Example: router with LAN IP address range 192.168.1.xxx.
Address discovery is faster if you know which port is open on the target device (host), but you can also discover the device when no open port is known.
Unknown open port scan
nmap -sn 192.168.1.* --open
will list some of the IP addresses that are active on that subnet.
-sn: ping scan only; just checks whether a host is up, with no port scan
--open: only report the hosts that appear to be up
Many devices will hide themselves from this scan, but it's the first thing I try for finding a new device that has attached to your network, such as an IoT device that isn't trying to hide itself.
Port known, IP address scan
Port scanning is much faster when the open port is known. Note that in some rare cases a firewall schedule or port knocking, added as extra security, can cause a port scan to fail.
Raspberry Pi port scan
Assume the subnet 192.168.1.xxx is known and that the factory image has an SSH server listening on port 22.
Find the new Raspberry Pi IP address with
nmap -Pn -p 22 192.168.1.* --open
-Pn: tells nmap to assume each host is up (skip the ping step)
--open: only report the hosts that appear to have this port open
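As an added example (not from the original note) of turning such a scan into a usable device list, the shell snippet below filters nmap's grepable output (-oG) down to the hosts that have a chosen port open, which is exactly the question "which IP is the new Raspberry Pi?" The scan output it processes is a constructed sample in that format, so it runs offline; the find_device_by_port wrapper is a hypothetical helper showing how a real scan would be piped through the same filter, and it is not invoked.

```shell
#!/bin/sh
# Added example, not part of the original note: parse nmap's grepable output
# (-oG) and print only the hosts that have a given TCP port open. The scan
# output below is a CONSTRUCTED sample in the shape that
# "nmap -Pn -p 22 192.168.1.* --open -oG -" produces; no live scan runs here.

# Constructed sample: three hosts answer, only 192.168.1.23 has 22 open.
# Fields in -oG lines are tab-separated, so the tabs are written with printf.
SAMPLE_OG=$(
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.1 ()\tPorts: 22/closed/tcp//ssh///\n'
  printf 'Host: 192.168.1.23 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.23 ()\tPorts: 22/open/tcp//ssh///\n'
  printf 'Host: 192.168.1.50 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.50 ()\tPorts: 22/filtered/tcp//ssh///\tIgnored State: filtered (0)\n'
  printf '# Nmap done (constructed sample) -- 256 IP addresses (3 hosts up) scanned\n'
)

# hosts_with_open_port PORT   (grepable nmap output on stdin)
# Prints one IP per line for every host whose "Ports:" field lists PORT as open.
hosts_with_open_port() {
  awk -v want="$1" '
    /^Host:/ && /Ports:/ {
      ip = $2                        # "Host: <ip> (<name>)": field 2 is the IP
      s = $0
      sub(/.*Ports: /, "", s)        # keep the text after "Ports: "
      sub(/\t.*/, "", s)             # drop trailing tab-separated fields
      n = split(s, entries, ", ")    # one entry per scanned port
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")    # port/state/protocol/owner/service/...
        if (f[1] == want && f[2] == "open") print ip
      }
    }'
}

# Hypothetical wrapper (not run here): feed a real scan through the same
# filter. "-oG -" sends the grepable output to stdout instead of a file.
find_device_by_port() {
  nmap -Pn -p "$1" "$2" --open -oG - | hosts_with_open_port "$1"
}

# Demo on the constructed sample: prints only 192.168.1.23
printf '%s\n' "$SAMPLE_OG" | hosts_with_open_port 22
```

The filter keys on the state field, not just on the port number, so a host where the port is closed or filtered (as happens when a firewall schedule or port knocking is in play) is not reported as a match.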