Using nmap to find active IPs on a subnet

Example: router with LAN IP address range 192.168.1.xxx.

Address discovery is faster if you know which port is open on the targeted device (host). However, you can also discover the device if the open port is unknown.

Unknown open port scan:

nmap -sn 192.168.1.* --open

will tell you some of the IP addresses that are active on that subnet.

Options:

-sn
check if pingable (ping scan, not port scan)
--open
only report hosts that appear to be up

Many devices will hide themselves from this scan, but it’s the first thing I try for finding a new device that attached to the network, such as an IoT device that isn’t trying to hide itself.

Port known, IP address scan: port scanning is much faster when the open port is known. Note that in some rare cases a firewall schedule or port knocking, used as additional security, could cause a port scan to fail.

Raspberry Pi port scan: assume the subnet is known to be 192.168.1.xxx and that the factory image has an SSH server on port 22.

Find the new Raspberry Pi IP address with

nmap -Pn -p 22 192.168.1.* --open

-Pn
nmap assumes each host is up (skips host discovery)
--open
only show hosts with the specified port open

Non-nmap alternative for scanning an IP address range with a known open port: the pure Python program findssh.py scans for servers with open ports in less than a second, concurrently via Python asyncio.
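The known-port approach above (one connection attempt to port 22 on every 192.168.1.xxx address, all in flight at once) as an added example; this is not findssh.py or nmap, only a minimal asyncio scanner with a constructed localhost self-check, and the function names, the 0.5 s timeout and the 256-socket cap are choices made here.

```python
"""Concurrent known-port host discovery with asyncio (added example)."""
import asyncio
import ipaddress
import socket

async def _port_open(host: str, port: int, timeout: float) -> bool:
    """True if a TCP connect to host:port completes within timeout."""
    try:
        _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    except (OSError, asyncio.TimeoutError):
        return False  # refused, unreachable, or silently dropped (firewall)
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:
        pass
    return True

async def _scan(hosts: list[str], port: int, timeout: float, limit: int) -> list[str]:
    sem = asyncio.Semaphore(limit)  # cap concurrent sockets to stay under fd limits

    async def probe(host: str) -> tuple[str, bool]:
        async with sem:
            return host, await _port_open(host, port, timeout)

    results = await asyncio.gather(*(probe(h) for h in hosts))
    return [h for h, up in results if up]

def hosts_in(network: str) -> list[str]:
    """Usable host addresses of a CIDR subnet, e.g. '192.168.1.0/24'."""
    return [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]

def find_hosts_with_port(hosts: list[str], port: int, timeout: float = 0.5, limit: int = 256) -> list[str]:
    """Return the hosts on which `port` accepted a TCP connection."""
    return asyncio.run(_scan(hosts, port, timeout, limit))

def demo_localhost() -> tuple[list[str], list[str]]:
    """Offline self-check: a listening socket on 127.0.0.1 is found, a closed port is not."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))  # constructed: ephemeral port on loopback
        listener.listen(8)
        open_port = listener.getsockname()[1]
        found_open = find_hosts_with_port(["127.0.0.1"], open_port)
    found_closed = find_hosts_with_port(["127.0.0.1"], open_port)  # listener is gone now
    return found_open, found_closed

if __name__ == "__main__":
    print(demo_localhost())
    # LAN use, matching the Raspberry Pi case in the post:
    # print(find_hosts_with_port(hosts_in("192.168.1.0/24"), 22))
```

Like nmap -Pn, this skips host discovery entirely, so a device that drops SYNs to the probed port simply times out and is reported as absent.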