Simple ICMP Host Discovery with Nmap

The other day I needed to rapidly scan a range of IP addresses for hosts that responded to ICMP echo requests. I also needed the responding IP addresses to be in a simple list format (with a single IP per line).

While there are many ways to do this I needed something quick (only had about 3 mins). Now I’m not sure exactly why, but doing this from my Kali VM (virtualbox) generated some false positives and basically told me the entire range responded. I was able to accomplish what I needed using the following:

nmap -sn -n -PE | grep report | cut -d ' ' -f 5

The Nmap options are as follows:

-sn    Do NOT perform a port scan
-n      Do NOT perform name resolution
-PE    Send a single ICMP echo request to each target

The rest of the command should be fairly self explanatory and this is a sample of the output

root@kali~# nmap -sn -n -PE | grep report | cut -d ' ' -f 5

Simple, quick, clean, and reasonably non-disruptive / stealthy.

I hope someone else finds this useful if they are ever in a similar situation.