How to find live hosts on my network?

  • I am trying to find the live hosts on my network using nmap. I am scanning the network in Ubuntu using the command `sudo nmap -sP 192.168.2.1/24`. However, I am unable to find the live hosts. I just get the network address of my own PC as live. When I see the DHCP client list through my browser (my router can be accessed via browser using my network IP), I get around 10 live hosts on the network. Can anyone tell me the reason why this could be happening and how do I find the live hosts on my network?

    I usually do this `nmap -sn 192.168.2.0/24`, sn= disable port scan.

    @HamZaDzCyberDeV Yes, `-sn` is the new standard argument, but it used to be `-sP`, so @TheRookierLearner's command should still work.

    `nmap -PR 10.0.1.0/24 -sn` will perform an ARP sweep of the network. NMAP's website has detailed information on nmap host discovery. I highly recommend you use this as a reference.

    @NadeemDouba `nmap` will automatically detect when it's on a LAN and choose an ARP sweep for its probes. This will be the case even if the user specifies different probes types like `-PE` or `-PS`. In other words, the `-PR` is unnecessary if the OP is actually on the LAN.

    Just want to note that running nmap without `sudo` can give fewer results than expected, see https://security.stackexchange.com/q/74493/124138.

  • Shurmajee (Correct answer)

    8 years ago

    This is the simplest way of performing host discovery with nmap.

    nmap -sP 192.168.2.1/24
    

    Why does it not work all the time?

    When this command runs, nmap tries to ping the given IP address range to check if the hosts are alive. If ping fails, it tries to send SYN packets to port 80 (SYN scan). This is not hundred percent reliable because modern host-based firewalls block ping and port 80. Windows firewall blocks ping by default. The hosts you have on the network are blocking ping and port 80 is not accepting connections. Hence nmap assumes that the host is not up.

    So is there a workaround to this problem?

    Yes. One of the options that you have is using the `-P0` flag, which skips the host discovery process and tries to perform a port scan on all the IP addresses (in this case even vacant IP addresses will be scanned). Obviously this will take a large amount of time to complete the scan even if you are in a small (20-50 hosts) network, but it will give you the results.

    The better option would be to specify custom ports for scanning. Nmap allows you to probe specific ports with SYN/UDP packets. It is generally recommended to probe commonly used ports, e.g. TCP-22 (SSH) or TCP-3389 (Windows Remote Desktop) or UDP-161 (SNMP).

    sudo nmap -sP -PS22,3389 192.168.2.1/24 #custom TCP SYN scan
    sudo nmap -sP -PU161 192.168.2.1/24 #custom UDP scan
    

    N.B. even after specifying custom ports for scanning you may not get an active host. A lot depends on how the host is configured and which services it is using. So you just have to keep probing with different combinations. Remember, do not perform scans on a network without proper authorization.

    update: When scanning a network you can never be sure that a particular command will give you all the desired results. The approach should be to start with a basic ping sweep and, if it doesn't work, try guessing the applications that may be running on the hosts and probe the corresponding ports. The idea of using Wireshark is also interesting. You may want to try sending ACK packets.

    nmap -sP -PA21,22,25,3389 192.168.2.1/24 #21 is used by ftp
    

    update two: The flags `-sP` and `-P0` are now known as `-sn` and `-Pn` respectively. However, the older flags are still found to be working in the newer versions.

    Although I believe that this is due to the firewall blocking the ping scans, the above commands didn't help. Even the `-P0` flag didn't work.

    I really don't know what's happening but the command `nmap -sP -PS 192.168.2.1/24` is working (the above command is also working; so answer accepted) and that too under Windows. I don't know what's wrong with Ubuntu. Maybe I need to check the `iptables`.

    One thing that's worth noting is that when you're in the same broadcast domain as the hosts you're scanning, nmap uses ARP instead of ICMP/SYN scanning.

    `-P0` does **not** "try to scan all the ports of a system to check if it is up." Instead, it **skips host discovery**, reporting *everything* as up, and performing whatever port scans you have requested on every IP. Also, as @RoryMcCune notes, Nmap should send ARP requests for this type of scan. Use `nmap --iflist` to check what Nmap thinks about your routing table; it's possible that it is confused and not sending the right probes. If you can't get an ARP reply from an IP, you can't send a TCP or UDP packet, either.

    I guess what @Mayank-Sharma meant was not `-P0` but was `-PO`, which sends IGMP, ICMP and IP-in-IP packets and does not scan all the ports. However, I'm not sure.

    My apologies. I made a mistake in framing the sentence. I have updated the answer as suggested by @bonsaiviking.

    @TheRookierLearner This sort of confusion is why `-P0` was deprecated for `-Pn` to mean the same thing.

    This answer has some errors... for example, this: `If ping fails it tries to send syn packets to port 80 (SYN scan)`. It doesn't work like one after the other, and also it sends an `ACK` not a `SYN`. These are *very different*, especially in terms of firewalls and IDS systems.
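Added example, not part of the original question, answer or comments: a shell script that merges several discovery passes and lists the addresses from the router's DHCP client list that no pass reported as up, which is the comparison the asker was doing by hand. The function names, file names and sample addresses are assumptions; the sample scan output is constructed.

```shell
#!/bin/sh
# Added example: merge nmap discovery passes and compare them with the
# router's DHCP client list. All sample data below is constructed.

# Run the probe combinations from the answer, one grepable file per pass.
# Run as root for raw probes. On a directly attached LAN nmap uses ARP for
# all of these (see the comments above), so the passes only differ for
# routed subnets. Not called by the demo below.
run_passes() {  # usage: run_passes 192.168.2.0/24 outdir
    nmap -sn -oG "$2/default.gnmap" "$1"
    nmap -sn -PS22,3389 -oG "$2/syn.gnmap" "$1"
    nmap -sn -PU161 -oG "$2/udp.gnmap" "$1"
    nmap -sn -PA21,22,25,3389 -oG "$2/ack.gnmap" "$1"
}

# Print the unique IPs marked "Status: Up" in the grepable files given.
up_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$@" | sort -u
}

# Print DHCP-list IPs (file $1, one per line) that no pass ($2...) saw up.
missed_hosts() {
    leases=$1; shift
    seen=$(mktemp)
    up_hosts "$@" > "$seen"
    grep -vxFf "$seen" "$leases" || true   # grep exits 1 when nothing is missed
    rm -f "$seen"
}

# Demo on constructed data: four leases, two passes, one host never seen.
demo() {
    d=$(mktemp -d)
    printf '192.168.2.1\n192.168.2.10\n192.168.2.23\n192.168.2.40\n' > "$d/leases.txt"
    cat > "$d/default.gnmap" <<'EOF'
# Nmap scan (constructed sample)
Host: 192.168.2.1 ()	Status: Up
EOF
    cat > "$d/syn.gnmap" <<'EOF'
Host: 192.168.2.1 ()	Status: Up
Host: 192.168.2.10 (nas.lan)	Status: Up
Host: 192.168.2.23 ()	Status: Up
EOF
    missed_hosts "$d/leases.txt" "$d/default.gnmap" "$d/syn.gnmap"
    rm -rf "$d"
}
demo
```

An address that is still listed after every pass is either a stale lease or a host that filters all the probes sent; the `nmap --iflist` check mentioned in the comments helps rule out a routing problem on the scanning machine.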

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM