# Host Scanning

{% hint style="danger" %}
Make sure to use the following room for target: <https://tryhackme.com/room/furthernmap>
{% endhint %}

## Scenario

Imagine you’ve just been hired by a mid-sized company called **XYZ Corp** to perform a **gray-box penetration test**. You’ve been told that the internal security team wants a full assessment of their infrastructure, and since it's a gray-box test, you’re given *some* information to begin with.

The only thing you're handed as **IN-SCOPE** is a **CIDR IP range** that represents the internal network:

```
10.10.0.0/16
```

You're told this test will take place **within their internal network environment**, meaning we connect to their internal network over OpenVPN.

Since we are given a whole subnet (the `/16` range) rather than a single address, there may be **multiple active machines** in it. So we scan the entire **CIDR range** to find out which hosts within the network are alive before spending any time on individual targets.

## Finding Alive Hosts with Nmap

In this section, we'll focus on identifying **live hosts** — machines that are up and responsive on the network. We’ll use Nmap for this, which is one of the most widely used network scanning tools.

### Scan a Single Host by IP Address

In case we are given just a single IP as scope, we can simply pass the IP to Nmap like so:

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sn 10.10.19.186              
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 10:25 +0545
Nmap scan report for 10.10.19.186
Host is up (0.20s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
</code></pre>

In the above command, the `-sn` flag tells Nmap to perform host discovery only (a "ping scan") and not to port-scan the host. All we need to know at this point is whether the given host (target IP) is alive or down. Note that the probes Nmap sends depend on your privileges: run as an unprivileged user, as here, host discovery is a TCP connect to ports 80 and 443 (which is why the verbose output below reports `[2 ports/host]` and `received syn-ack`); run as root against a remote network, Nmap instead sends an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request, so a host that filters 80/443 may only show up when you scan with `sudo`.

### Scan a CIDR Range

In assessments, we are typically given a CIDR range of the internal network of the environment. With just the CIDR range, we must be able to identify alive hosts within it. Since the CIDR range is in scope, we can target any alive host that's part of it.

In our scenario, we're given the range `10.10.0.0/16`. We can use a subnet calculator, such as [this one](https://www.calculator.net/ip-subnet-calculator.html), to see how many usable hosts it can contain. A `/16` covers 65,536 addresses; minus the network and broadcast addresses, that is **65,534 usable hosts**.

Since sweeping the entire range takes a long time, we'll limit the scan to the `/24` that contains the target IP, `10.10.19.0/24`, which is 256 addresses. In a real assessment the whole `/16` is in scope, so you would still sweep all of it eventually, typically one `/24` at a time so that partial results are saved as you go.

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap 10.10.19.0/24 -sn -vv
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 10:14 +0545
Initiating Ping Scan at 10:14
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 10:14, 11.04s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 5 hosts. at 10:14
Completed Parallel DNS resolution of 5 hosts. at 10:14, 0.02s elapsed
Nmap scan report for 10.10.19.0 [host down, received no-response]
Nmap scan report for 10.10.19.1 [host down, received no-response]
//..SNIP..//
Nmap scan report for 10.10.19.42 [host down, received no-response]
<strong>Nmap scan report for 10.10.19.43
</strong><strong>Host is up, received syn-ack (0.18s latency).
</strong>Nmap scan report for 10.10.19.44 [host down, received no-response]
//..SNIP..//
Nmap scan report for 10.10.19.83 [host down, received no-response]
<strong>Nmap scan report for 10.10.19.84
</strong><strong>Host is up, received syn-ack (0.18s latency).
</strong>Nmap scan report for 10.10.19.85 [host down, received no-response]
//..SNIP..//
Nmap scan report for 10.10.19.96 [host down, received no-response]
<strong>Nmap scan report for 10.10.19.97
</strong><strong>Host is up, received syn-ack (0.18s latency).
</strong>Nmap scan report for 10.10.19.98 [host down, received no-response]
//..SNIP..//
Nmap scan report for 10.10.19.102 [host down, received no-response]
<strong>Nmap scan report for 10.10.19.103
</strong><strong>Host is up, received syn-ack (0.18s latency).
</strong>Nmap scan report for 10.10.19.104 [host down, received no-response]
//..SNIP..//
Nmap scan report for 10.10.19.185 [host down, received no-response]
<strong>Nmap scan report for 10.10.19.186
</strong><strong>Host is up, received syn-ack (0.17s latency).
</strong>Nmap scan report for 10.10.19.187 [host down, received no-response]
//..SNIP..//
Nmap scan report for 10.10.19.255 [host down, received no-response]
<strong>Nmap done: 256 IP addresses (5 hosts up) scanned in 11.06 seconds
</strong></code></pre>

In the above scan, Nmap found 5 hosts up out of 256 IPs in 11.06 seconds.
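The following is an added example, not code from the original page or the TryHackMe room. It turns the `/24`-at-a-time approach into a repeatable sweep of the whole `/16`: each `/24` is scanned with `nmap -sn`, the greppable output (`-oG`) is kept per subnet, and the host lines are split into an `alive.txt` list (the targets for the port scans in the next section) and a `no_response.txt` list (in-scope addresses that did not answer the discovery probes). The `-v` flag is required for down hosts to appear in greppable output. The `SAMPLE_OG` text is a constructed stand-in for Nmap output so the parsing can be exercised offline; the output directory and file names are this example's own choices.

```shell
#!/bin/sh
# Added example: sweep a /16 for live hosts one /24 at a time and collect
# the results from Nmap's greppable (-oG) output. Not part of the original page.

# Expand a.b.0.0/16 into its 256 /24 subnets, one per line.
cidr16_to_24s() {
    base=${1%/16}                     # strip the prefix length
    a=${base%%.*}                     # first octet
    rest=${base#*.}
    b=${rest%%.*}                     # second octet
    i=0
    while [ "$i" -le 255 ]; do
        printf '%s.%s.%s.0/24\n' "$a" "$b" "$i"
        i=$((i + 1))
    done
}

# Read greppable output on stdin and print the IPs reported as up.
# A host line looks like:  Host: 10.10.19.43 ()   Status: Up
alive_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Same, but for hosts that gave no response to the discovery probes
# (only present in -oG output when Nmap runs with -v).
silent_hosts() {
    awk '/^Host:/ && /Status: Down/ { print $2 }'
}

# Scan every /24 of the given /16, keeping one .gnmap file per subnet,
# then build alive.txt and no_response.txt from all of them.
# Usage: sweep_slash16 10.10.0.0/16 scans/xyz-corp
sweep_slash16() {
    range=$1
    outdir=$2
    mkdir -p "$outdir"
    cidr16_to_24s "$range" | while read -r subnet; do
        tag=${subnet%/24}
        # -v so that down hosts are recorded too; stdout is discarded
        # because the .gnmap file is the copy we parse.
        nmap -sn -v -oG "$outdir/$tag.gnmap" "$subnet" >/dev/null
    done
    cat "$outdir"/*.gnmap | alive_hosts  > "$outdir/alive.txt"
    cat "$outdir"/*.gnmap | silent_hosts > "$outdir/no_response.txt"
}

# Constructed sample of greppable host-discovery output (not real scan
# output), shaped like the /24 sweep on this page, for offline testing.
SAMPLE_OG='# Nmap 7.94SVN scan initiated as: nmap -sn -v -oG - 10.10.19.0/24
Host: 10.10.19.1 ()	Status: Down
Host: 10.10.19.43 ()	Status: Up
Host: 10.10.19.84 ()	Status: Up
Host: 10.10.19.103 ()	Status: Down
Host: 10.10.19.186 ()	Status: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 11.06 seconds'

# Demonstration on the constructed sample: the three live addresses.
printf '%s\n' "$SAMPLE_OG" | alive_hosts
```

The addresses in `no_response.txt` are still in scope; they are the ones to revisit later with `-Pn` (skip host discovery and port-scan anyway), since silence to two TCP probes does not prove a machine is offline.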

### Scan Multiple IP Addresses

Let's say in the assessment we’re given only 3 IPs in scope: `10.10.19.186`, `10.10.19.84`, and `10.10.19.103`.

We can scan them in two ways:

**Using a list file:**

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sn -iL ip_list.txt                       
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 10:37 +0545
Nmap scan report for 10.10.19.186
Host is up (0.24s latency).
Nmap scan report for 10.10.19.84
Host is up (0.24s latency).
<strong>Nmap done: 3 IP addresses (2 hosts up) scanned in 2.92 seconds
</strong></code></pre>

Where `ip_list.txt` contains the three IPs, one per line.

**Passing all IPs as arguments:**

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sn 10.10.19.186 10.10.19.84 10.10.19.103 
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 10:36 +0545
Nmap scan report for 10.10.19.186
Host is up (0.18s latency).
Nmap scan report for 10.10.19.84
Host is up (0.18s latency).
<strong>Nmap done: 3 IP addresses (2 hosts up) scanned in 2.41 seconds
</strong></code></pre>

As you can see from the output of both commands, Nmap reports that 2 hosts are up out of the 3 in scope. This means one host, `10.10.19.103`, did not respond to the discovery probes. That is not the same as being offline: a host that filters the probe ports (or ICMP, in a privileged scan) looks exactly like a dead one. Since the address is in scope, the right follow-up is `nmap -Pn 10.10.19.103`, which skips host discovery and port-scans it anyway. Note also that the set of "up" hosts differs between the runs on this page (`.103` was up in the `/24` sweep above), which is normal in a shared lab where machines start and stop; re-run discovery before relying on an old list.

### Scan an IP Range

We can scan a range of IPs like this as well:

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sn 10.10.19.1-100
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 10:40 +0545
Nmap scan report for 10.10.19.43
Host is up (0.21s latency).
Nmap scan report for 10.10.19.84
Host is up (0.21s latency).
Nmap scan report for 10.10.19.85
Host is up (0.21s latency).
Nmap scan report for 10.10.19.97
Host is up (0.20s latency).
<strong>Nmap done: 100 IP addresses (4 hosts up) scanned in 8.66 seconds
</strong></code></pre>

This will scan from `.1` to `.100` in the `10.10.19.x` network.

## Bonus

Although these are part of the bonus, you’ll be using them quite often—so make sure to take good notes on them as well.

### Verbose Output

**Verbose** output means Nmap reports more about what it is doing while it works. The `-v` flag enables basic verbosity, while `-vv` gives even more detail.

**What does this mean?**\
Normally, Nmap prints the results only once the scan has finished, and only for hosts that are up. With `-vv`, you get progress updates as the scan runs (which phase it is in, how many hosts and probes are involved) and a report line for every scanned address, including the ones that were down (`[host down, received no-response]`).

For example, in the **"Scan a CIDR Range"** section, I used the `-vv` flag. The output listed each scanned IP and showed whether it was up or down, which I had to snip because it was too long. Look at the example below, where I scanned 10 IPs and all of them were down.

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sn 10.10.19.1-10 -vv
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 10:45 +0545
Initiating Ping Scan at 10:45
Scanning 10 hosts [2 ports/host]
Completed Ping Scan at 10:46, 5.00s elapsed (10 total hosts)
Nmap scan report for 10.10.19.1 [host down, received no-response]
Nmap scan report for 10.10.19.2 [host down, received no-response]
Nmap scan report for 10.10.19.3 [host down, received no-response]
Nmap scan report for 10.10.19.4 [host down, received no-response]
Nmap scan report for 10.10.19.5 [host down, received no-response]
Nmap scan report for 10.10.19.6 [host down, received no-response]
Nmap scan report for 10.10.19.7 [host down, received no-response]
Nmap scan report for 10.10.19.8 [host down, received no-response]
Nmap scan report for 10.10.19.9 [host down, received no-response]
Nmap scan report for 10.10.19.10 [host down, received no-response]
<strong>Nmap done: 10 IP addresses (0 hosts up) scanned in 5.01 seconds
</strong></code></pre>

### Scan Speed

We can use the `-T` flag in Nmap to adjust the timing and speed of the scan. This ranges from `0` (the slowest and most stealthy) to `5` (the fastest and most aggressive). The following table describes all the timing levels:

| Value | Timing Template  | Description                         |
| ----- | ---------------- | ----------------------------------- |
| 0     | Paranoid         | Very slow, used for IDS evasion     |
| 1     | Sneaky           | Slow, also used for stealth         |
| 2     | Polite           | Slows down to use less bandwidth    |
| 3     | Normal (default) | Balanced speed and stealth          |
| 4     | Aggressive       | Faster, but more detectable         |
| 5     | Insane           | Very fast, likely to trigger alerts |

The following shows a `/24` sweep with the timing template raised to `4` using `-T4`.

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sn -T4 10.10.19.0/24
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 10:49 +0545
Nmap scan report for 10.10.19.43
Host is up (0.25s latency).
Nmap scan report for 10.10.19.85
Host is up (0.25s latency).
Nmap scan report for 10.10.19.97
Host is up (0.18s latency).
Nmap scan report for 10.10.19.186
Host is up (0.27s latency).
<strong>Nmap done: 256 IP addresses (4 hosts up) scanned in 33.77 seconds
</strong></code></pre>

### Compare Speed

Let's scan 101 IP addresses using `-T4`, without the timing flag, and with the `-T1` flag, and see how much time it takes for all of them to finish the scan.

{% tabs %}
{% tab title="Without Timing Flag" %}

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sn 10.10.19.0-100 
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 10:53 +0545
Nmap scan report for 10.10.19.43
Host is up (0.17s latency).
Nmap scan report for 10.10.19.85
Host is up (0.23s latency).
Nmap scan report for 10.10.19.97
Host is up (0.22s latency).
<strong>Nmap done: 101 IP addresses (3 hosts up) scanned in 8.89 seconds
</strong></code></pre>

{% hint style="info" %}
By default, if we do not set any timing flag, Nmap uses the default speed and timing options (i.e. `-T3`)
{% endhint %}
{% endtab %}

{% tab title="With -T4" %}

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sn -T4 10.10.19.0-100
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 10:54 +0545
Nmap scan report for 10.10.19.43
Host is up (0.20s latency).
Nmap scan report for 10.10.19.85
Host is up (0.18s latency).
Nmap scan report for 10.10.19.97
Host is up (0.24s latency).
<strong>Nmap done: 101 IP addresses (3 hosts up) scanned in 7.25 seconds
</strong></code></pre>

If you notice, using the `-T4` flag, the scan took 7.25 seconds to scan 101 IP addresses, with 3 hosts up. When no timing flag was set (which defaults to `-T3`), the scan took 8.89 seconds. So `-T4` shaved a little off the run, but a difference of a second or two is within the noise of a VPN link: the `-T4` sweep of the full `/24` earlier on this page took 33.77 seconds, three times longer than the 11.06-second run without a timing flag. For host discovery, where only a couple of probes go to each address, wall-clock time is dominated by network latency and retries rather than by the timing template; the template matters far more for port scans.
{% endtab %}

{% tab title="With -T1" %}

<figure><img src="/files/wXE7RFFKeTpoOoIT1wIP" alt=""><figcaption></figcaption></figure>

I didn't wait for the scan with `-T1` to finish because it takes <mark style="color:yellow;">*really* long, like, *really* long</mark>. Not kidding, haha! I stopped the scan after 22 minutes and 57 seconds, and it still hadn't finished finding alive hosts in the range `10.10.19.0-100`.

Slow templates like this space the probes out so that simple rate-based detection (many connections from one source in a short window) never trips. They help against basic IDS rules and firewalls. Modern stateful firewalls and next-generation firewalls that log every connection and correlate events over longer periods can still pick the scan out, even at `-T0`.
{% endtab %}
{% endtabs %}

{% hint style="danger" %}
When playing CTFs, it's fine to use the `-T4` flag for timing and speed. However, when performing a real assessment or pentest, choose the scan speed based on the goal. If we need to work quietly (without alerting defenders or triggering firewall rules), we may want to lower the timing depending on the environment. In a non-evasive assessment, `-T3` (the default) is normally appropriate and won't overwhelm the systems. Never use `-T5` against a production environment: besides the load it puts on the targets, it cuts probe timeouts and retries so aggressively that on a laggy link (such as the VPN used here) it silently misses hosts and ports, so the "fast" scan is also the least accurate one.
{% endhint %}

## Conclusion

Now that we know **which hosts are up**, the next step is to **dive deeper** into those individual hosts. In the next section, we’ll explore how to use Nmap to:

* Discover **open ports**
* Enumerate **running services**


