total
Host discovery is the first phase of any network reconnaissance, where you identify which IP addresses on a network are actively in use. Nmap's ping scan (-sn flag) performs this task by sending various probe types to determine if hosts are online without performing a full port scan. This is faster than port scanning and less likely to trigger intrusion detection systems, making it ideal for initial network mapping.
The ping scan doesn't just send ICMP echo requests like the traditional ping command. By default, Nmap uses multiple techniques: ICMP echo requests, TCP SYN packets to port 443, TCP ACK packets to port 80, and an ICMP timestamp request. This multi-pronged approach increases the chance of detecting live hosts, as many firewalls block ICMP but allow certain TCP traffic. The scan reports which hosts responded, giving you a list of active targets for further investigation.
Host discovery can be customized based on your needs and network conditions. The '-Pn' flag skips host discovery entirely and assumes all hosts are online, useful when you know hosts are up but blocking ping probes. Conversely, '-PR' uses ARP requests for discovery on local networks, which is faster and more reliable than IP-level probes since ARP typically can't be blocked on the same network segment.
Understanding host discovery is crucial for both offensive and defensive security. Attackers use it to map networks before launching attacks, while defenders use it to inventory their network assets and identify unauthorized devices. System administrators rely on host discovery for network management and troubleshooting. The ability to efficiently discover and map network hosts is a fundamental skill for anyone working with network security or administration.
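The defensive use above, turning a ping scan into an asset-inventory check, as an added example that is not part of this module: it parses the greppable output (-oG) of an Nmap -sn scan and reports live hosts that are absent from a known-asset list. The sample scan output and the KNOWN_ASSETS set are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample of Nmap greppable output from "nmap -sn -oG -"; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.23 ()\tStatus: Down
Host: 192.168.1.77 (printer.lan)\tStatus: Up
# Nmap done at Mon Jan  1 10:00:03 2024 -- 256 IP addresses (3 hosts up) scanned in 2.50 seconds
"""

# Hypothetical asset inventory: the addresses we expect to see on this segment.
KNOWN_ASSETS = {"192.168.1.1", "192.168.1.10"}

# One greppable host line: "Host: <ip> (<name>)<tab>Status: <Up|Down>"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_live_hosts(gnmap_text):
    """Return {ip: hostname_or_None} for every host Nmap reported as Up."""
    live = {}
    for line in gnmap_text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue  # skips the "# Nmap ..." comment lines
        ip, hostname, status = match.groups()
        if status.lower() == "up":
            live[ip] = hostname or None
    return live


def find_unknown_hosts(live_hosts, known_assets):
    """Live addresses that are not in the inventory, sorted numerically."""
    unknown = set(live_hosts) - set(known_assets)
    return sorted(unknown, key=ip_address)


if __name__ == "__main__":
    live = parse_live_hosts(SAMPLE_GNMAP)
    for ip in find_unknown_hosts(live, KNOWN_ASSETS):
        print(f"unexpected live host: {ip} ({live[ip] or 'no name'})")
```

Feed it real output with `nmap -sn -oG - <range> > scan.gnmap` and diff the result against your CMDB export to surface devices nobody registered.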
What Nmap flag performs a ping scan to discover live hosts?