Host Discovery Techniques via Scanning - Part 1

To discover the active/live hosts in the network, host discovery techniques can be used. As an ethical hacker, you must be aware of the various types of host discovery techniques. 

ARP Ping Scan

The ARP ping scan sends ARP packets to find all active devices in the IPv4 range, even if their presence is masked by a restrictive firewall. 

If an attacker sends ARP request probes to a target host and receives an ARP response, the host is active. If the destination host is discovered to be inactive, the source host adds an incomplete entry to the destination IP in its kernel ARP database. Check How ARP is used for Spoofing Attacks

nmap -sn -PR <IP>

  • -sn: disable port scan. ARP ping scan is default in nmap. To disable and preform oterh ping scans, use --disable-arp-ping.


  • ARP ping scanning is thought to be more efficient and accurate than other host discovery methods.
  • ARP ping scan handles ARP requests, retransmission, and timeouts automatically at its discretion.
  • ARP ping scan is useful for system discovery when scanning huge address spaces.
  • ARP ping scan can show a device's response time or latency to an ARP packet. 

UDP Ping Scan

UDP ping scans are similar to TCP ping scans, except that UDP packets are sent instead of TCP packets. The default port used by Nmap is 40,125, which is extremely uncommon. Attackers send UDP packets to the target host, and a UDP response indicates that the target host is active. UDP Ping Scan has the advantage of finding systems behind firewalls with tight TCP filtering, while UDP traffic is ignored.  In Zenmap, -PU option is used to perform the UDP ping scan.

TCP SYN Ping Scan

TCP SYN ping scan is used for probing different ports to determine if the port is online and to check if it encounters any firewall rule sets. 

An attacker uses this approach by sending the empty TCP SYN flag to begin the three-way handshake. The target host acknowledges with an ACK flag after receiving SYN. When the attacker receives the ACK flag, it checks that the target host is alive and sends the RST flag to terminate the connection.  The -PS option in Zenmap is used to do a TCP SYN ping scan.


  • Because the machines can be scanned concurrently, the scan never encounters a time-out problem while waiting for a response.
  • TCP SYN ping can be used to determine whether or not the host is active without establishing a connection. As a result, logs are not recorded at the system or network level, allowing the attacker to leave no traces for discovery. 

TCP ACK Ping Scan

TCP ACK ping is similar to TCP SYN ping, with slight differences. The attackers use this approach to transmit an empty TCP ACK packet to the target machine. Because there is no prior connection between the attacker and the target host, the target responds with an RST signal to determine the request after receiving the ACK packet. The arrival of this RST packet at the attacker's end confirms that the host is active. 

The -PA option in Zenmap is used to perform a TCP ACK ping scan. 


Both the SYN and ACK packets can be utilised to reduce the likelihood of a firewall bypass. However, because SYN ping packets are the most commonly used pinging technique, firewalls are typically set to block them. In such instances, the ACK probe can be utilised to simply bypass certain firewall rule sets.

IP Protocol Ping Scan

IP Protocol ping is the most recent host discovery option that delivers IP ping packets with any specified protocol number in the IP header. It follows the same format as TCP and UDP ping. This method attempts to send various packets using various IP protocols in the hopes of receiving a response indicating that a host is online. 

You might be interested in, 

We hope this helps. If you have any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment