Top Host Discovery Techniques in Ethical Hacking | ICMP, ARP, TCP Scans Explained

Table of Contents

• What Is Host Discovery?
•  Common Host Discovery Techniques
• Variants of ICMP Ping Techniques
• TCP SYN vs. ICMP ECHO Ping (Example Snapshots)
• Ping Sweep Tools for Host Discovery
• Blog Diagram (Textual Representation)
•  Use Cases in Ethical Hacking
•  Best Practices
•  Conclusion
•  Frequently Asked Questions (FAQs)

Host discovery is a critical phase in ethical hacking and penetration testing. It helps identify which systems in a network are active (live hosts) and responsive to communication. These techniques are used before any deeper enumeration or vulnerability scanning is performed.

In this blog, we’ll explore different host discovery techniques, their command-line usage (especially with Nmap), and tools that can automate ping sweeps across subnets.

 What Is Host Discovery?

Host discovery is the process of finding live systems (hosts) on a network. Before launching an attack or scan, attackers or network admins need to know what devices are up and running.

Using specific network probes like ICMP, TCP, ARP, or UDP, the scanning tool determines whether a host is reachable and responsive. This is often the first step in scanning and reconnaissance.

 Common Host Discovery Techniques

Here are the most widely used host discovery techniques, particularly with tools like Nmap.

1. ICMP Ping Scan

This method uses the Internet Control Message Protocol (ICMP) to send echo requests (ping). If the host is live, it replies back with an echo reply.

Command:

nmap -sn -PE 

2. ARP Ping Scan

Used in LAN environments. This method sends ARP requests to discover hosts in a subnet.

 Command:

nmap -sn -PR 

3. UDP Ping Scan

Sends UDP packets to check for live systems. Hosts may respond with ICMP port unreachable messages, confirming their presence.

 Command:

nmap -sn -PU 

4. TCP Ping Scan

A TCP-based scan using SYN or ACK packets to check if hosts respond at the transport layer.

 Commands:

nmap -sn -PS   # SYN Ping  
nmap -sn -PA   # ACK Ping

5. IP Protocol Ping Scan

Sends IP packets using specific protocols (e.g., ICMP, IGMP) to identify live hosts.

 Command:

nmap -sn -PO 

Variants of ICMP Ping Techniques

These help bypass filters or firewalls that block standard ICMP echo replies.

 TCP SYN vs. ICMP ECHO Ping (Example Snapshots)

The images in the module show:

• TCP SYN Ping identifying a single live system (10.1.0.11)

• ICMP ECHO Ping Sweep identifying multiple hosts (10.1.5.24, 10.1.0.22, etc.)

These scans are incredibly useful in internal network enumeration.

 Ping Sweep Tools for Host Discovery

These GUI-based or CLI tools can automate ping sweeps and simplify network analysis:

• Angry IP Scanner

• SolarWinds Engineer’s Toolset

• NetScanTools Pro

• Colasoft Ping Tool

• Advanced IP Scanner

• ManageEngine OpUtils

They can discover hosts, detect duplicate IPs, and export network maps.

 Blog Diagram (Textual Representation)

Here is a simple diagram-style flow that mirrors the original image:

Host Discovery Techniques
│
├── ICMP Ping Scan ──► nmap -sn -PE 
│   ├── ICMP Timestamp Ping ──► nmap -sn -PP 
│   └── ICMP Address Mask Ping ──► nmap -sn -PM 
│
├── ARP Ping Scan ──► nmap -sn -PR 
├── UDP Ping Scan ──► nmap -sn -PU 
├── TCP Ping Scan
│   ├── TCP SYN Ping ──► nmap -sn -PS 
│   └── TCP ACK Ping ──► nmap -sn -PA 
└── IP Protocol Ping Scan ──► nmap -sn -PO 

 Use Cases in Ethical Hacking

 Best Practices

• Always use host discovery on authorized networks.

• Combine ICMP and TCP-based pings to evade firewalls.

• Use ping sweeps to identify IP ranges with live hosts.

• Tools like Nmap allow customizing packet type, size, and timing.

 Conclusion

Host discovery is foundational in ethical hacking, as it determines the attack surface. Using techniques like ICMP, ARP, and TCP pings, professionals can swiftly discover all reachable systems in a network.

Whether you’re using Nmap CLI or graphical tools like NetScanTools Pro or Angry IP Scanner, understanding these techniques will significantly improve your scanning accuracy and penetration test planning.

 FAQ 

What is host discovery in network scanning?

Host discovery is the process of identifying active or live systems in a network before performing port scanning or vulnerability analysis.

Which tool is commonly used for host discovery?

Nmap is one of the most commonly used tools for host discovery due to its wide range of scanning options.

What is an ICMP Ping Scan?

ICMP Ping Scan sends ICMP echo requests to determine if a host is up. If the host responds, it is considered live.

How does an ARP Ping Scan work?

An ARP Ping Scan sends ARP requests to IP addresses on a local network. If a device replies with a MAC address, it confirms the device is live.

What does the command nmap -sn -PE do?

This command sends ICMP Echo requests to check if the IP address is up, used in ICMP Ping Scanning.

Is ARP scanning possible on the internet?

No, ARP scanning only works within local networks (LANs) because ARP does not traverse routers.

What is a TCP SYN Ping Scan?

It sends a SYN packet to a target and waits for a SYN-ACK response. It is used to check if the host is live without completing the full TCP handshake.

What is the use of a TCP ACK Ping Scan?

It sends TCP ACK packets to determine if a firewall allows ACK responses, useful for bypassing certain security measures.

What is a UDP Ping Scan?

UDP Ping sends empty UDP packets to specific ports. If there’s a response or ICMP unreachable message, it helps identify live systems.

What is the command to perform a TCP SYN Ping Scan in Nmap?

How is host discovery different from port scanning?

Host discovery identifies live systems; port scanning identifies open ports and services running on those systems.

What is ICMP Echo Ping Sweep?

It involves sending ICMP Echo Requests to multiple IPs in a range to discover live hosts in that segment.

What is the use of nmap -sn -PE ?

This performs an ICMP Echo Ping Sweep on the given IP range.

What does the flag -sn in Nmap do?

It disables port scanning and enables host discovery only.

What are common tools for ping sweeps?

Angry IP Scanner, NetScanTools Pro, Advanced IP Scanner, SolarWinds Engineer's Toolset.

What is IP Protocol Ping Scan?

It sends IP packets with no higher-level protocol headers to detect hosts by their ICMP unreachable replies.

What is the difference between ACK and SYN Ping Scan?

• SYN Ping: Checks if host accepts SYN packets.

• ACK Ping: Checks firewall rules by sending ACK packets.

Which scan is stealthier: TCP SYN or TCP ACK?

TCP SYN is stealthier since it doesn’t complete the full connection, reducing detection chances.

How does Nmap detect live hosts?

Nmap uses a combination of ICMP, ARP, TCP, and UDP ping scans to detect live systems.

Why are ICMP scans sometimes blocked?

Many firewalls block ICMP Echo requests to prevent ping-based network discovery.

What is the role of ICMP Timestamp Ping?

It sends timestamp request packets to measure latency and detect live systems.

What is the difference between ICMP and ARP scans?

ICMP works across networks; ARP works only within a local subnet.

How can you scan a network with no ICMP response?

Use ARP, TCP SYN, or TCP ACK ping scans to discover hosts without relying on ICMP.

What is a "live system" in ethical hacking?

A live system is a device on a network that responds to requests and is reachable.

Can you detect hidden devices with ping scans?

Some stealthy devices may not respond to pings; additional techniques or tools may be required.

Why use multiple types of ping scans?

Some hosts may respond to certain types of scans and not others, so using multiple increases detection accuracy.

What is nmap -sn -PR used for?

It initiates an ARP Ping Scan on the specified IP.

What are common reasons a ping scan fails?

Firewalls, ICMP blocking, rate limiting, host is down, or misconfigured network settings.

Can you scan an entire subnet with ICMP Echo?

Yes, by using ICMP Echo Ping Sweep on a range like nmap -sn -PE 192.168.1.0/24.

What is the output of a successful ping scan?

It shows the IPs or hostnames that responded, confirming they're active on the network.