Host Discovery

Find which IPs in scope are actually alive before you spend time on full port scans.

You may have hundreds or thousands of IPs in scope, especially after expanding CIDRs. Full port scanning all of them is wasteful — most won’t be up. Host discovery is a fast first pass to find the live ones, so the expensive recon phase only targets hosts that exist.

Expand CIDRs to addresses

First, turn any CIDR ranges into individual addresses so you can scan and track them per-host. nmap -sL (“list scan”) expands ranges without sending a single packet:

# IPv4
nmap -sL -n -iL recon/ips/scope-combined.txt \
  | awk '/report for/{print $NF}' \
  | sort -u > recon/ips/expanded-ipv4.txt

# IPv6 (if in scope)
nmap -6 -sL -n -iL recon/ips/scope-combined.txt \
  | awk '/report for/{print $NF}' \
  | sort -u > recon/ips/expanded-ipv6.txt

Smart ping sweep with nmap

A plain ICMP ping sweep misses hosts that block ICMP, which most hardened hosts do. The trick Arsenic uses is to probe the most popular ports for liveness on top of ICMP, so a host that drops ping but answers on tcp/443 still shows up.

Build the popular-port lists straight from nmap’s own frequency data:

TOP=30   # top-N most common ports
# nmap-services columns: name, port/proto, open-frequency. Sort by frequency
# (descending), keep the port number, and join into the comma list -P* expects.
TCP=$(sort -r -k3 /usr/share/nmap/nmap-services | awk '/\/tcp/{print $2}' \
      | cut -d/ -f1 | head -n $TOP | paste -sd,)
UDP=$(sort -r -k3 /usr/share/nmap/nmap-services | awk '/\/udp/{print $2}' \
      | cut -d/ -f1 | head -n $TOP | paste -sd,)

Then sweep with multiple probe types — ICMP echo + timestamp, TCP ACK/SYN to the popular ports, and UDP to its popular ports:

sudo nmap -sn -n \
  -PE -PP \
  -PA"$TCP" -PS"$TCP" -PU"$UDP" \
  --randomize-hosts --scan-delay 50ms \
  -T4 \
  -iL recon/ips/expanded-ipv4.txt \
  -oA recon/ips/host-discovery-ipv4

# Extract the live hosts. Each .gnmap line looks like
# "Host: 10.0.0.1 ()	Status: Up", so field 2 is the IP.
awk '/Up$/{print $2}' recon/ips/host-discovery-ipv4.gnmap \
  | sort -u > recon/ips/alive.txt

What the flags do:

  • -sn — host discovery only, no port scan.
  • -PE -PP — ICMP echo + timestamp requests.
  • -PA<ports> / -PS<ports> — TCP ACK / SYN probes to popular ports (reach hosts whose firewalls drop ICMP but pass traffic to those ports).
  • -PU<ports> — UDP probes.
  • --randomize-hosts / --scan-delay — a little quieter and gentler.
  • -T4 — timing; drop to -T3 or lower for fragile/monitored networks.

Faster alternative: naabu

naabu can do liveness + a fast port pass in one step, and it’s nice for large ranges:

# naabu prints host:port per open port; keep only the host column
naabu -l recon/ips/expanded-ipv4.txt -top-ports 100 -silent \
  | cut -d: -f1 | sort -u | tee recon/ips/alive.txt

Resolve names ↔ live IPs

Cross-reference your resolved domains with the live IP list so you know which hostnames sit on which live host. One IP often serves many vhosts — you want to scan the IP once but remember every name pointing at it (it matters for HTTP vhost routing in recon).
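The cross-reference described above, as an added example that is not part of Arsenic's own tooling: it assumes a resolver dump in "hostname ip" form (one pair per line, an assumed format the page does not prescribe) and the alive.txt written by the sweep, and emits one line per live IP listing every name that routes to it, plus the names whose IPs all failed discovery so they can be re-checked instead of silently dropped.

```python
#!/usr/bin/env python3
# Map resolved hostnames onto the live IPs from host discovery.
# Assumed formats (not prescribed by the page): resolved = "hostname ip" per
# line (a name with several A records appears on several lines);
# alive.txt = one live IP per line, as written by the nmap/naabu sweep.
import sys
from collections import defaultdict

# Constructed sample data standing in for the resolver dump and alive.txt.
SAMPLE_RESOLVED = """\
www.example.com 203.0.113.10
api.example.com 203.0.113.10
api.example.com 203.0.113.11
old.example.com 203.0.113.50
# comments and trailing-dot names are tolerated
Mail.example.com. 203.0.113.12
"""
SAMPLE_ALIVE = "203.0.113.10\n203.0.113.12\n"

def parse_resolved(text):
    """Yield (hostname, ip) pairs; skip blank, comment and malformed rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        yield parts[0].lower().rstrip("."), parts[1]

def build_host_map(resolved_text, alive_text):
    """Return (vhosts, orphans): vhosts maps each live IP to the sorted names
    routed to it (scan the IP once, remember every vhost); orphans lists names
    none of whose IPs answered discovery, kept for a later re-check."""
    alive = {l.strip() for l in alive_text.splitlines() if l.strip()}
    by_ip, by_name = defaultdict(set), defaultdict(set)
    for name, ip in parse_resolved(resolved_text):
        by_name[name].add(ip)
        if ip in alive:
            by_ip[ip].add(name)
    vhosts = {ip: sorted(names) for ip, names in by_ip.items()}
    orphans = sorted(n for n, ips in by_name.items() if not ips & alive)
    return vhosts, orphans

if __name__ == "__main__":  # usage: host-map.py resolved.txt alive.txt
    args = sys.argv[1:3]  # no args: run on the constructed sample
    resolved, alive = (open(a).read() for a in args) if len(args) == 2 else (SAMPLE_RESOLVED, SAMPLE_ALIVE)
    vhosts, orphans = build_host_map(resolved, alive)
    for ip in sorted(vhosts):  # "ip name1,name2" per live host
        print(ip, ",".join(vhosts[ip]))
    for name in orphans:
        print("# no live IP:", name, file=sys.stderr)
```

A name that resolves to several IPs counts as covered as soon as one of them is alive; only names with no live IP at all land in the orphan list.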

The output of this phase — recon/ips/alive.txt plus the per-host name mapping — is the target list for Recon.

Last modified July 4, 2026: Post/mobi (#71) (ff64902)