
Network Recon & Host Discovery

This cheatsheet serves as the foundational checklist for network-level enumeration. It is structured to scale from localized host discovery sweeps to targeted, protocol-specific vulnerability scanning.

Host Discovery (Network Sweeps)

Before hitting specific ports, identify live assets on the subnet. Layer 2 (ARP) is preferred on a local segment because ARP resolution happens below the IP stack, so host firewalls do not filter it; Layer 3 (ICMP) is necessary for routed networks, where ARP requests do not cross the router.

Nmap Ping Sweep (Disables port scan, fast)

nmap -sn 10.10.10.0/24

fping (Extremely fast, outputs only alive IP addresses)

fping -a -g 10.10.10.0/24 2>/dev/null

netdiscover (Active/passive ARP recon)

sudo netdiscover -r 10.10.10.0/24

Port Scanning

Once live hosts are identified, enumerate open services.

Efficiency

For CTF environments, always use --min-rate=1000 (or higher) combined with -p- to scan all 65,535 ports quickly. In real-world pentests, this aggression level will cause dropped probes (open ports silently reported as closed or filtered) or trigger IPS/IDS appliances.

TCP Scanning Strategies

SYN Scan, Service Versioning, All Ports, High Rate

sudo nmap -sS -sV -p- --min-rate=1000 10.10.10.10 

Service Versioning, Default Scripts, OS Detection, All Ports

sudo nmap -sV -sC -O -p- 10.10.10.10 

Aggressive mode (-A, which already implies -sV, -sC, -O and --traceroute), skips host discovery (-Pn), runs the vuln script category, saves normal output to a file (-oN)

nmap -sV -sC -oN nmap_result.txt -T4 -A --script=vuln -Pn 10.10.10.10 
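Once the -oN file exists, the next step is usually to turn it into a port-by-port worklist. The following parser is an added example, not part of the original cheatsheet or of Nmap itself: it reads Nmap's normal output format (the "PORT STATE SERVICE VERSION" table under each "Nmap scan report for" line) into records. The sample report embedded below is constructed to match that format; the host, ports and version strings are invented placeholders.

```python
"""Parse Nmap normal output (-oN) into structured port records.

Added example, not part of the original cheatsheet. SAMPLE_NMAP_OUTPUT is a
constructed report in the -oN layout; nothing in it comes from a real host.
"""
import re
from dataclasses import dataclass

# Constructed sample of an -oN report (not captured from a real scan).
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -sC -oN nmap_result.txt -Pn 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.045s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http       Apache httpd 2.4.41 ((Ubuntu))
443/tcp   filtered https
8080/tcp  open     http-proxy
161/udp   open     snmp       SNMPv1 server (public)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Mon Jan  1 12:03:12 2024 -- 1 IP address (1 host up) scanned in 192.31 seconds
"""

# One table row: "<port>/<proto> <state> <service> [<version text>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)
# Each host block starts with this line; the token may be an IP or a hostname.
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty string when -sV produced no banner for the port


def parse_nmap_normal(text: str) -> list[PortRecord]:
    """Return one PortRecord per table row, tagged with the host block it sits in."""
    records = []
    host = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_LINE.match(line)
        if m:
            host = m.group("host")
            continue
        m = PORT_LINE.match(line)
        if m and host is not None:
            records.append(PortRecord(
                host=host,
                port=int(m.group("port")),
                proto=m.group("proto"),
                state=m.group("state"),
                service=m.group("service"),
                version=(m.group("version") or "").strip(),
            ))
    return records


def open_ports(records, proto=None):
    """Rows in state 'open' (optionally one protocol only), sorted by port number."""
    out = [r for r in records if r.state == "open" and (proto is None or r.proto == proto)]
    return sorted(out, key=lambda r: r.port)


def unversioned_services(records):
    """Open rows where -sV returned no product banner; these need a manual look."""
    return [r for r in records if r.state == "open" and not r.version]


if __name__ == "__main__":
    recs = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for r in open_ports(recs):
        print(f"{r.host} {r.port}/{r.proto} {r.service:<10} {r.version or '<no banner>'}")
```

Filtered rows are kept in the record list on purpose: a port that is filtered from one vantage point and open from another is exactly the kind of finding worth recording, and dropping it at parse time would hide it.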

UDP Scanning

Important

UDP scanning is notoriously slow and unreliable because open UDP ports often do not respond at all (so open and filtered cannot be told apart), while closed ports answer with ICMP port unreachable messages that most hosts rate-limit. Only scan common UDP ports rather than the full 65k range to save time.

sudo nmap -sU -p 53,67,68,69,123,161,162 10.10.10.10
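Each of the three techniques on this page leaves a distinct footprint: an ARP sweep is a burst of ARP requests for many different addresses from one host, a --min-rate SYN scan is many SYNs to distinct ports in a short window, and a UDP scan shows up on the target's side as a burst of ICMP type 3 code 3 (port unreachable) replies back to one address. The detector below is an added example, not part of the original cheatsheet or of any IDS product. It runs over a constructed, iptables-like key=value log format that I invented for the example (real iptables LOG lines embed the offending UDP header differently); the addresses, thresholds and timings are assumptions.

```python
"""Flag ARP sweeps, high-rate SYN scans and UDP scans in constructed firewall logs.

Added example, not part of the original cheatsheet. LOG_LINES is generated
below in an invented key=value format; no line comes from a real network.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Build the sample: a sweep and two scans from 10.10.10.50, plus benign traffic."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # ARP sweep: one request per address for 10.10.10.1-12 in about half a second.
    for i in range(1, 13):
        ts = (t0 + timedelta(milliseconds=50 * i)).isoformat()
        lines.append(f"{ts} PROTO=ARP OP=request SRC=10.10.10.50 DST=10.10.10.{i}")
    # Benign: a workstation opening three HTTPS connections, one per minute.
    for i in range(3):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} PROTO=TCP SRC=10.10.10.20 DST=10.10.10.10 SPT={40000 + i} DPT=443 FLAGS=SYN")
    # High-rate SYN scan: 25 distinct ports in about 2.5 seconds.
    for i, port in enumerate(range(1, 26)):
        ts = (t0 + timedelta(seconds=10, milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} PROTO=TCP SRC=10.10.10.50 DST=10.10.10.10 SPT=55555 DPT={port} FLAGS=SYN")
    # UDP scan as seen from the target: closed ports answer ICMP type 3 code 3.
    # DPT here is the rejected probe's port (a simplification of the real log layout).
    for i, port in enumerate((53, 67, 68, 69, 123, 161, 162, 500, 514, 1434, 1900, 5353)):
        ts = (t0 + timedelta(seconds=20, milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} PROTO=ICMP TYPE=3 CODE=3 SRC=10.10.10.10 DST=10.10.10.50 DPT={port}")
    return lines


LOG_LINES = _constructed_log()


def parse_line(line):
    """'<iso timestamp> K=V K=V ...' -> dict with a parsed 'ts' field."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def max_distinct_in_window(events, window):
    """events: sorted [(ts, key)]. Largest number of distinct keys inside any `window`."""
    counts, best, left = Counter(), 0, 0
    for ts, key in events:
        counts[key] += 1
        while ts - events[left][0] > window:  # slide the left edge forward
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect(lines, window=timedelta(seconds=5), arp_targets=10, syn_ports=20, icmp_unreach=10):
    """Return findings as dicts: {'source', 'kind', 'count'}; thresholds are assumptions."""
    arp, syn, unreach = defaultdict(list), defaultdict(list), defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f["PROTO"] == "ARP" and f.get("OP") == "request":
            arp[f["SRC"]].append((f["ts"], f["DST"]))          # requester -> target IPs
        elif f["PROTO"] == "TCP" and f.get("FLAGS") == "SYN":
            syn[f["SRC"]].append((f["ts"], f["DPT"]))          # scanner -> destination ports
        elif f["PROTO"] == "ICMP" and f.get("TYPE") == "3" and f.get("CODE") == "3":
            unreach[f["DST"]].append((f["ts"], f["DPT"]))      # unreachables flow back to the scanner
    findings = []
    for kind, table, threshold in (("arp_sweep", arp, arp_targets),
                                   ("tcp_syn_scan", syn, syn_ports),
                                   ("udp_scan", unreach, icmp_unreach)):
        for source, events in table.items():
            n = max_distinct_in_window(sorted(events), window)
            if n >= threshold:
                findings.append({"source": source, "kind": kind, "count": n})
    return findings


if __name__ == "__main__":
    for hit in detect(LOG_LINES):
        print(f"{hit['source']}: {hit['kind']} ({hit['count']} distinct in window)")
```

The sliding window counts distinct targets or ports rather than raw packets, which is what separates a scan from a busy but legitimate client: the workstation in the sample sends SYNs too, but always to the same port, so it never crosses the threshold. The UDP rule keys on the ICMP replies leaving the target, which is the only reliable signal the page's "closed ports answer, open ports stay silent" behaviour gives a defender.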