Network Enumeration & Discovery

Find hosts, open ports, and running services on your network.

Quick Reference

# Find all live hosts on subnet
nmap -sn 192.168.1.0/24

# Check ARP cache (recently seen hosts)
ip neigh | grep -E "192.168|10.50"

# Find hosts with specific port open
nmap -p 9090 --open 192.168.1.0/24

# Quick service scan on host
nmap -sV 192.168.1.201

# Full port scan
nmap -p- 192.168.1.201

Host Discovery

Ping Sweep (ARP on Local Network)

Run as root against a directly attached Ethernet segment, nmap discovers hosts with ARP requests, which a host firewall cannot block. Run unprivileged, it falls back to TCP connect() probes to ports 80 and 443, so hosts that filter those ports are missed; use sudo for local subnets.

# Discover live hosts - no port scan
nmap -sn 192.168.1.0/24
Output
Nmap scan report for router.local (192.168.1.1)
Host is up (0.0023s latency).
Nmap scan report for 192.168.1.201
Host is up (0.012s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.45 seconds

ARP Cache Check

Passive and instant (no packets are sent): the neighbor cache lists hosts this machine has recently exchanged traffic with, so it misses anything you have not talked to. Ignore entries in FAILED or INCOMPLETE state, which are addresses the kernel tried to resolve and got no answer from:

ip neigh
Output
10.50.10.1 dev wlan0 lladdr 52:54:00:a2:7f:78 REACHABLE
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE

Filter for specific subnets:

ip neigh | grep -E "192.168|10.50"
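As an added example (not part of the original page), the filter below does what the grep above does but only keeps cache entries that are evidence of a live host: a resolved MAC and a state the kernel reached by actually hearing from the neighbor. The `ip neigh` lines it reads are a constructed sample, and `live_neighbors` and its prefix arguments are names chosen here.

```bash
# Filter `ip neigh` output to live hosts on chosen subnets.
# SAMPLE_NEIGH is a constructed sample of `ip neigh` output, not a real capture.
LC_ALL=C; export LC_ALL

# FAILED/INCOMPLETE entries are addresses the kernel tried to resolve and got
# no reply from (e.g. a stale DHCP lease you pinged); they are not live hosts.
SAMPLE_NEIGH='10.50.10.1 dev wlan0 lladdr 52:54:00:a2:7f:78 REACHABLE
10.50.10.44 dev wlan0 FAILED
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.201 dev eth0 lladdr 52:54:00:11:22:33 DELAY
192.168.1.250 dev eth0 INCOMPLETE
fe80::5054:ff:fea2:7f78 dev wlan0 lladdr 52:54:00:a2:7f:78 router STALE
172.16.0.9 dev docker0 lladdr 02:42:ac:10:00:09 REACHABLE'

# live_neighbors [PREFIX...]
#   Reads `ip neigh` lines on stdin and prints "IP MAC IFACE STATE" for entries
#   that carry a MAC and a usable state. Prefixes are matched literally from the
#   start of the address, so "10.50." does not also match 10.5.x.x the way
#   grep "10.50" would. With no prefixes every interface is listed.
live_neighbors() {
    awk -v prefixes="$*" '
        BEGIN { n = split(prefixes, p, " ") }
        {
            mac = ""; iface = ""; state = $NF
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    iface = $(i + 1)
                if ($i == "lladdr") mac   = $(i + 1)
            }
            # only these states mean the kernel has heard from the host
            if (mac == "" || state !~ /^(REACHABLE|STALE|DELAY|PROBE|PERMANENT)$/) next
            keep = (n == 0)
            for (j = 1; j <= n; j++) if (index($1, p[j]) == 1) keep = 1
            if (keep) print $1, mac, iface, state
        }'
}

# Against the constructed sample; on a real box:  ip neigh | live_neighbors 192.168.1. 10.50.
printf '%s\n' "$SAMPLE_NEIGH" | live_neighbors 192.168.1. 10.50.
```

The sample run prints three lines (10.50.10.1, 192.168.1.1 and 192.168.1.201); the FAILED and INCOMPLETE addresses, the IPv6 link-local entry and the docker0 neighbor are dropped.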

ARP Scan (More Reliable for Local)

Sends a raw ARP request to every address in the range (needs root). Hosts that drop ICMP and TCP probes still have to answer ARP, but this only works on the segment you are directly attached to, not across a router.

sudo arp-scan --localnet
sudo arp-scan 192.168.1.0/24

Port Scanning

Find Hosts with Specific Port Open

# Find all hosts with port 9090 open (Cockpit, Prometheus, etc.)
nmap -p 9090 --open 192.168.1.0/24
Output
Nmap scan report for 192.168.1.201
Host is up (0.012s latency).

PORT     STATE SERVICE
9090/tcp open  zeus-admin

Nmap done: 256 IP addresses (4 hosts up) scanned in 28.96 seconds

-sn (ping scan) cannot be combined with -p (port selection). Use -p alone for port-specific scans.

The SERVICE column here is a name lookup from nmap's port table (9090 is registered as zeus-admin), not a detection of what is actually listening. Add -sV to identify the real service.

Common Service Port Scans

# SSH servers
nmap -p 22 --open 192.168.1.0/24
# Web servers (HTTP/HTTPS)
nmap -p 80,443 --open 192.168.1.0/24
# Cockpit / KVM management
nmap -p 9090 --open 192.168.1.0/24
# VNC servers
nmap -p 5900-5910 --open 192.168.1.0/24
# RDP servers
nmap -p 3389 --open 192.168.1.0/24
# Database servers (MySQL, PostgreSQL, Oracle, MongoDB)
nmap -p 3306,5432,1521,27017 --open 192.168.1.0/24

Full Port Scan

# All 65535 ports (slow but thorough)
nmap -p- 192.168.1.201
# Top 1000 ports (default, faster)
nmap 192.168.1.201
# Top 100 ports (fast)
nmap -F 192.168.1.201

Service Detection

Version Detection

# Detect service versions
nmap -sV 192.168.1.201
Output
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6 (protocol 2.0)
80/tcp   open  http    nginx 1.24.0
9090/tcp open  http    Cockpit web service

OS Detection

# Requires root
sudo nmap -O 192.168.1.201

Aggressive Scan (Version + OS + Scripts)

# -A = -sV -O -sC --traceroute; slow and noisy, so aim it at single hosts rather than a whole subnet
sudo nmap -A 192.168.1.201

Finding Lost Devices

The KVM You Forgot About

# Cockpit runs on 9090
nmap -p 9090 --open 192.168.1.0/24

IPMI/BMC (Server Management)

# IPMI (RMCP) listens on UDP 623; nmap -p scans TCP by default, so scan UDP (needs root).
# Unanswered UDP probes show as open|filtered, so confirm real BMCs with -sV or the ipmi-version script.
sudo nmap -sU -p 623 --open 192.168.1.0/24

Printers

# IPP, LPD, JetDirect
nmap -p 631,515,9100 --open 192.168.1.0/24

IoT Devices

# Common IoT ports
nmap -p 80,443,8080,8443,1883,8883 --open 192.168.1.0/24

Multiple Subnets

Scan Multiple Ranges

nmap -sn 192.168.1.0/24 10.50.1.0/24

Scan from File

cat > targets.txt << 'EOF'
192.168.1.0/24
10.50.1.0/24
10.50.10.0/24
EOF
nmap -sn -iL targets.txt

Output Formats

Save Results

# Normal output
nmap -sn 192.168.1.0/24 -oN hosts.txt
# Grepable output (parseable)
nmap -sn 192.168.1.0/24 -oG hosts.gnmap
# XML output
nmap -sn 192.168.1.0/24 -oX hosts.xml
# All formats
nmap -sn 192.168.1.0/24 -oA hosts

Parse Grepable Output

# Extract just IPs
grep "Up$" hosts.gnmap | awk '{print $2}'
# Extract IPs with open ports
grep "/open/" hosts.gnmap | awk '{print $2}'
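The two greps above are enough for a quick look, but `grep "/open/"` matches a whole Host line, so it cannot tell an open port from the closed and filtered entries listed on the same line, and it says nothing about what changed since the last sweep. The script below is an added example, not from the original page: it parses saved -oG files properly and diffs two sweeps to find hosts that appeared or disappeared. The two .gnmap files it writes are constructed samples in the grepable format (real files use tabs between fields, which the parsers tolerate either way), and the `gnmap_*` function names are chosen here.

```bash
# Post-process saved nmap -oG output without re-running nmap.
# Both .gnmap files below are constructed samples, not real scan results.
LC_ALL=C; export LC_ALL
WORK=$(mktemp -d)

# Constructed: yesterday's ping sweep, as from  nmap -sn 192.168.1.0/24 -oG baseline.gnmap
cat > "$WORK/baseline.gnmap" <<'EOF'
# Nmap scan initiated as: nmap -sn -oG baseline.gnmap 192.168.1.0/24
Host: 192.168.1.1 (router.local)	Status: Up
Host: 192.168.1.201 ()	Status: Up
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 2.45 seconds
EOF

# Constructed: today's port scan, as from  nmap -p 22,80,443,9090 192.168.1.0/24 -oG today.gnmap
cat > "$WORK/today.gnmap" <<'EOF'
# Nmap scan initiated as: nmap -p 22,80,443,9090 -oG today.gnmap 192.168.1.0/24
Host: 192.168.1.1 (router.local)	Status: Up
Host: 192.168.1.1 (router.local)	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 9090/closed/tcp//zeus-admin///
Host: 192.168.1.77 ()	Status: Up
Host: 192.168.1.77 ()	Ports: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/filtered/tcp//https///, 9090/closed/tcp//zeus-admin///
Host: 192.168.1.201 ()	Status: Up
Host: 192.168.1.201 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 9090/open/tcp//zeus-admin///
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 28.96 seconds
EOF

# gnmap_up_hosts FILE -> sorted unique IPs reported "Status: Up" (works for -sn and port scans)
gnmap_up_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }' "$1" | sort -u
}

# gnmap_open_ports FILE -> one "IP port/proto service" line per OPEN port.
# Each Ports: entry is port/state/proto/owner/service/rpc/version/ so the state
# is checked per entry; closed and filtered ports on the same line are skipped.
gnmap_open_ports() {
    awk '
        /^Host: / && /Ports: / {
            ip = $2
            sub(/^.*Ports: /, "")
            sub(/[ \t]*Ignored State:.*$/, "")   # trailer nmap adds when it collapses many same-state ports
            n = split($0, entry, ", *")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
            }
        }' "$1"
}

# gnmap_hosts_with_port FILE PORT/PROTO -> IPs where that port is open (e.g. 22/tcp)
gnmap_hosts_with_port() {
    gnmap_open_ports "$1" | awk -v want="$2" '$2 == want { print $1 }'
}

# gnmap_new_hosts BASE CUR  -> hosts Up in CUR that were not Up in BASE
# gnmap_gone_hosts BASE CUR -> hosts Up in BASE that are missing from CUR
# Both lists are sorted by the same C-locale sort, which comm requires.
gnmap_new_hosts() {
    gnmap_up_hosts "$1" > "$WORK/base.lst"
    gnmap_up_hosts "$2" > "$WORK/cur.lst"
    comm -13 "$WORK/base.lst" "$WORK/cur.lst"
}
gnmap_gone_hosts() {
    gnmap_up_hosts "$1" > "$WORK/base.lst"
    gnmap_up_hosts "$2" > "$WORK/cur.lst"
    comm -23 "$WORK/base.lst" "$WORK/cur.lst"
}

echo "== open ports today =="
gnmap_open_ports "$WORK/today.gnmap"
echo "== SSH servers =="
gnmap_hosts_with_port "$WORK/today.gnmap" 22/tcp
echo "== hosts new since baseline =="
gnmap_new_hosts "$WORK/baseline.gnmap" "$WORK/today.gnmap"
echo "== hosts gone since baseline =="
gnmap_gone_hosts "$WORK/baseline.gnmap" "$WORK/today.gnmap"
```

On the sample data this reports seven open ports, three SSH servers, 192.168.1.77 as the host that appeared since the baseline sweep, and nothing gone. Keeping a dated -oG file from each sweep and running the two comm functions against the previous one is a cheap way to notice a new device on the segment before it shows up some other way.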

Speed vs Stealth

Fast Scans

# Aggressive timing
nmap -T4 -p 22,80,443 --open 192.168.1.0/24
# Insane timing (may miss hosts)
nmap -T5 -F 192.168.1.0/24

Slower, More Reliable

# Polite timing
nmap -T2 -sn 192.168.1.0/24

Parallel Scans

# nmap already scans its targets concurrently; --min-parallelism forces more probes in flight
# at once, overriding its congestion control. Very high values can drop replies on slow links.
nmap -sn 192.168.1.0/24 10.50.1.0/24 --min-parallelism 100

Common Errors

Cannot Use -F or -p with -sn

You cannot use -F (fast scan) or -p (explicit port selection) when not doing a port scan
QUITTING!

Fix: Remove -sn when specifying ports:

# Wrong
nmap -sn 192.168.1.0/24 -p 9090 --open

# Correct
nmap -p 9090 --open 192.168.1.0/24

Permission Denied for OS Detection

TCP/IP fingerprinting requires root privileges.

Fix: Use sudo:

sudo nmap -O 192.168.1.201

Quick Recipes

Find All SSH Servers

nmap -p 22 --open 192.168.1.0/24 -oG - | grep "/open/" | awk '{print $2}'

Find All Web Servers

nmap -p 80,443,8080,8443 --open 192.168.1.0/24

Find Hosts Not in DNS

nmap -sn 192.168.1.0/24 | grep "report for" | grep -v "("

Enumerate Everything on a Host

sudo nmap -sV -sC -O -p- 192.168.1.201

See Also