Network Discovery
Exploring the attack surface and mapping the environment.
Network Discovery is the process of identifying active hosts on a network. Think of it like knocking on a door to see who is home, but with network devices. This is the first step before you can start to scan what services are accessible on a host and test those for vulnerabilities and misconfigurations.
During an engagement you might find forgotten hosts; those can be the point of entry to the network, and you can use them to pivot to other hosts or networks.
The most common way to scan a network for active hosts is to send ICMP echo requests. These days that might not work, as many devices are configured not to respond to them, but you should still run this as a first scan during a network assessment.
When you run such a scan, you scan a network range and you need to set the `-sn` option to disable port scanning and the `-PE` option to tell nmap to use an ICMP echo request.
For the sake of experimenting, try this command to scan your local network:
```
❯ nmap -sn -PE 192.168.1.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 17:45 -0100
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.00085s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0022s latency).
Nmap scan report for 192.168.1.30
Host is up (0.038s latency).
Nmap scan report for 192.168.1.31
Host is up (0.033s latency).
Nmap scan report for 192.168.1.46
Host is up (0.0039s latency).
Nmap scan report for 192.168.1.67
Host is up (0.0026s latency).
Nmap scan report for 192.168.1.97
Host is up (0.0069s latency).
...
Nmap done: 256 IP addresses (17 hosts up) scanned in 10.83 seconds
```
You will probably see a similar result to what I get, because all mobile phones, smart TVs and whatnot are connected to your local network.
You can also add the `--reason` flag to see why nmap reports up or down for a given host:
```
❯ sudo nmap -sn -PE 192.168.1.1 --reason
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-18 17:12 -0100
Nmap scan report for _gateway (192.168.1.1)
Host is up, received arp-response (0.00067s latency).
MAC Address: 74:24:9F:67:BF:96 (Tibro)
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
```
As you can see, I received an arp-response, because nmap uses ARP by default on my system. You can force it to use ICMP with the `--disable-arp-ping` flag, but ARP is usually more reliable.
If you run the same command against a host that is down you will see a similar result:
```
❯ sudo nmap -sn -PE 192.168.1.3 --reason
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-18 17:15 -0100
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.55 seconds
```
As I mentioned, these days ICMP echo might be blocked on hosts, but nmap offers other ways to check whether a host is live. One such option is a TCP SYN ping with the `-PS` option. This sends an empty TCP packet with the SYN flag set, by default to port 80, but you can specify the port or ports to target, for instance `-PS22-25`.
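Once a discovery scan has run, the useful next step on the defensive side is to turn the text above into records and compare them with what you believe is on the subnet. The following Python parser is an added example, not code from this article or from the nmap project: it reads the normal-output format shown above (`Nmap scan report for ...`, `Host is up, received ...`, `MAC Address: ...`, `Nmap done: ...`), works with and without `--reason`, tallies which probe type (ARP, ICMP echo or a `-PS` SYN probe) each host answered, and lists live addresses that are missing from an asset inventory. The sample output, the addresses, the MAC address and vendor, and the `KNOWN_ASSETS` inventory are all constructed for the example.

```python
"""Parse the normal-format output of `nmap -sn [--reason]` into structured
records, then check the discovered hosts against an asset inventory.

Added example; not part of the original article or of nmap itself. The
sample output below is constructed to mirror the article's output format
(addresses, MAC and vendor are made up), and the inventory is hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: what `sudo nmap -sn -PE --reason 192.168.1.0/24` prints,
# with three hosts answering three different probe types.
SAMPLE_OUTPUT = """\
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-18 17:12 -0100
Nmap scan report for _gateway (192.168.1.1)
Host is up, received arp-response (0.00067s latency).
MAC Address: 00:11:22:33:44:55 (ExampleVendor)
Nmap scan report for 192.168.1.2
Host is up, received echo-reply (0.0022s latency).
Nmap scan report for 192.168.1.30
Host is up, received syn-ack (0.038s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.83 seconds
"""

# Hypothetical asset inventory: the hosts we *expect* to be on this subnet.
KNOWN_ASSETS = {"192.168.1.1", "192.168.1.2"}

REPORT_RE = re.compile(r"^Nmap scan report for (?P<target>.+)$")
UP_RE = re.compile(
    r"^Host is up(?:, received (?P<reason>[\w-]+))? \((?P<latency>[\d.]+)s latency\)\.$"
)
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>.*)\))?$"
)
DONE_RE = re.compile(
    r"^Nmap done: (?P<total>\d+) IP address(?:es)? \((?P<up>\d+) hosts? up\) "
    r"scanned in (?P<seconds>[\d.]+) seconds$"
)


@dataclass
class Host:
    ip: str
    hostname: Optional[str] = None
    up: bool = False
    reason: Optional[str] = None      # only present when --reason was used
    latency_s: Optional[float] = None
    mac: Optional[str] = None         # only shown for hosts on the local segment
    vendor: Optional[str] = None


@dataclass
class ScanResult:
    hosts: list
    total_addresses: int = 0
    reported_up: int = 0


def parse_nmap_sn(text: str) -> ScanResult:
    """Walk the output line by line; each 'scan report' line opens a new host
    record and the following lines fill it in until the next report line."""
    result = ScanResult(hosts=[])
    current: Optional[Host] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            target = m.group("target")
            # "name (ip)" when reverse DNS resolved, a bare "ip" otherwise
            if target.endswith(")") and " (" in target:
                name, ip = target[:-1].split(" (", 1)
                current = Host(ip=ip, hostname=name)
            else:
                current = Host(ip=target)
            result.hosts.append(current)
            continue
        m = UP_RE.match(line)
        if m and current is not None:
            current.up = True
            current.reason = m.group("reason")
            current.latency_s = float(m.group("latency"))
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            current.mac = m.group("mac").upper()
            current.vendor = m.group("vendor")
            continue
        m = DONE_RE.match(line)
        if m:
            result.total_addresses = int(m.group("total"))
            result.reported_up = int(m.group("up"))
    return result


def reason_counts(result: ScanResult) -> dict:
    """How many live hosts each probe type found (arp-response, echo-reply,
    syn-ack, ...); 'unknown' when the scan was run without --reason."""
    counts: dict = {}
    for h in result.hosts:
        if h.up:
            key = h.reason or "unknown"
            counts[key] = counts.get(key, 0) + 1
    return counts


def unexpected_hosts(result: ScanResult, inventory: set) -> list:
    """Live addresses absent from the inventory: the forgotten hosts a
    defender wants to find and account for first."""
    return sorted(h.ip for h in result.hosts if h.up and h.ip not in inventory)


if __name__ == "__main__":
    res = parse_nmap_sn(SAMPLE_OUTPUT)
    print(f"{len(res.hosts)} hosts parsed, nmap reported {res.reported_up} up")
    print("by reason:", reason_counts(res))
    print("not in inventory:", unexpected_hosts(res, KNOWN_ASSETS))
```

Run it as a script to see the summary for the constructed sample, or feed it real output with `parse_nmap_sn(open("scan.txt").read())`. The `reason` field is what makes `--reason` worth adding to a discovery scan: a host that only ever shows up as `arp-response` is reachable on the local segment but silently drops ICMP and TCP probes, which is exactly the kind of host that will be missed by a remote scan and should be checked against the inventory.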