Network Scanning and Evasion Techniques
Discover hosts, services, and OS details while understanding evasion strategies and defensive countermeasures.
Host Discovery and ARP/ICMP Techniques
Host Discovery: ARP & ICMP Techniques (with Evasion — Ethically!)
"Finding hosts on a network is like ringing every doorbell on the block — loud, effective, and likely to get you a stern look from the neighbor. Do it with permission."
You already learned how to pick your targets and build a scanning strategy. Now we go lower-level and noisier: who's actually alive on the network? This chapter turns your reconnaissance from "I think there's someone home" into "I can see the exact list of apartments, but I won't break down the door." We'll focus on host discovery using ARP and ICMP, and how attackers (and defenders) use evasion tricks — plus how to do it responsibly.
Why ARP vs ICMP? Pick the right hammer.
- ARP (Address Resolution Protocol) is layer 2. It only works on your LAN/subnet. It's fast, reliable, and rarely blocked by host-based firewalls because ARP is required for basic IP networking.
- ICMP (Internet Control Message Protocol) is layer 3. It can discover hosts across routed networks, but many networks filter or rate-limit ICMP.
Think: ARP = knocking on the apartment door; ICMP = yelling across the street. Both find people, but one requires you to be in the same building.
Quick practicals (because examples stick)
ARP discovery (local networks)
- Tool: arping, nmap -PR, Scapy
- Best when you are on the same Ethernet segment or VLAN
Commands:

```bash
# Nmap using ARP ping on the local subnet (-sn: host discovery only, no port scan)
nmap -sn -PR 192.168.1.0/24
# arping raw ARP probe (Linux): two requests out of eth0
arping -c 2 -I eth0 192.168.1.1
```

```python
# Scapy minimal ARP scan (needs root / CAP_NET_RAW to send raw frames)
from scapy.all import ARP, Ether, srp

# Broadcast an ARP who-has for every address in the /24; srp() returns
# (answered, unanswered) pairs of sent/received packets.
ans, _ = srp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst='192.168.1.0/24'), timeout=2)
for sent, received in ans:
    # psrc/hwsrc of the reply are the responding host's IP and MAC
    print(received.psrc, received.hwsrc)
```
Why this is awesome: ARP probes get immediate replies from hosts that are up, even if their software firewalls drop ICMP or TCP. Limitations: it stops at router boundaries. Also, some switches implement dynamic ARP inspection (DAI) and log unexpected ARP traffic—watch the logs.
ICMP discovery (bigger networks)
- Tool: nmap -PE/-PP/-PM, ping, hping3
- Useful across networks, but often filtered or rate-limited
Commands:

```bash
# Nmap ping scan with ICMP echo request
nmap -sn -PE 10.0.0.0/24
# ICMP timestamp or address-mask probes (less common, sometimes not filtered)
nmap -sn -PP 10.0.0.0/24 # timestamp request
nmap -sn -PM 10.0.0.0/24 # netmask request
# hping3 for a custom ICMP echo: one packet with a 40-byte payload
hping3 --icmp -c 1 -d 40 10.0.0.5
```
ICMP has the big benefit of reaching routed hosts, but many networks block ICMP echo or return ICMP unreachable, so fit your method to the environment.
A tiny comparison table (ARP vs ICMP)
| Feature | ARP | ICMP |
|---|---|---|
| Layer | L2 | L3 |
| Requires same subnet? | Yes | No |
| Blocked by firewall? | Rarely (host) | Often |
| Detectability | Moderate (switch logs) | High (IDS/IPS) |
| Use case | Local discovery | Routed discovery |
Evasion Techniques (and why they’re not magic)
First: ethics. Always have authorization. Evasion is a dual-use skill — defenders and attackers both use it.
Common evasion tricks with notes on effectiveness:
- Slow scans / rate limiting: Increase stealth by spacing probes. Use nmap -T options or --scan-delay / --max-rate. Effective against simple IDS thresholds; ineffective against anomaly detection and long-term logging.
- Fragmentation: Break discovery packets into fragments (-f in nmap). Some IDS/IPS reassemble poorly, but modern systems are better.
- Decoys: Nmap -D decoy1,decoy2,ME makes it look like multiple sources. Works against naive logs; triggers correlation engines.
- Spoofed MAC / IP: For ARP you can use a different source MAC to hide, but ARP replies still reveal MAC-to-IP pairs. For ICMP, spoofing source IPs can confuse administrators but usually breaks replies (you won't get responses).
- Change packet fingerprints: Alter TTL, TCP options, or payload size (nmap --ttl, --data-length) to blend in with normal traffic.
- Use allowed protocols/ports: Probe via ports/protocols common in the network (e.g., DNS/HTTP) to blend in with normal traffic. But don't abuse production services.
Reality check: Evasion reduces the chance of instant detection, not forensic collection. IDS, router and host logs fed into modern SIEMs are good at stitching long-term low-and-slow scans back together.
Detection & Countermeasures (for defenders and to understand attacker risk)
- Monitor ARP anomalies: Many ARP probes in a short time or changing MAC-IP mappings indicate scanning or ARP spoofing.
- ICMP rate limit and anomaly detection: count echo requests per source, watch for unusual payload sizes.
- Network segmentation: ARP scans are constrained by VLANs; segmentation reduces exposure.
- Use IDS signatures and behavioral baselines rather than simple thresholds.
Tip: if you're testing a network, coordinate with logging teams — ask them to ignore your IPs or tag events so your scan forensic trail doesn’t cause incidents.
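To make the detection list above concrete, here is an added example (not course tooling, and not a real IDS) that runs the three checks over a constructed event log: ARP who-has sweeps, ICMP echo bursts, and IP-to-MAC rebinding. The `EVENTS` records, the sliding-window counting and the thresholds are assumptions for illustration; note how the same low-and-slow ARP sweep slips past a 60 s window but is caught by a 1 h window.

```python
"""Detection logic for ARP/ICMP discovery anomalies over a constructed log."""
from collections import defaultdict

# Constructed records, not captures: (t_seconds, proto, src_ip, src_mac, dst_ip, op)
EVENTS = []
# Fast ARP sweep: one host asks who-has for 30 addresses within 3 seconds.
EVENTS += [(i * 0.1, "arp", "10.0.0.50", "aa:aa:aa:00:00:50", f"10.0.0.{100 + i}", "who-has")
           for i in range(30)]
# Low-and-slow sweep: another host asks for 25 addresses, one every two minutes.
EVENTS += [(i * 120.0, "arp", "10.0.0.60", "aa:aa:aa:00:00:60", f"10.0.0.{150 + i}", "who-has")
           for i in range(25)]
# Gateway replies normally twice, then the same IP answers from a different MAC.
EVENTS += [(5.0, "arp", "10.0.0.1", "aa:aa:aa:00:00:01", "10.0.0.50", "is-at"),
           (9.0, "arp", "10.0.0.1", "aa:aa:aa:00:00:01", "10.0.0.60", "is-at"),
           (12.0, "arp", "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.50", "is-at")]
# ICMP echo requests: 40 from one source in 2 seconds, 2 from a quiet source.
EVENTS += [(i * 0.05, "icmp", "10.0.0.70", "aa:aa:aa:00:00:70", f"10.0.0.{i}", "echo-request")
           for i in range(1, 41)]
EVENTS += [(1.0, "icmp", "10.0.0.80", "aa:aa:aa:00:00:80", "10.0.0.1", "echo-request"),
           (2.0, "icmp", "10.0.0.80", "aa:aa:aa:00:00:80", "10.0.0.2", "echo-request")]
EVENTS.sort()

def sweep_sources(events, proto, op, window, threshold):
    """Sources that probed >= threshold distinct destinations inside any sliding
    window of `window` seconds. Short windows catch bursts; a long window is what
    ties a low-and-slow scan back together."""
    per_src = defaultdict(list)
    for t, p, src, _mac, dst, o in events:
        if p == proto and o == op:
            per_src[src].append((t, dst))
    flagged = set()
    for src, probes in per_src.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1  # slide the window forward past old probes
            if len({d for _, d in probes[start:end + 1]}) >= threshold:
                flagged.add(src)
                break
    return flagged

def arp_mapping_changes(events):
    """(ip, old_mac, new_mac) each time an ARP reply rebinds an IP to a new MAC."""
    seen, changes = {}, []
    for _t, p, src, mac, _dst, o in events:
        if p == "arp" and o == "is-at":
            if src in seen and seen[src] != mac:
                changes.append((src, seen[src], mac))
            seen[src] = mac
    return changes

if __name__ == "__main__":
    print("ARP burst (60 s window):", sweep_sources(EVENTS, "arp", "who-has", 60, 20))
    print("ARP low-and-slow (1 h window):", sweep_sources(EVENTS, "arp", "who-has", 3600, 20))
    print("ICMP burst (10 s window):", sweep_sources(EVENTS, "icmp", "echo-request", 10, 20))
    print("IP-to-MAC rebinding:", arp_mapping_changes(EVENTS))
```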
Putting it together with OSINT & Target Selection (the logical next step)
You already automated OSINT to find juicy targets. Now match that intel to discovery methods:
- From OSINT, map public subnets and likely internal ranges.
- Select hosts where you can legally place an agent or get access (from scanning strategy lessons).
- Use ARP scans from test hosts placed on the same segment to build a live asset list; use ICMP (or TCP/UDP probes) across networks where routing allows.
- Correlate results with OSINT data (hostname, DNS records, service banners) to prioritize follow-up scans.
Question to ask: Is the target inside the broadcast domain? If yes → start with ARP. If no → plan ICMP/TCP discovery and expect more filtering.
Small Scapy ARP sweep example (ready to adapt)

```python
# Sends ARP who-has to the subnet and prints replies (needs root / CAP_NET_RAW)
from scapy.all import ARP, Ether, srp

ans, _ = srp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst='10.10.0.0/24'),
             timeout=3, iface='eth0')
for sent, received in ans:
    print('IP:', received.psrc, 'MAC:', received.hwsrc)
```
Use this for customized probing, e.g., add timing, random delays, or rate limits to avoid tripping alarms during authorized tests.
Closing (TL;DR + permission mantra)
- ARP = best for local, fast, reliable host discovery. ICMP = for routed discovery but more likely to be filtered.
- Evasion tools (slow scans, fragmentation, decoys) can delay detection — they do not erase logs. Use responsibly.
Final rule: if it smells like sneaking around, get a written permit. Then scan like a ghost: quiet, methodical, and ethically accountable.
Key takeaways:
- Choose ARP when on the same VLAN — it’s your fastest win.
- Use ICMP/TCP/UDP where routing is needed, and expect firewalls.
- Evasion is a tradeoff: stealth vs usefulness; never assume invisibility.
Go build a careful plan that aligns your OSINT-derived priorities with the right discovery tool. And remember — the goal is to reveal the network surface, not to haunt it.