Host Discovery
You may have hundreds or thousands of IPs in scope, especially after expanding CIDRs. Full port scanning all of them is wasteful — most won’t be up. Host discovery is a fast first pass to find the live ones, so the expensive recon phase only targets hosts that exist.
Expand CIDRs to addresses
First, turn any CIDR ranges into individual addresses so you can scan and track them per-host. nmap -sL (“list scan”) expands ranges without sending a single packet:
# IPv4
nmap -sL -n -iL recon/ips/scope-combined.txt \
| awk '/report for/{print $NF}' \
| sort -u > recon/ips/expanded-ipv4.txt
# IPv6 (if in scope)
nmap -6 -sL -n -iL recon/ips/scope-combined.txt \
| awk '/report for/{print $NF}' \
| sort -u > recon/ips/expanded-ipv6.txt
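The same expansion done in Python, as an added example rather than Arsenic's own tooling: it accepts a mix of single addresses and prefixes, splits IPv4 from IPv6, deduplicates overlaps (a host listed both on its own and inside a prefix), and refuses prefixes that would expand to more addresses than a per-host list can sensibly hold, which is the failure mode an IPv6 /64 in scope produces. The scope file contents and the size cap are constructed assumptions, not values from the page.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed stand-in for recon/ips/scope-combined.txt: one IP or CIDR per
# line, '#' comments allowed. Documentation ranges only.
SAMPLE_SCOPE = """\
# constructed scope file for this example
192.0.2.0/30
192.0.2.1
198.51.100.7
2001:db8::/126
2001:db8::1
not-an-address
"""

# Assumed cap: refuse to expand any prefix with more addresses than this, so a
# stray /8 or IPv6 /64 is reported instead of producing an unusable list.
MAX_HOSTS_PER_PREFIX = 65536


def expand_scope(lines: Iterable[str], max_hosts: int = MAX_HOSTS_PER_PREFIX
                 ) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Return (ipv4, ipv6, skipped): sorted, deduplicated per-host addresses
    plus the entries that were not expanded and why."""
    v4, v6, skipped = set(), set(), []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            skipped.append((entry, "unparseable"))
            continue
        if net.num_addresses > max_hosts:
            skipped.append((entry, f"too large ({net.num_addresses} addresses)"))
            continue
        # /31, /32, /127, /128: every address is a host. For anything larger,
        # hosts() drops the network (and, for IPv4, broadcast) address, which
        # is what a per-host scan list wants.
        addrs = net if net.num_addresses <= 2 else net.hosts()
        bucket = v4 if net.version == 4 else v6
        bucket.update(str(ip) for ip in addrs)
    return (sorted(v4, key=ipaddress.ip_address),
            sorted(v6, key=ipaddress.ip_address),
            skipped)


if __name__ == "__main__":
    ipv4, ipv6, skipped = expand_scope(SAMPLE_SCOPE.splitlines())
    print("\n".join(ipv4))          # what expanded-ipv4.txt would contain
    print("\n".join(ipv6))          # what expanded-ipv6.txt would contain
    for entry, why in skipped:
        print(f"skipped {entry}: {why}")
```

Skipped entries are returned rather than silently dropped so that a typo in the scope file shows up before the sweep, not after it.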
Smart ping sweep with nmap
A plain ICMP ping sweep misses hosts that block ICMP, which includes most hardened hosts. The trick Arsenic uses is to probe the most popular ports for liveness on top of ICMP, so a host that drops ping but answers on tcp/443 still shows up.
Build the popular-port lists straight from nmap’s own frequency data:
TOP=30 # top-N most common ports
TCP=$(sort -r -k3 /usr/share/nmap/nmap-services | awk '/\/tcp/{print $2}' \
| cut -d/ -f1 | head -n $TOP | paste -sd,)
UDP=$(sort -r -k3 /usr/share/nmap/nmap-services | awk '/\/udp/{print $2}' \
| cut -d/ -f1 | head -n $TOP | paste -sd,)
Then sweep with multiple probe types — ICMP echo + timestamp, TCP ACK/SYN to the popular ports, and UDP to its popular ports:
sudo nmap -sn -n \
-PE -PP \
-PA"$TCP" -PS"$TCP" -PU"$UDP" \
--randomize-hosts --scan-delay 50ms \
-T4 \
-iL recon/ips/expanded-ipv4.txt \
-oA recon/ips/host-discovery-ipv4
# Extract the live hosts
awk '/Up$/{print $2}' recon/ips/host-discovery-ipv4.gnmap \
| sort -u > recon/ips/alive.txt
What the flags do:
-sn — host discovery only, no port scan.
-PE -PP — ICMP echo + timestamp requests.
-PA<ports> / -PS<ports> — TCP ACK / SYN probes to popular ports (gets through stateful firewalls that drop ICMP).
-PU<ports> — UDP probes.
--randomize-hosts / --scan-delay — a little quieter and gentler.
-T4 — timing; drop to -T3 or lower for fragile/monitored networks.
Faster alternative: naabu
naabu can do liveness + a fast port pass in one step, and it’s nice for large ranges:
naabu -l recon/ips/expanded-ipv4.txt -top-ports 100 -silent \
| cut -d: -f1 | sort -u | tee recon/ips/alive.txt
Resolve names ↔ live IPs
Cross-reference your resolved domains with the live IP list so you know which hostnames sit on which live host. One IP often serves many vhosts — you want to scan the IP once but remember every name pointing at it (it matters for HTTP vhost routing in recon).
The output of this phase — recon/ips/alive.txt plus the per-host name mapping — is the target list for Recon.
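An added example of the two bookkeeping steps above, the "Extract the live hosts" parse of the .gnmap file and the name-to-live-IP cross-reference; this is illustration code, not part of Arsenic. The .gnmap excerpt is constructed in the layout nmap -sn -n produces, and the resolver output is assumed to be one "hostname ip" pair per line (your resolver may print a different shape). Live IPs with no known hostname are kept, since they still need scanning, and names that resolve to an IP the sweep did not see alive are reported rather than dropped, because a stale DNS record pointing into the scope is itself worth knowing about.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of recon/ips/host-discovery-ipv4.gnmap (documentation IPs).
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sn -n -iL expanded-ipv4.txt -oA host-discovery-ipv4
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.2 ()\tStatus: Down
Host: 198.51.100.7 ()\tStatus: Up
Host: 198.51.100.7 ()\tStatus: Up
# Nmap done: 3 IP addresses (2 hosts up) scanned
"""

# Constructed resolver output. Assumed format: "hostname ip", one record per line.
SAMPLE_RESOLVED = """\
www.example.com 198.51.100.7
api.example.com 198.51.100.7
admin.example.com 192.0.2.2
old.example.com 203.0.113.9
"""

# Host line in grepable output: "Host: <ip> (<rdns-or-empty>)<tab>Status: <Up|Down>"
GNMAP_HOST = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def alive_hosts(gnmap_text: str) -> List[str]:
    """IPs whose status is Up, deduplicated, in first-seen order
    (the same selection as awk '/Up$/{print $2}' | sort -u)."""
    seen: List[str] = []
    for line in gnmap_text.splitlines():
        m = GNMAP_HOST.match(line)
        if m and m.group(3) == "Up" and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def parse_resolved(text: str) -> List[Tuple[str, str]]:
    """Normalise 'hostname ip' lines: lowercase names, no trailing dot."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            pairs.append((parts[0].lower().rstrip("."), parts[1]))
    return pairs


def cross_reference(alive: List[str], resolved: List[Tuple[str, str]]
                    ) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Return (vhosts_by_ip, dangling).

    vhosts_by_ip maps every live IP to the sorted hostnames pointing at it
    (empty list if none), so the IP is scanned once but every name is kept
    for HTTP vhost routing. dangling lists (name, ip) pairs whose IP was not
    seen alive: either Down in the sweep or outside the scanned list."""
    vhosts = {ip: set() for ip in alive}
    dangling = []
    for name, ip in resolved:
        if ip in vhosts:
            vhosts[ip].add(name)
        else:
            dangling.append((name, ip))
    return {ip: sorted(names) for ip, names in vhosts.items()}, dangling


if __name__ == "__main__":
    live = alive_hosts(SAMPLE_GNMAP)
    by_ip, dangling = cross_reference(live, parse_resolved(SAMPLE_RESOLVED))
    for ip in live:                       # alive.txt plus the names per host
        print(ip, ",".join(by_ip[ip]) or "-")
    for name, ip in dangling:
        print(f"not live: {name} -> {ip}")
```

The duplicate Up line in the sample is deliberate: nmap -sn output can repeat a host when the input list did, and the awk | sort -u pipeline on the page collapses it the same way.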