Skip to content

Ethical Hacking – Host Discovery

Ethical Hacking is a skill made up of parts, and in this part we will take a look at Host Discovery. We will take what we have learned from our Reconnaissance section and focus the results into this Host Discovery section. If we look at the Reconnaissance stage as high level, where we are only looking at our target from a distance, now its time to look step closer to the target and do some deeper discovery. We will scan ip networks to identify active hosts. Once an active host is found we can then proceed with a Port Scan and then on to Enumeration stage with those results to identify weakness.

Although the learning is broken down into stages that seem to go from left to right. Sometimes after a interesting discovery the Ethical Hacker needs to step back into Reconnaissance mode to progress. This will become clearer.

The Ethical Hacker must try to learn by doing. So for some of these I will use examples that will include some will CTF Challenges which are a perfectly legal ways of practising to hone your skills.

So lets jump in…

Table of Contents

Requirements for Ethical Hacking

Unfortunately Ethical Hacking is not just something you can jump into. If becoming an Ethical Hacker is something you want to achieve, then it it requires some pre-existing skills.

  • CCNA level Network skills.
    • The Ethical Hacker needs to understand TCP/IP protocols,
    • Needs to understand how Network ports work,
    • They needs to a solid foundation in sub-netting,
  • System Administrator Linux Skills,
    • Most of the tools for Ethical Hacking are used on Linux Platforms such as Kali Linux or (my personal favourite) BlackArch,
    • Spinning up Docker Containers,
    • Super familiarity of the Command Line interface,
  • Scripting
    • Good working knowledge of Shell Scripting
    • Excellent working knowledge of Python

The above list is not 100% required and the budding Ethical Hacker can learn as they go. But it makes the learning process a whole lot easier.

Host Discovery

IP (ipv4 in this case) networks contain unique individual addresses for Servers, Routers, Switches, Printers, Security Cameras, Personal Computers, etc. Maybe even in this age of IOT (Internet of Things) there are smart plugs, Google and Alexa devices on the network.

The role of the Ethical Hacker during the Host Discovery is to,

  • Scan down these IP Networks,
  • Identify used IP address,
  • Run a Port Scan on each of these IP Addresses,
  • Enumeration of services running on these ports,

When Scanning down Networks for Usable IP addresses there are a number of approaches. As an Ethical Hacker we have (or should have) permissions to scan the networks we are going to target. However on the the other hand the Hacker does not have permissions. The Hacker requires Stealth to proceed, he doesn’t want to trigger any alarms. Lets take a look at both these approaches.

Scanning Tools

There are many tools to scan down networks and there is only one worth talking about. “nmap”, it’s the best command line tool for scanning down networks and finding the open ports within those networks. There are other free alternatives (and some commerical commercial) that can do parts of nmap better than nmap can but as nmap is a very complete Host Discovery tool and its is better to learn and master it as one of the first steps on learning the process of Ethical Hacking.

Types of Scans

Below you will find examples for Ping and ARP, Host Discovery scans. Back in the day all you had to do was send and Ping (ICMP) packet to a host and you could quickly identify if a host was up. Nowadays, network administrators tend to block these packets on the firewall and the results are less reliable.

When doing host discovery scans you have to always include the “-sn” option for nmap. This prevents it from doing a port scan on any hosts if finds. At this stage its wise to be not so noisy and do Skip the port scans. So for now lets only focus on active IP address scan.

Reverse DNS Scan

A useful scan when trying to do Host Discovery is a Reverse DNS scan. When nmap does such a scan it is very stealthy as it does not send any probes to the targets. This allows for a potential list of active hosts without scanning down the network range and not risking detection.

nmap -sL --dns-server
nmap dns only scan

The above scan did the following.

  • Scanned all hosts in the range form to,
  • Sent no probes to the target hosts in the range,
  • Used a dns server (–dns-server)

This scan resulted in a nice number of hosts are likely active on the network and subject to deeper scans.

ARP Neighbour Host Discovery Scan

ARP ping scans are the most effective way of detecting hosts in LAN networks. Often when scanning networks many of the ip address are not in use and if using a Ping scan the OS must try to figure out what the hardware address is. This can be slow and problematic. ARP scans are much faster and more reliable than Ping based scans.

To begin an ARP scan for host discovery for the subnet “” and not to check for any open ports. Run the following command.

nmap -PR -sn
nmap scan results

Ping (ICMP) Host Discovery

When run with just the “-PE -sn” options, then nmap does a ping sweep. This allows for light reconnaissance for a target network. The host discovery of this option if run as the root user has 4 parts.

  1. ICMP echo request,
  2. TCP SYN to ports 443, T
  3. PC ACK to port 80
  4. ICMP timestamp request.

When executed by an non root user only the TCP SYN packets are sent.

sudo nmap -sn -PE
Ethical Hacking Host Discovery

Passive Host Discovery

If the Ethical hacker has secured access to the network, instead of going looking for Active IP addresses, they can runs a Passive host dicovery. This works by sitting on the network and capturing and ARP requests that come in. Due to the nature of ARP requests they are broadcast to all hosts. This way the Ethical Hacker can capture a list of active targets by just waiting. We do not use the nmap command for this but we use the “netdiscover” command.

sudo netdiscover -i eth0 -r -p

When run, the command spawns and keeps running while registering and logging ARP requests.

Passive Scan Results

These are the results of just letting it run for a few hours on a home wifi network.

Results and Next Steps

No matter which of the previous scans you did it should always result in some IP addresses. In some of the cases above, this resulted in 3 active IP addresses being found. These can be documented and forwarded onto the next stage. Port scanning!

Wrap Up

Host Discovery is a key stage in the process of Ethical Hacking. Its at this stage we learn to map out the environment and discover potential targets for port scanning.

Be aware that nmap scans like ARP and Ping scans can be noisy and can be detected by “Intrusion detection and prevention systems“. However if the system is connected to the internet then you can expect to see these types of scans on a regular basis in your logs

For more information on Host Discovery Scans for Ethical Hacking take a look at the Official nmap documentation page on the topic.

Published inGetting Started With CTF ChallengesIT & SecurityPen-TestingThe Phases of Ethical Hacking