Example: router with LAN IP address range 192.168.1.xxx.
Address discovery is faster if you know which port is open on the device (host) you are looking for. However, you can also discover the device when the open port is unknown.
Unknown open port scan
nmap -sn 192.168.1.* --open
will tell you some of the IP addresses that are active on that subnet.
- check if pingable (ping scan, not port scan)
- only tell which hosts appear to be up
Many devices will hide themselves from this scan, but it’s the first thing I try when finding a new device that has attached to your network, such as an IoT device that isn’t trying to hide itself.
Port known, IP address scan
Port scanning is much faster when the open port is known. Note that in some rare cases a firewall schedule or port knocking, used as additional security, could cause a port scan to fail.
Raspberry Pi port scan
Assume the subnet 192.168.1.xxx is known and that the factory image has an SSH server on port 22.
Find the new Raspberry Pi IP address with
nmap -Pn -p 22 192.168.1.* --open
- -Pn: nmap skips host discovery and treats each host as up
- -p 22 --open: report only hosts with the specified port open
non-nmap: scan IP address range with known open port
- Pure Python program findssh.py scans for servers with open port
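The same single-port sweep in plain Python, as an added example that is not the findssh.py program above: a TCP connect probe with a short timeout, run in parallel over a /24, with the probe injectable so the logic can be exercised without touching a network (the network range and port are assumptions matching the page).

```python
"""Pure-Python scan of a LAN range for hosts with one known open TCP port.

Added example (not findssh.py): a connect() probe needs no raw sockets or
root privileges, so it can locate a freshly imaged Raspberry Pi on your own
network by its SSH port, much like: nmap -Pn -p 22 192.168.1.* --open
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, List


def tcp_connect_probe(ip: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP handshake to ip:port completes within timeout.

    Refused, unreachable and timed-out connections all count as closed, so a
    host behind a firewall schedule or port knocking will not be reported.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def hosts_with_open_port(
    network: str,
    port: int,
    probe: Callable[[str, int], bool] = tcp_connect_probe,
    workers: int = 64,
) -> List[str]:
    """Return the host addresses in `network` on which `port` accepts connections.

    `probe` is injectable (e.g. a fake for offline testing); the default
    performs the real TCP connect. Results keep ascending address order.
    """
    hosts = [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda ip: (ip, probe(ip, port)), hosts)
    return [ip for ip, is_open in results if is_open]


if __name__ == "__main__":
    # Assumed LAN range and the Raspberry Pi's SSH port from the page.
    for ip in hosts_with_open_port("192.168.1.0/24", 22):
        print(ip)
```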