Using nmap to find active IPs on a subnet
Example: a router whose LAN uses the address range 192.168.1.xxx.
Address discovery is faster if you know which port is open on the target device (host), but you can also discover the device when no open port is known.
Unknown open port scan:
nmap -sn 192.168.1.* --open
will report some of the IP addresses that are active on that subnet.
Options:
-sn - ping scan (host discovery only, not a port scan)
--open - only report hosts that appear to be up
Many devices will hide themselves from this scan, but it’s the first thing I try when looking for a device newly attached to the network, such as an IoT device that isn’t trying to hide itself.
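To turn the scan above into a host inventory you can diff against later runs, the output can be parsed instead of read by eye. The following is an added example, not code from the original page: it parses nmap's grepable (-oG) output format, with sample lines constructed to match the shape of `nmap -sn -oG -` and `nmap -Pn -p 22 --open -oG -` output (one "Host:" line per result, tab-separated fields). The host names and addresses in the samples are made up.

```python
"""Parse nmap grepable (-oG) output into a host inventory.

Added example; not part of the original page. The sample lines below are
constructed to match the shape of `nmap -sn -oG -` and `nmap -Pn -p 22 -oG -`
output (one "Host:" line per result, tab-separated fields).
"""
import re
from typing import Dict, List

# Constructed sample: what `nmap -sn 192.168.1.* -oG -` might print for a small LAN.
PING_SCAN_SAMPLE = """\
# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.1.*
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.23 ()\tStatus: Up
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 2.40 seconds
"""

# Constructed sample: `nmap -Pn -p 22 192.168.1.* --open -oG -` with one Pi answering.
PORT_SCAN_SAMPLE = """\
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.23 ()\tPorts: 22/open/tcp//ssh///
"""

_HOST_LINE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s*(?P<rest>.*)$")


def parse_grepable(text: str) -> Dict[str, dict]:
    """Return {ip: {"name": str, "up": bool, "open_ports": [int, ...]}}."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        m = _HOST_LINE.match(line)
        if not m:  # comment lines ("# Nmap ...") and blanks carry no host data
            continue
        entry = hosts.setdefault(m["ip"], {"name": m["name"], "up": False, "open_ports": []})
        for field in m["rest"].split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                # Each entry is port/state/protocol/owner/service/rpc/version; keep open ones
                for spec in value.split(","):
                    parts = spec.strip().split("/")
                    if len(parts) >= 2 and parts[1] == "open":
                        entry["open_ports"].append(int(parts[0]))
    return hosts


def live_hosts(text: str) -> List[str]:
    """Addresses reported as Up, in the order nmap listed them."""
    return [ip for ip, e in parse_grepable(text).items() if e["up"]]


def hosts_with_open_port(text: str, port: int) -> List[str]:
    """Addresses whose Ports field shows `port` open."""
    return [ip for ip, e in parse_grepable(text).items() if port in e["open_ports"]]


if __name__ == "__main__":
    print("up:", live_hosts(PING_SCAN_SAMPLE))
    print("ssh:", hosts_with_open_port(PORT_SCAN_SAMPLE, 22))
```

Feed it real output with `nmap -sn 192.168.1.* --open -oG - | python3 parse_nmap.py` (reading stdin in place of the samples) and keep the resulting address list per run; a new address in `live_hosts` is the newly attached device the page is looking for.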
Port known, IP address scan: port scanning is much faster when the open port is known. Note that in rare cases a firewall schedule or port knocking, used as additional security, can cause the port scan to fail.
Raspberry Pi port scan: assume the address is 192.168.1.xxx and that the factory image runs an SSH server on port 22.
Find the new Raspberry Pi IP address with
nmap -Pn -p 22 192.168.1.* --open
Options:
-Pn - nmap assumes each host is up (skips host discovery)
-p 22 - scan only port 22
--open - only report hosts with the specified port open
Non-nmap alternative: to scan an IP address range for a known open port, the pure Python program findssh.py checks for servers with open ports in under a second, concurrently via Python asyncio.
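The known-port scan above (nmap -Pn -p 22 over the subnet) and the findssh.py approach both come down to one operation: attempt a TCP connection to every candidate address on the known port at the same time and keep the addresses that accept. The block below is an added example written for this page, not findssh.py or any other project's code, using only the Python standard library. `scan_subnet("192.168.1", 22)` is the equivalent of the nmap command for a /24 (it covers .1 through .254); `demo_loopback` is an offline self-check that listens on one loopback port, leaves another closed, and confirms the scanner reports only the open one.

```python
"""Concurrent TCP connect check for a known port across many addresses.

Added example, not findssh.py or any other project's code. Standard library
only. When the open port is known, a plain TCP connect attempt to every
candidate address at once is enough to find the host; the semaphore keeps
the number of in-flight connections bounded.
"""
import asyncio
from typing import Iterable, List, Tuple

Target = Tuple[str, int]


async def tcp_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake with host:port completes within `timeout` seconds."""
    try:
        _reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    except (OSError, asyncio.TimeoutError):  # refused, unreachable, or no answer in time
        return False
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:  # peer may reset first; the port still accepted the connection
        pass
    return True


async def scan_targets(targets: Iterable[Target], timeout: float = 0.5,
                       parallel: int = 256) -> List[Target]:
    """Probe all targets concurrently (at most `parallel` at once); return those that accepted."""
    gate = asyncio.Semaphore(parallel)

    async def probe(target: Target):
        async with gate:
            return target if await tcp_open(*target, timeout=timeout) else None

    results = await asyncio.gather(*(probe(t) for t in targets))
    return [t for t in results if t is not None]  # gather keeps input order


def scan_subnet(prefix: str, port: int, timeout: float = 0.5) -> List[Target]:
    """Check `port` on prefix.1 .. prefix.254, e.g. scan_subnet('192.168.1', 22)."""
    targets = [(f"{prefix}.{i}", port) for i in range(1, 255)]
    return asyncio.run(scan_targets(targets, timeout))


def demo_loopback() -> Tuple[int, int, List[Target]]:
    """Offline self-check: listen on one loopback port, leave another closed, scan both."""
    async def run():
        listener = await asyncio.start_server(lambda r, w: w.close(), "127.0.0.1", 0)
        open_port = listener.sockets[0].getsockname()[1]
        spare = await asyncio.start_server(lambda r, w: w.close(), "127.0.0.1", 0)
        closed_port = spare.sockets[0].getsockname()[1]
        spare.close()  # listening socket is closed, so connects to closed_port are refused
        try:
            found = await scan_targets([("127.0.0.1", open_port), ("127.0.0.1", closed_port)])
        finally:
            listener.close()
        return open_port, closed_port, found
    return asyncio.run(run())


if __name__ == "__main__":
    print(demo_loopback())
```

A connect check only tells you that something accepted a TCP handshake on that port, not that it is SSH, and a host behind a port-knocking or scheduled firewall rule (the failure mode noted above) simply shows up as closed or timed out; for those, the `timeout` argument is the knob to widen before concluding the device is absent.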