This lesson explains how to discover live hosts on networks using ARP (Layer 2) for local segments and ICMP (Layer 3) for routed networks, shows practical commands and Scapy examples, discusses evasion techniques and their limits, and covers detection and defensive countermeasures. It emphasizes ethical testing, coordination with logging teams, and matching OSINT-derived targets to appropriate discovery methods.
Host Discovery: ARP & ICMP Techniques (with Evasion — Ethically!)

"Finding hosts on a network is like ringing every doorbell on the block — loud, effective, and likely to get you a stern look from the neighbor. Do it with permission."

You already learned how to pick your targets and build a s...
Why ARP vs ICMP? Pick the right hammer.

ARP (Address Resolution Protocol) is layer 2. It only works on your LAN/subnet. It's fast, reliable, and often undetectable by host-based firewalls because ARP is required for basic networking.
ICMP (Internet Control Message Protocol) is layer 3. It ca...
Quick practicals (because examples stick)

ARP discovery (local networks)
Tool: arping, nmap -PR, Scapy
Best when you are on the same Ethernet segment or VLAN
Commands:
    # Nmap using ARP ping on local subnet
    nmap -sn -PR 192.168.1.0/24
    # arping raw ARP probe (Linux)
    arping -c 2 -I eth0 192.168.1...
ICMP discovery (bigger networks)
Tool: nmap -PE/-PP/-PM, ping, hping3
Useful across networks, but often filtered or rate-limited
Commands:
    # Nmap ping scan with ICMP echo
    nmap -sn -PE 10.0.0.0/24
    # ICMP timestamp or address-mask probes (less common)
    nmap -sn -PP 10.0.0.0/24   # timestamp
    nmap -sn...
A tiny comparison table (ARP vs ICMP)

Feature                 ARP                      ICMP
Layer                   L2                       L3
Requires same subnet?   Yes                      No
Blocked by firewall?    Rarely (host)            Often
Detectability           Moderate (switch logs)   High (IDS/IPS)
Use case                Local discovery          Routed discovery
Evasion Techniques (and why they’re not magic)

First: ethics. Always have authorization. Evasion is a dual-use skill — defenders and attackers both use it.

Common evasion tricks with notes on effectiveness:
Slow scans / rate limiting: Increase stealth by spacing probes. Use nmap -T options or -...
Detection & Countermeasures (for defenders and to understand attacker risk)

Monitor ARP anomalies: Many ARP probes in a short time or changing MAC-IP mappings indicate scanning or ARP spoofing.
ICMP rate limit and anomaly detection: count echo requests per source, watch for unusual payload siz...
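A worked detection example for the two checks above (many ARP probes from one sender, changing IP-to-MAC bindings, echo requests counted per source with an eye on payload size), which also shows why the slow-scan trick from the evasion section is not magic. This is an added example and not the lesson's or any tool's code: the event-line format, the contents of SAMPLE_LOG and the thresholds are constructed for illustration, and a real deployment would feed it parsed capture or switch/IDS records instead.

```python
"""Toy detector for the ARP/ICMP anomalies named above, run over constructed log lines.
Not the lesson's code; the record format and thresholds are illustrative assumptions."""
import re
from collections import defaultdict, deque

# Constructed sample events (not a real capture). One event per line:
#   <unix_ts> <kind> key=value ...
# Kinds: arp-request (who-has), arp-reply (is-at), icmp-echo (echo request).
SAMPLE_LOG = """\
1700000000.0 arp-request mac=aa:bb:cc:dd:ee:01 tell=192.168.1.77 who-has=192.168.1.10
1700000005.0 arp-request mac=aa:bb:cc:dd:ee:01 tell=192.168.1.77 who-has=192.168.1.11
1700000010.0 arp-request mac=aa:bb:cc:dd:ee:01 tell=192.168.1.77 who-has=192.168.1.12
1700000015.0 arp-request mac=aa:bb:cc:dd:ee:01 tell=192.168.1.77 who-has=192.168.1.13
1700000020.0 arp-request mac=aa:bb:cc:dd:ee:01 tell=192.168.1.77 who-has=192.168.1.14
1700000021.0 arp-request mac=aa:bb:cc:dd:ee:02 tell=192.168.1.50 who-has=192.168.1.1
1700000030.0 arp-reply ip=192.168.1.1 mac=11:22:33:44:55:66
1700000031.0 arp-reply ip=192.168.1.1 mac=de:ad:be:ef:00:01
1700000040.0 icmp-echo src=10.0.0.5 dst=10.0.0.20 len=64
1700000040.2 icmp-echo src=10.0.0.5 dst=10.0.0.21 len=64
1700000040.4 icmp-echo src=10.0.0.5 dst=10.0.0.22 len=64
1700000040.6 icmp-echo src=10.0.0.5 dst=10.0.0.23 len=64
1700000050.0 icmp-echo src=10.0.0.9 dst=10.0.0.20 len=1400
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<kind>[a-z-]+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Parse one event line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"ts": float(m.group("ts")), "kind": m.group("kind"), **fields}


def _distinct_in_window(queue, ts, item, window):
    """Append (ts, item) to a per-source deque, drop entries older than `window`
    seconds, and return the number of distinct items that remain."""
    queue.append((ts, item))
    while queue and ts - queue[0][0] > window:
        queue.popleft()
    return len({x for _, x in queue})


def detect(lines, window=600.0, arp_threshold=5, icmp_threshold=4, max_icmp_len=1000):
    """Return a list of (alert_type, subject, detail) tuples, in the order found.

    Sweeps are counted as distinct targets per source inside a sliding window.
    The window is deliberately long (10 min by default) so that probes spaced
    seconds apart, the "slow scan" evasion trick, still add up; the price is
    that thresholds must be tuned to what a normal host does on that segment.
    """
    alerts = []
    arp_probes = defaultdict(deque)   # sender MAC -> (ts, who-has target)
    icmp_probes = defaultdict(deque)  # src IP -> (ts, dst IP)
    arp_table = {}                    # IP -> MAC learned from ARP replies
    reported = set()                  # sources already flagged for a sweep

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, kind = ev["ts"], ev["kind"]

        if kind == "arp-request":
            mac = ev["mac"]
            n = _distinct_in_window(arp_probes[mac], ts, ev["who-has"], window)
            if n >= arp_threshold and ("arp", mac) not in reported:
                reported.add(("arp", mac))
                alerts.append(("arp-sweep", mac, n))

        elif kind == "arp-reply":
            ip, mac = ev["ip"], ev["mac"]
            old = arp_table.get(ip)
            if old is not None and old != mac:
                # A changing IP->MAC binding is the classic ARP-spoofing indicator
                # (it can also be a legitimate NIC swap, so treat it as a lead).
                alerts.append(("arp-mapping-change", ip, f"{old}->{mac}"))
            arp_table[ip] = mac

        elif kind == "icmp-echo":
            src = ev["src"]
            length = int(ev.get("len", 0))
            if length > max_icmp_len:
                alerts.append(("icmp-large-payload", src, length))
            n = _distinct_in_window(icmp_probes[src], ts, ev["dst"], window)
            if n >= icmp_threshold and ("icmp", src) not in reported:
                reported.add(("icmp", src))
                alerts.append(("icmp-sweep", src, n))

    return alerts


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

Run directly, it prints the four alerts the sample triggers: an ARP sweep by aa:bb:cc:dd:ee:01, the 192.168.1.1 binding flip, an ICMP sweep by 10.0.0.5 and the oversized echo from 10.0.0.9. Call detect() with window=3.0 and the ARP probes, spaced five seconds apart, never accumulate, which is the practical reason a detector keeps a long window and a per-segment baseline for its thresholds rather than reacting only to bursts.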
Putting it together with OSINT & Target Selection (the logical next step)

You already automated OSINT to find juicy targets. Now match that intel to discovery methods:
From OSINT, map public subnets and likely internal ranges.
Select hosts where you can legally place an agent or get access (f...
Small Scapy ARP-sniffer example (pseudo-ready)

    # Sends ARP who-has to subnet and prints replies
    # Needs raw-socket privileges (run as root) and the correct interface name
    from scapy.all import ARP, Ether, srp
    # Broadcast an ARP who-has for every address in the /24; srp() returns
    # (answered, unanswered) packet lists after the timeout
    ans, _ = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst='10.10.0.0/24'), timeout=3, iface='eth0')
    for s, r in ans:
        # r.psrc is the replying host's IP, r.hwsrc its MAC
        print('IP:', r.psrc, 'MAC:', r.hwsrc)