Host Discovery

Two steps to basic network reconnaissance.

- Host Discovery
- Service Discovery (Port Scanning)


Host Discovery

  • First step of network recon. The goal is to reduce a large set of IP ranges to a list of active or interesting hosts (a single /8 alone holds 16,777,214 usable addresses, far too many to port scan blindly).
  • Port scanning is loud and also expensive in time and resources. The more targets, the more chances of being caught by an IDS.
  • Narrowing down too stringently can miss interesting targets; narrowing down too liberally leaves a large set of machines to scan. Strike a balance based on the requirements of the engagement.

TCP SYN Ping

  • Send an empty TCP packet with only the SYN bit set (port 80 is a common choice because it is rarely filtered)
  • A SYN/ACK (port open) or a RST (port closed) in response both indicate that the machine is up and running; no response means the host is down or the probe was filtered
>>> ans,unans=sr( IP(dst="192.168.1.*")/TCP(dport=80,flags="S") )
>>> ans.summary( lambda s,r : r.sprintf("%IP.src% is alive") )

TCP ACK Ping

  • Send an empty TCP packet with only the ACK bit set
  • An unsolicited ACK must be answered with a RST whether the port is open or closed, which reveals the machine
  • SYN ping and ACK ping might seem redundant, but many stateless firewalls drop unsolicited SYNs while passing ACKs (they cannot tell a probe from an established connection; a stateful firewall, by contrast, drops ACKs that belong to no known connection), so it is better to use both ping techniques
>>> ans, unans = sr(IP(dst='')/TCP(dport=80, flags='A'))
Begin emission:
Finished to send 7 packets.
Received 25 packets, got 1 answers, remaining 6 packets
>>> ans.summary(lambda s, r: r.sprintf('{IP: %IP.src% is alive}'))
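The SYN and ACK pings above, built by hand instead of with Scapy, as an added example that is not part of the original course material. It uses only the Python standard library: it assembles the IPv4 and TCP headers with correct checksums (including the TCP pseudo-header), generates one probe per host of a /24, and classifies replies the way the text describes (SYN/ACK or RST from the target aimed at our source port means alive; anything else is ignored). The addresses, the source port 40000 and the helper names are assumptions made for the example; sending the packets needs a raw socket and root, so that part is shown but not run.

```python
import ipaddress
import socket
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP, TCP, UDP and ICMP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_probe(src, dst, dport, flags, sport=40000, seq=0, ttl=64) -> bytes:
    """IPv4 + TCP header with no payload: a SYN ping (flags=TCP_SYN) or ACK ping (flags=TCP_ACK)."""
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    # IPv4: ver/ihl, tos, total length, id, DF flag, ttl, proto 6 (TCP), checksum 0, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # TCP: sport, dport, seq, ack, data offset 5 words, flags, window, checksum 0, urgent ptr
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)
    # The TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length) plus the segment
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp_hdr))
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def verify_checksums(packet: bytes) -> bool:
    """A correct header sums to zero when the checksum field itself is included."""
    ihl = (packet[0] & 0x0F) * 4
    segment = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, packet[9], len(segment))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + segment) == 0


def build_sweep(src, network, dport=80, flags=TCP_SYN):
    """One probe per host address of `network`; hosts() skips network and broadcast, so a /24 gives 254."""
    return [(str(h), build_probe(src, str(h), dport, flags))
            for h in ipaddress.ip_network(network).hosts()]


def classify_tcp_reply(packet: bytes, probe_dst: str, probe_sport: int = 40000):
    """Return 'alive' if `packet` is a SYN/ACK or RST from probe_dst aimed at our probe's source port.

    Any other TCP segment (stray traffic, replies from other hosts, a bare ACK) is ignored;
    silence is reported by the caller as 'no answer', which is not the same as 'down'.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:ihl + 20]
    if len(tcp) < 20 or str(ipaddress.IPv4Address(packet[12:16])) != probe_dst:
        return None
    sport, dport, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", tcp[:14])
    if dport != probe_sport:
        return None
    if flags & TCP_RST or (flags & TCP_SYN and flags & TCP_ACK):
        return "alive"
    return None


def send_probe(packet: bytes, dst: str) -> None:
    """Put the hand-built packet on the wire (root / CAP_NET_RAW required; not used by the checks)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    # Constructed example: SYN ping 192.168.1.0/24 from 192.168.1.10 and classify a fake RST reply.
    probes = build_sweep("192.168.1.10", "192.168.1.0/24")
    print(len(probes), "probes, first one has valid checksums:", verify_checksums(probes[0][1]))
    fake_rst = build_probe("192.168.1.20", "192.168.1.10", 40000, TCP_RST, sport=80)
    print("192.168.1.20 ->", classify_tcp_reply(fake_rst, "192.168.1.20"))
```

Switching the ACK ping on is just `build_sweep(..., flags=TCP_ACK)`; the classifier is unchanged because a RST is the only legitimate answer to either probe from a closed port. Note that when the kernel sees a SYN/ACK for a connection it never opened, it sends the RST for you, so the SYN ping leaves no half-open connection behind.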

UDP Ping

  • Send a UDP packet to the given ports, with or without a payload; a protocol-specific payload makes the scan more effective
  • Choose a port that is most likely closed: an open UDP port may receive the empty packet and simply ignore it, which looks exactly like a filtered port
  • An ICMP port unreachable (type 3, code 3) from the target signifies that the machine is up

IP Protocol ping

  • Send multiple packets with different protocol numbers set in their IP header (e.g. ICMP, IGMP, TCP, UDP), appending the proper protocol header for each
  • Look for either a response using the same protocol as the probe, or an ICMP protocol unreachable (type 3, code 2) from the target; either response signifies that the machine is alive

ARP Ping

  • ARP ping is employed when discovering active hosts on the same LAN (broadcast domain); ARP requests do not cross routers
  • Faster and more reliable because it operates at Layer 2 using only ARP: any IPv4 host must answer ARP to communicate at all, and host firewalls almost never filter it
  • ARP is the backbone protocol for any Layer 2 IPv4 communication, so always employ ARP ping when discovering hosts on the local network
  • ARP doesn't exist in the IPv6 standard. For the equivalent, use Neighbor Discovery Protocol (ICMPv6 Neighbor Solicitation/Advertisement) techniques instead.
>>> ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=""),timeout=2)
Begin emission:
Finished to send 256 packets.
Received 2 packets, got 2 answers, remaining 254 packets
>>> ans.summary(lambda s,r: r.sprintf("%Ether.src% %ARP.psrc%") )
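The ARP sweep above done by hand, as an added example that is not part of the original course material and uses only the Python standard library. It encodes the Ethernet II frame and the RFC 826 ARP packet field by field (which is what the `Ether()/ARP()` line hides), generates one who-has per host of the subnet, and parses is-at replies into (MAC, IP) pairs, counting only replies for addresses that were actually probed so that gratuitous or spoofed replies are not mistaken for discovered hosts. The interface, MAC addresses and subnet are assumptions for the example; the Linux AF_PACKET send needs root and is shown but not run.

```python
import ipaddress
import socket
import struct

ETH_P_ARP = 0x0806
ETH_BROADCAST = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_arp(op, src_mac, src_ip, dst_mac, dst_ip) -> bytes:
    """Ethernet II frame carrying an ARP packet (RFC 826): 14 + 28 = 42 bytes."""
    # A request goes to the broadcast MAC; a reply is unicast back to the asker.
    eth_dst = ETH_BROADCAST if op == ARP_REQUEST else mac_bytes(dst_mac)
    eth = eth_dst + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    # htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(src_mac) + ipaddress.IPv4Address(src_ip).packed
    # In a request the target MAC is the unknown we are asking for, so it is all zeros.
    arp += (b"\x00" * 6 if op == ARP_REQUEST else mac_bytes(dst_mac))
    arp += ipaddress.IPv4Address(dst_ip).packed
    return eth + arp


def build_arp_sweep(src_mac, src_ip, network):
    """One who-has per host of the local subnet; hosts() skips network and broadcast (254 for a /24)."""
    return [(str(h), build_arp(ARP_REQUEST, src_mac, src_ip, None, str(h)))
            for h in ipaddress.ip_network(network).hosts()]


def parse_arp_reply(frame: bytes, targets):
    """Return (mac, ip) when `frame` is an ARP is-at for an address we asked about, else None.

    Replies for addresses we never probed (gratuitous ARP, spoofed answers) are ignored
    rather than counted as discovered hosts.
    """
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sender_mac, sender_ip = mac_str(frame[22:28]), str(ipaddress.IPv4Address(frame[28:32]))
    if sender_ip not in targets:
        return None
    return sender_mac, sender_ip


def discovered_hosts(frames, targets):
    """Map IP -> MAC for every valid reply in a capture."""
    found = {}
    for frame in frames:
        hit = parse_arp_reply(frame, targets)
        if hit:
            found[hit[1]] = hit[0]
    return found


def send_frames(iface, frames):
    """Linux only: raw AF_PACKET send (root / CAP_NET_RAW). Not exercised by the checks."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        for _ip, frame in frames:
            s.send(frame)


if __name__ == "__main__":
    # Constructed sample: sweep 192.168.1.0/24 and feed in one fake reply from .20.
    sweep = build_arp_sweep("02:00:00:00:00:01", "192.168.1.10", "192.168.1.0/24")
    targets = {ip for ip, _ in sweep}
    reply = build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:20", "192.168.1.20",
                      "02:00:00:00:00:01", "192.168.1.10")
    print(discovered_hosts([reply], targets))   # {'192.168.1.20': 'aa:bb:cc:dd:ee:20'}
```

Because the frame is addressed to the broadcast MAC and carries no IP header, nothing above Layer 2 gets a chance to filter it, which is why the text calls ARP ping the most reliable choice on a local segment.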

ICMP Ping

  • An ICMP scan involves the standard packets sent by the ubiquitous ping program
  • Send an ICMP type 8 (echo request) packet to the target IP; an ICMP type 0 (echo reply) indicates that the target is alive
  • Unfortunately, many hosts and firewalls now block echo requests, so a basic ICMP scan on its own is unreliable
  • ICMP also supports timestamp request (type 13, answered by type 14) and address mask request (type 17, answered by type 18), which can reveal the availability of a machine when echo is filtered
>>> ans,unans=sr(IP(dst="")/ICMP())
Begin emission:
Finished to send 12 packets.
Received 170 packets, got 1 answers, remaining 11 packets
>>> ans.summary( lambda s,r : r.sprintf("{IP: %IP.src% is alive}") )
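Three of the techniques above (UDP ping, IP protocol ping and ICMP ping) are all decided by reading ICMP replies, so here is one classifier for all of them, as an added example that is not part of the original course material and uses only the Python standard library. It accepts echo, timestamp and address-mask replies, and the port-unreachable and protocol-unreachable errors, but only when the error comes from the probed host itself and quotes our own probe; a host-unreachable from an intermediate router, which also arrives as ICMP type 3, is rejected because it proves nothing about the target. The capture is constructed inline (addresses, port 40125, protocol 47 and the helper names are assumptions); checksums are left zero in the samples because the classifier does not verify them.

```python
import ipaddress
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_TIMESTAMP_REPLY, ICMP_MASK_REPLY = 0, 3, 14, 18
CODE_HOST_UNREACH, CODE_PROTO_UNREACH, CODE_PORT_UNREACH = 1, 2, 3
PROTO_ICMP, PROTO_UDP = 1, 17


def parse_ipv4(packet: bytes):
    """Split a raw IPv4 packet into (src, dst, proto, payload); None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


def classify_icmp_reply(packet, probe_src, probe_dst, probe_proto, probe_port=None):
    """Decide whether `packet` proves probe_dst is alive; return the reason, else None.

    Direct replies (echo / timestamp / mask) and the two unreachable errors that only the
    destination host itself generates (port, protocol) count. Errors from any other
    address, such as a router's host-unreachable, do not.
    """
    parsed = parse_ipv4(packet)
    if parsed is None:
        return None
    src, dst, proto, icmp = parsed
    if proto != PROTO_ICMP or dst != probe_src or src != probe_dst or len(icmp) < 8:
        return None
    icmp_type, code = icmp[0], icmp[1]
    direct = {ICMP_ECHO_REPLY: "echo reply", ICMP_TIMESTAMP_REPLY: "timestamp reply",
              ICMP_MASK_REPLY: "address mask reply"}
    if icmp_type in direct:
        return direct[icmp_type]
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    # ICMP errors quote the offending IP header plus the first 8 bytes of its payload;
    # that is how we tie the error to the probe we sent and reject unrelated errors.
    inner = parse_ipv4(icmp[8:])
    if inner is None or inner[:3] != (probe_src, probe_dst, probe_proto):
        return None
    inner_payload = inner[3]
    if code == CODE_PORT_UNREACH and probe_proto == PROTO_UDP and len(inner_payload) >= 4:
        if struct.unpack("!H", inner_payload[2:4])[0] == probe_port:   # UDP dport at offset 2
            return "port unreachable"
    if code == CODE_PROTO_UNREACH:
        return "protocol unreachable"
    return None


def alive_hosts(packets, probe_src, targets, probe_proto, probe_port=None):
    """Run the classifier over a capture and map each discovered target to its evidence."""
    found = {}
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr and hdr[0] in targets:
            reason = classify_icmp_reply(pkt, probe_src, hdr[0], probe_proto, probe_port)
            if reason:
                found[hdr[0]] = reason
    return found


def make_ipv4(src, dst, proto, payload, ttl=64):
    """IPv4 header for constructed samples only (checksum left 0; real captures are kernel-checked)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def make_icmp(icmp_type, code, data=b""):
    """ICMP header (checksum and the id/seq or unused word left 0) followed by `data`."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + data


# Constructed sample capture: we probed 10.0.0.5 and 10.0.0.6 from 10.0.0.1.
UDP_PROBE = make_ipv4("10.0.0.1", "10.0.0.5", PROTO_UDP, struct.pack("!HHHH", 40000, 40125, 8, 0))
SAMPLES = {
    # UDP ping to closed port 40125: the target itself says port unreachable -> alive
    "port_unreach": make_ipv4("10.0.0.5", "10.0.0.1", PROTO_ICMP,
                              make_icmp(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, UDP_PROBE)),
    # IP protocol ping with protocol 47: protocol unreachable from the target -> alive
    "proto_unreach": make_ipv4("10.0.0.5", "10.0.0.1", PROTO_ICMP,
                               make_icmp(ICMP_DEST_UNREACH, CODE_PROTO_UNREACH,
                                         make_ipv4("10.0.0.1", "10.0.0.5", 47, b"\x00" * 8))),
    # Echo reply to an ICMP ping -> alive
    "echo_reply": make_ipv4("10.0.0.6", "10.0.0.1", PROTO_ICMP, make_icmp(ICMP_ECHO_REPLY, 0)),
    # Host unreachable from router 10.0.0.254 quoting our UDP probe -> no evidence of life
    "router_error": make_ipv4("10.0.0.254", "10.0.0.1", PROTO_ICMP,
                              make_icmp(ICMP_DEST_UNREACH, CODE_HOST_UNREACH, UDP_PROBE)),
}

if __name__ == "__main__":
    print(alive_hosts(SAMPLES.values(), "10.0.0.1", {"10.0.0.5", "10.0.0.6"}, PROTO_UDP, 40125))
```

The quoted inner header is the important check in practice: on a busy network you will capture unreachable errors that belong to other people's traffic, and matching the quoted source, destination, protocol and UDP port to the probe you sent is what keeps them out of your host list.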

Exercise time - network sweeping

Please solve Exercise 1 - Misc exercises