Example: you have a router that assigns every device an address of the form 192.168.1.xxx, where xxx is a number between 1 and 254 (the 192.168.1.0/24 subnet; .0 and .255 are the network and broadcast addresses, though nmap's 192.168.1.* wildcard covers all 256). You will have a much better chance of success if you know which port is open on your target device (host), but you can still discover the device if you don't know which ports are open on it.
I don’t know which ports are open on the host
nmap -sn 192.168.1.*
will list the IP addresses on that subnet that answered nmap's host-discovery probes (192.168.1.0/24 names the same range; quote the wildcard if your shell tries to expand it).
-sn ping scan only: report which hosts are up, don't scan any ports
Adding --open here does nothing useful: it is a port-scan filter (show only open ports), and a ping scan already lists only the hosts that appear to be up.
Devices that don't answer the discovery probes won't show up (run the scan as root: on the local subnet nmap then uses ARP requests, which nearly every device must answer, instead of ICMP echo, which many hosts block), but it's the first thing I try for finding a new device that has attached to your network, such as an IoT device that isn't trying to hide itself.
I know the port number, but not the IP address
This is an easier case to deal with, since the port you're using will typically be open unless you use a firewall schedule, port knocking, or the like. Let's say I have a new BeagleBone Black plugged into my network. I don't know its IP address (but I do know it's in 192.168.1.xxx), and I know the factory image runs an SSH server on port 22. I can type:
nmap -Pn -p 22 192.168.1.* --open
-Pn skip host discovery and treat every address as up, so the port gets scanned even on hosts that don't answer ping
--open only show hosts where this port is open (without it, nmap lists every address, with the port reported as closed or filtered)
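Both scans above as one small POSIX shell script, added here as an example and not part of the original post. It runs the same two nmap commands with greppable output (-oG -) so that awk can reduce the result to bare addresses, which is what you want when the list feeds another script (an ssh loop, an inventory file). The SUBNET default, the function names and the sample output used to try the parsers offline are my assumptions; the samples are constructed, not captured from a real scan.

```shell
#!/bin/sh
# Added example (not from the original post).  Wraps the two nmap scans from
# the text and parses nmap's greppable output (-oG -) down to bare addresses.
# Assumes nmap is on PATH; SUBNET is an assumption standing in for 192.168.1.*.

# 192.168.1.0/24 is the same range as 192.168.1.*, with no shell-glob surprises.
SUBNET="${SUBNET:-192.168.1.0/24}"

# Case 1: ping scan.  Prints hosts that answered host discovery.
# Run as root so nmap uses ARP on the local subnet.
find_live_hosts() {
    nmap -sn -oG - "$1" | parse_live_hosts
}

# Case 2: known port.  Skips discovery (-Pn) and prints hosts with port $2 open.
find_hosts_with_port() {
    nmap -Pn -p "$2" --open -oG - "$1" | parse_open_port "$2"
}

# Parsers kept separate from the scans so they can be tested without nmap.
# Greppable output has one "Host: <ip> (<name>)  Status: Up" line per host
# that is up, and one "Host: <ip> (<name>)  Ports: 22/open/tcp//ssh///, ..."
# line per host that has ports to report.  Field 2 is always the address.
parse_live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

parse_open_port() {
    # The leading space stops port 22 from matching the 22 in 122 or 2222.
    awk -v port="$1" '/^Host:/ && index($0, " " port "/open/") { print $2 }'
}

# Constructed sample output (not a real capture) for trying the parsers offline.
SAMPLE_PING=$(cat <<'EOF'
# Nmap scan initiated as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (router.lan)  Status: Up
Host: 192.168.1.42 ()   Status: Up
# Nmap done -- 256 IP addresses (2 hosts up) scanned
EOF
)

# Written as a scan without --open would print it (closed and filtered ports
# included) so the parser's filtering is visible; with --open only the
# 192.168.1.42 Ports line would appear.
SAMPLE_PORT=$(cat <<'EOF'
Host: 192.168.1.1 (router.lan)  Status: Up
Host: 192.168.1.1 (router.lan)  Ports: 22/closed/tcp//ssh///
Host: 192.168.1.42 ()   Status: Up
Host: 192.168.1.42 ()   Ports: 22/open/tcp//ssh///
Host: 192.168.1.77 ()   Status: Up
Host: 192.168.1.77 ()   Ports: 22/filtered/tcp//ssh///
EOF
)

# Usage against a real network (needs nmap; root for ARP-based discovery):
#   find_live_hosts "$SUBNET"
#   find_hosts_with_port "$SUBNET" 22
```

The parsers match on the "/open/" state rather than on the port number alone, so a host where the port comes back closed or filtered (a device that is up but firewalled, the case the text calls out) is dropped instead of being mistaken for the BeagleBone.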