Using nmap to determine which IPs are active on a subnet

Example: you have a router that puts all devices with IP addresses where xxx is a number between 1 to 255. You will have a much better chance of success if you know which port is open on your targeted device (host), but you can also have a chance to discover the device if you don’t know which ports are open on it.

I don’t know which ports are open on the host

nmap -sn 192.168.1.* --open

will tell you some of the IP addresses that are active on that subnet.


-sn just scan if active PC available (ping scan)

--open only tell which hosts appear to be up

Many devices will hide themselves from this scan, but it’s the first thing I try for finding a new device that attached to your network, such as an IoT device that isn’t trying to hide itself.

I know the port number, but not the IP address

This is an easier case to deal with, since the port you’re using will typically be open unless you use a firewall schedule, port knocking, or the like. Let’s say I have a new Beaglebone Black plugged into my network. I don’t know the IP address (but I do know it’s in and I know the factory image has an SSH server on port 22. I can type:

nmap -Pn -p 22 192.168.1.* --open


-Pn tells nmap to assume each host is up

--open only tell which hosts appear to have this port open

I don’t have nmap

You can use my pure Python findssh program to scan for open servers on a port.




Leave a Comment