Simple ICMP Host Discovery with Nmap

The other day I needed to rapidly scan a range of IP addresses for hosts that responded to ICMP echo requests. I also needed the responding IP addresses to be in a simple list format (with a single IP per line).

While there are many ways to do this I needed something quick (only had about 3 mins). Now I’m not sure exactly why, but doing this from my Kali VM (virtualbox) generated some false positives and basically told me the entire range responded. I was able to accomplish what I needed using the following:

nmap -sn -n -PE 192.168.0.0/24 | grep report | cut -d ' ' -f 5

The Nmap options are as follows:

-sn Do NOT perform a port scan
-n Do NOT perform name resolution
-PE Send a single ICMP echo request to each target

The rest of the command should be fairly self explanatory and this is a sample of the output

root@kali~# nmap -sn -n -PE 192.168.0.0/24 | grep report | cut -d ' ' -f 5 192.168.0.1 192.168.0.4 192.168.0.8 192.168.0.200

Simple, quick, clean, and reasonably non-disruptive / stealthy.

I hope someone else finds this useful if they are ever in a similar situation.

Pros

MIT(R)M Attacks – Your middle or mine?

Quick Connection Info with ‘netstat’ (Linux)

Phishing Attacks & Defense: Understanding “Quishing”

Simple ICMP Host Discovery with Nmap

Related Posts