Scanning Networks

Welcome to the Scanning Networks module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam.

Host Discovery

Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal is to send a packet thru to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response.


Netdiscover is a discovery tool and is built into Kali Linux 2018.2. Currently in the 03-pre-beta7 version and written by Jaime Penalba, Netdiscover can reform reconnaissance and discovery on both wireless and switched networks using ARP requests.

To launch Netdiscover, type netdiscover –h to view the usage options. Should you only type the netdiscover command by itself, Netdiscover will launch a default scan.)

netdiscover -i (network interface name) (example: eth0 or tun0)
netdiscover -i eth0
netdiscover -r

eth0 may differ if you are on a VPN network. Mostly it would be tun0

  • This will help to get all available machines on the network.

  • Always make a habit of saving the IP of the machines since we use themin a lot.


We can also use nmap to discover hosts in a given IP subnet.

Note: In the upcoming section, you will learn what the nmap is and its uses are. Please refer to the below section.

nmap -sn -vv -oA nmapHostsOutput
    β€’ -sn -> Disable Port scanning
    β€’ -vv -> verbose mode
    β€’ -0A -> output the results in 3 types of format(nmap, gnmap, xml)


Introduction to Nmap

Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what's connected, what services each host is operating, and so on. It was created by Gordon Lyon. It supports a large number of scanning techniques, such as UDP, TCP connect (), TCP SYN (half-open), and FTP. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

Basic command

nmap -p- -sC -sV -O -A -T4 -oA nmapOutputfile 10.10.X.X

    β€’ -p- -> Scans all the ports from 0 to 65535 available on the IP
    β€’ -sC -> Runs default scripts
    β€’ -sV -> version enumeration or service version
    β€’ -O  -> OS enumeration
    β€’ -A  -> Enumerate all the stuff as much as it can
    β€’ -T4 -> fast as time 4 (default is 3)
    β€’ -oA -> store the output on 3 types of format(nmap, gnmap, xml)

Cheatsheet for nmap

This cheat sheet was prepared by You can also check out the cheatsheet. I've attached the file belowπŸ‘‡πŸ»

Switches in nmap which you might need to know



ACK scan


FIN scan


IDLE scan


DNS scan (list scan)


NULL scan


Protocol scan (tests which IP protocols respond)


Ping scan


RPC scan


SYN scan


TCP connect scan


Window scan


XMAS scan


OS detection, version detection, script scanning and traceroute


ICMP ping


No ping


SYN ping


TCP ping


output the results in 3 types of format(nmap, gnmap, xml)


Normal output


XML output

-T0 through -T2

Serial scans. T0 is slowest

-T3 through -T5

Parallel scans. T3 is slowest

Port specific NSE scripts

Using NSE we can perform specific enumeration or exploitation on a host.

ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*

Bypassing Firewall



nmap -f


nmap -g 80

Port Manipulation


nmap -mtu 8

Crunching down Packets to 8 Byte


nmap -D RND:10

Perform Decoy Scan and Generates Random non-reserved IP

β€”data 0xdeadbeef

nmap --data 0xdeadbeef

Send the binary data 0's and 1's

--data-string "Ph34r my l33t skills"

nmap --data-string "Ph34r my l33t skills"

Send strings as payload

--data-length 5

nmap --data-length 5


nmap --randomize-hosts

send request to a IP from Random non-reserved IP


nmap --badsum

Sends Bad or Bongus TCP/USP Checksum


Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

  • I strongly recomend you to go with Zenmap for the exam point of view.

  • When you started your exam, the first objective you have to do is that start Zenmap (GUI Version of Nmap) scan on your windows machine.

  • The reason is that in Parrot OS you may find it hard to parse all the IPs because the green colour with the terminal might overwhelm you. Instead, the Zenmap GUI would be useful to find out the services, OS running on that IP with a cute User Interface.

  • Trust me!πŸ’ͺ🏻 this would be the great life-changer of your exam.

  • I know as a penetration tester working on the terminal is cool 😎 but in the heat of the moment, the browser-based VM would make you tense.

Angry IP Scanner

  • Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has many other features.

  • It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies.

  • It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well.


  • MegaPing is the ultimate must-have toolkit that provides all essential utilities for Information System specialists, system administrators, IT solution providers or individuals.

  • Mega Ping is also a port and service scanning tool which is for Windows.


  • hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies.

  • It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the Tcl language.

  • Hping3 is a python based tool used to scan and flood(DOS) the particular IP.

hping3 10.10.10.x --udp --random-source --data 500
hping3 -S 10.10.10.x -p 80 -c 5 (5 TCP packets sent)
hping3 10.10.10.x --flood (PING OF DEATH! Flooding the IP with TCP Packets)

Later in the upcoming modules you may read have chance to use Hping3. But for time being as per my suggestion, use ZenMap GUI to scan the IP range to get the information or if you are comfortable with CLI go for nmap.

Operating System Discovery

  • The Operating System(OS) discovery has two types they are:

    • Active Banner Grabbing

    • Passive Banner Grabbing

  • By Banner Grabbing the TTL and TCP Window Size of respective IP, we can identify the Operating System that server runs on. Here are the list of Operating System.

Operating System (OS)Time To LiveTCP Window Size

Linux (Kernel 2.4 and 2.6)



Google Linux









Windows 95



Windows 2000



Windows XP



Windows 98, Vista and 7 (Server 2008)



iOS 12.4 (Cisco Routers)



Solaris 7



AIX 4.3



Nmap Script

nmap --script smb-os-discovery.nse 10.10.10.x


We can also scan our target using metasploit

Init the Metasploit Framework and check the status of database

msfdb init
service postgresql start
db status

Scanning using Nmap inside Metasploit

nmap -Pn -sS -A -oX Test 10.10.10/24
db import Test
hosts (Here you will now listed with the Details of the subnets)
services or db_services

As per my whish i avoided the Nmap scan using Metasploit because it might looks process tedious as for me where using ZenMap GUI or even through Nmap CLI are even much easier you can get the available machine's IP from the IP subnet through hostdiscover command.

Last updated