🛡️ Methodology Checklist
- Ping sweep (ICMP): `nmap -sn [CIDR]`
- ARP scan (LAN only): `sudo nmap -PR -sn [CIDR]`
- Skip ICMP, use TCP SYN probes instead (any explicit `-P*` option replaces Nmap's default probe set): `nmap -PS22,80,443 -sn [CIDR]`
- UDP discovery: `nmap -PU -sn [CIDR]`
- No ping (treat all hosts as up): `nmap -Pn [TARGET]`
- Store live hosts list: `nmap -sn [CIDR] -oG - | grep 'Status: Up' | awk '{print $2}' > hosts.txt`
- Verify all discovered hosts are within authorised scope
🎯 Operational Context
Think Dumber First: In HTB/CPTS VPN environments, all hosts are alive — skip discovery and go straight to port scanning with `-Pn`. For real engagements with large subnets, use TCP SYN probes (`-PS80,443,22`) when ICMP is blocked. ARP scanning requires L2 adjacency — use `arp-scan` only when you are on the same subnet.
When you land here: New network segment to enumerate. Start with `nmap -sn [CIDR]` — if ICMP is allowed, this is fast. If not, add TCP probes. Save the live host list to a file immediately for subsequent targeted scans.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP]/24 -sn -oA tnet` | Sweep /24 CIDR — host discovery only, no port scan |
| `sudo nmap -sn -oA tnet -iL hosts.lst` | Host discovery from a target list file |
| `sudo nmap [TARGET_IP] -sn -oA host -PE --packet-trace` | Force ICMP Echo request and trace packets |
| `sudo nmap [TARGET_IP] -sn --reason` | Show why Nmap considers the host alive |
| `sudo nmap [TARGET_IP] -sn -PE --disable-arp-ping --packet-trace` | Disable ARP, force ICMP discovery |
| `sudo nmap -sn -PE -PP -PS21,22,23,25,80,113,443,31339 -PA80,113,443,10042 --source-port 53 [TARGET_IP]` | "Kitchen Sink" scan — multi-probe discovery for firewall bypass |
| `sudo nmap -PE -PS80 -PS443 -PP -PU40125 -PS3389 -PA21 -PU161 --source-port 53 [TARGET_IP]` | Optimal 8-probe combination (93.69% success rate) |
🔬 Deep Dive & Workflow
Discovery Decision Tree
- Same subnet / internal LAN? → default `-sn` (ARP works)
- Remote / VPN / pivot? → ARP fails → try `-sn -PE` (as root, plain `-sn` against a non-local target already sends ICMP Echo, TCP SYN to 443, TCP ACK to 80 and ICMP Timestamp)
- ICMP blocked? → try TCP discovery: `-sn -PS22,80,443` or `-PA80,443`
- Still unsure? → force scan anyway: `-Pn` + port scan
- Validate "up" via actual service responses, not just discovery pings
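The checklist's "store live hosts list" and "verify scope" steps, and the decision tree's "validate up via actual service responses" step, as one added example in POSIX shell (this is not code from the original page; the `-oG` sample lines, the `example.internal` hostname and the `10.129.2.0/24` scope are constructed assumptions). It parses grepable Nmap output into a clean IP list even when reverse-DNS names are present, drops anything outside the authorised CIDRs, and then reads a grepable port-scan to keep only hosts that actually answered on an open port:

```shell
#!/bin/sh
# Added example, not from the original page: post-process nmap -oG output into a
# scope-checked live-host list, then confirm "up" hosts by open ports.
#
# Real usage (assumed scope 10.129.2.0/24; run outside this script):
#   sudo nmap -sn 10.129.2.0/24 -oG - | live_hosts_from_gnmap \
#       | filter_scope 10.129.2.0/24 > hosts.txt
#   sudo nmap -Pn -p 22,80,443,445,3389 -iL hosts.txt -oG - | hosts_with_open_ports

# IPv4 dotted quad -> 32-bit integer (sh/bash/dash arithmetic is at least 64-bit).
ip_to_int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR, e.g. in_cidr 10.129.2.4 10.129.2.0/24
in_cidr() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# Read -oG discovery output on stdin, print one IP per line for hosts reported Up.
# Field 2 is always the IP; a reverse-DNS name, when present, sits inside the
# parentheses after it, so it never shifts the field (unlike "grep | cut" on normal output).
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Read IPs on stdin; pass through those inside any authorised CIDR given as an
# argument, and report the rest on stderr so they are documented but never scanned.
filter_scope() {
    while IFS= read -r _host; do
        [ -n "$_host" ] || continue
        _match=no
        for _cidr in "$@"; do
            if in_cidr "$_host" "$_cidr"; then _match=yes; break; fi
        done
        if [ "$_match" = yes ]; then
            printf '%s\n' "$_host"
        else
            printf 'OUT OF SCOPE, not targeting: %s\n' "$_host" >&2
        fi
    done
}

# Read -oG port-scan output on stdin and print IPs with at least one port in state
# exactly "open" (entries look like 22/open/tcp//ssh///; "open|filtered" does not count).
# A host that answers on a service is up no matter what the discovery probes said.
hosts_with_open_ports() {
    awk '/^Host:/ && /Ports:/ && /\/open\// { print $2 }'
}

# Constructed sample output, not from a real scan. Real -oG lines separate the
# fields with tabs; awk's default splitting handles tabs and spaces alike.
# "Status: Down" lines only appear in -oG when -v is given.
SAMPLE_DISCOVERY='# Nmap scan initiated (constructed sample)
Host: 10.129.2.4 ()  Status: Up
Host: 10.129.2.10 (dc01.example.internal)  Status: Up
Host: 10.129.2.28 ()  Status: Down
Host: 10.129.3.2 ()  Status: Up
# Nmap done (constructed sample)'

SAMPLE_PORTSCAN='Host: 10.129.2.4 ()  Ports: 22/open/tcp//ssh///, 80/closed/tcp//http///
Host: 10.129.2.10 ()  Ports: 445/filtered/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///'

# Demo on the constructed samples: 10.129.3.2 is reported out of scope on stderr,
# and only 10.129.2.4 is confirmed by an open port.
printf '%s\n' "$SAMPLE_DISCOVERY" | live_hosts_from_gnmap | filter_scope 10.129.2.0/24
printf '%s\n' "$SAMPLE_PORTSCAN" | hosts_with_open_ports
```

The scope check runs before any host is written to `hosts.txt`, so a mistyped CIDR on the `nmap` command line cannot silently turn into targeted scans of a neighbouring subnet; the out-of-scope lines on stderr are what goes into the scope-confirmation section of the report.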
Probe Success Rates (Empirical)
| Success Rate | Probe |
|---|---|
| 62.47% | -PE (ICMP Echo — best single probe) |
| 44.17% | -PS443 (TCP SYN to HTTPS) |
| 43.28% | -PA80 (TCP ACK to HTTP) |
| 93.69% | 8-probe combo (see command above) |
Valuable Ports for -PS/-PA Discovery
| Port | Service | Notes |
|---|---|---|
| 80 | HTTP | Ubiquitous, usually allowed |
| 443 | HTTPS | Standard, usually allowed |
| 22 | SSH | Common in corporate envs |
| 3389 | RDP | Windows remote access |
| 53 | DNS | Critical infra, rarely blocked |
Pitfalls
- Parsing normal output with `grep | cut` breaks if hostnames appear — prefer `-oG -` + `awk` for clean IP lists.
- ARP scans on LAN are normal — don't conclude "host is down" if ICMP fails on a local subnet.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| fping/nmap -sn returns no hosts despite confirmed live targets | ICMP filtered at perimeter or VPN | Switch to TCP probe discovery: nmap -PS22,80,443,8080 -PA80 -sn [CIDR] |
| ARP scan returns nothing | Not on same L2 segment (routed network) | ARP is L2 only — works on directly attached subnet; use ICMP/TCP probes for routed discovery |
| Live host found in discovery but port scan finds nothing | Host went down between scans or VPN instability | Re-run discovery; confirm with ping -c 1 [TARGET]; VPN reconnect if many targets disappearing |
| nmap -sn shows host up but no response to port scans | All ports filtered by firewall | Use -Pn and verify with --reason flag; try nmap --open -p 80,443 [TARGET] to confirm filtering vs stealth |
| Discovery finds more hosts than in scope | Subnet boundary crossed | Verify CIDR mask; split into /26 or /27 subnets; document out-of-scope hosts but do not target them |
📝 Reporting Trigger
Finding Title: (Host discovery is a prerequisite — document all discovered live hosts in the scope confirmation section of the report. Flag any hosts found outside the agreed scope for immediate client notification.)