Network Discovery and Scanning: Unveiling Connected Devices

In our previous articles, we explored wireless security vulnerabilities and WPA/WPA2 cracking techniques. Today, we'll shift our focus to network discovery and scanning - essential skills for any ethical hacker or network administrator seeking to understand their network's security posture.

Network discovery involves identifying all devices connected to a network, while scanning provides detailed information about those devices, including open ports, running services, operating systems, and potential vulnerabilities.

Understanding Network Discovery

Network discovery is the process of identifying all active devices on a network. This foundational step helps security professionals understand their attack surface and identify unauthorized devices that might pose security risks.

Why Network Discovery Matters:

Identify unauthorized or rogue devices on the network
Map the network topology for security assessments
Discover legacy systems that may have unpatched vulnerabilities
Inventory all connected devices for asset management
Prepare for penetration testing by understanding the target environment

Step 1: Initial Network Reconnaissance

Finding Your Network Information

Before we can discover other devices, we need to understand our own network configuration. The ifconfig command provides this information:

root@kali:~# ifconfig eth0: flags=4163 mtu 1500 inet 192.168.222.128 netmask 255.255.255.0 broadcast 192.168.222.255 inet6 fe80::20c:29ff:fe7a:885c prefixlen 64 scopeid 0x20 ether 00:0c:29:7a:88:5c txqueuelen 1000 (Ethernet) RX packets 12345 bytes 12345678 (12.3 MB) TX packets 9876 bytes 8765432 (8.7 MB)

From this output, we can determine:

Our IP Address: 192.168.222.128
Network Mask: 255.255.255.0
Network Range: 192.168.222.0/24
Router IP: Typically the first or last IP in the range (192.168.222.1 or 192.168.222.254)

Step 2: Discovering Connected Devices with Netdiscover

Netdiscover is a simple yet powerful tool for network reconnaissance that uses ARP requests to discover live hosts.

Using Netdiscover for Active Scanning

To scan the entire network range, we use:

root@kali:~# netdiscover -r 192.168.222.1/24 Currently scanning: 192.168.222.0/24 | Screen View: Unique Hosts ---------------------------------------------------------------------------- 4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.222.1 00:50:56:c0:00:08 1 60 VMware, Inc. 192.168.222.2 00:50:56:fe:7a:88 1 60 VMware, Inc. 192.168.222.130 00:0c:29:45:67:89 1 60 Apple, Inc. 192.168.222.135 00:0c:29:12:34:56 1 60 Samsung Electronics

This output reveals:

IP Addresses: All active devices on the network
MAC Addresses: Hardware addresses of each device
Vendor Information: Manufacturer based on MAC address OUI
Hostnames: When available through reverse DNS

Important: Netdiscover requires you to be connected to the target network. For wireless networks, this means connecting your adapter to the network before running the scan.

Step 3: Comprehensive Scanning with Nmap

While Netdiscover gives us a device inventory, NmapNetwork Mapper - a powerful open-source tool for network discovery and security auditing provides much deeper insights into each device.

What Nmap Can Discover

Information Type	Description	Security Relevance
Open Ports	Network ports accepting connections	Potential entry points for attackers
Running Services	Applications listening on open ports	Service-specific vulnerabilities
Service Versions	Exact version numbers of running services	Version-specific exploits
Operating System	Detected OS and version	OS-specific attack vectors
Device Type	Identification of device purpose (router, server, etc.)	Target prioritization

Basic Nmap Scan

Let's start with a comprehensive scan of our target network:

root@kali:~# nmap -sS -A -T4 192.168.222.1/24 Starting Nmap 7.92 ( https://nmap.org ) at 2025-09-08 10:30 UTC Nmap scan report for router.local (192.168.222.1) Host is up (0.0010s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0) 53/tcp open domain dnsmasq 2.85 80/tcp open http nginx 1.18.0 (Ubuntu) 443/tcp open ssl/http nginx 1.18.0 (Ubuntu) 8080/tcp open http-proxy Squid http proxy 4.13 MAC Address: 00:50:56:C0:00:08 (VMware) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.6 Network Distance: 1 hop Nmap scan report for workstation.local (192.168.222.130) Host is up (0.0005s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.1 (protocol 2.0) 80/tcp open http Apache httpd 2.4.46 ((Unix)) 443/tcp open ssl/http Apache httpd 2.4.46 ((Unix)) 3306/tcp open mysql MySQL 8.0.23 MAC Address: 00:0C:29:45:67:89 (Apple) Device type: general purpose Running: Apple Mac OS X 10.15-10.16 OS details: macOS 10.15.7 - 10.16.0 (Darwin 19.6.0 - 20.0.0) Service Info: OSs: Unix, macOS; CPE: cpe:/o:apple:mac_os_x:10.15

Breaking down the Nmap options used:

-sS: TCP SYN stealth scan (fast and relatively stealthy)
-A: Enable OS detection, version detection, script scanning, and traceroute
-T4: Aggressive timing template for faster scanning
192.168.222.1/24: Target network range

Zenmap: The Graphical Nmap Interface

For those who prefer a graphical interface, Nmap offers Zenmap:

root@kali:~# zenmap

Zenmap provides:

Pre-configured scanning profiles for different scenarios
Visual network topology mapping
Saved scan results for comparison
Easy command customization through a graphical interface

[Image: Zenmap interface showing network scan results]

Step 4: Analyzing Scan Results for Vulnerabilities

The real value of network scanning comes from analyzing the results to identify potential security issues.

Service Version Detection

Knowing the exact version of running services is crucial because:

Specific versions may have known vulnerabilities
Outdated software often contains unpatched security flaws
Default configurations might be insecure

For example, if our scan reveals:

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.6 (CentOS) 443/tcp open ssl/http Apache httpd 2.4.6 (CentOS) 3306/tcp open mysql MySQL 5.5.68

We can research each service version for known vulnerabilities on platforms like:

Rapid7: Vulnerability & Exploit Database
CVE Details: Common Vulnerabilities and Exposures
Exploit-DB: Database of public exploits
NVD: National Vulnerability Database

Default Credential Attacks

Many devices, especially IoT equipment and network appliances, still use default credentials. When SSH is detected, we can attempt to connect using common defaults:

root@kali:~# ssh [email protected] [email protected]'s password: [try 'admin', 'password', '1234'] root@kali:~# ssh [email protected] [email protected]'s password: [try 'root', 'password', 'toor']

Common default credential combinations include:

Username	Common Passwords	Device Types
admin	admin, password, 1234	Routers, Switches, Access Points
root	root, toor, password	Linux systems, Embedded devices
user	user, 1234	Various network devices
guest	guest, (blank)	Guest access systems

Warning: Attempting to access systems without authorization is illegal. These techniques should only be used on systems you own or have explicit permission to test.

Advanced Nmap Techniques

Service-Specific Scanning

For more detailed information about specific services, we can use Nmap's scripting engine:

# Scan for HTTP/HTTPS specific information root@kali:~# nmap -sV --script http-enum,http-headers 192.168.222.130 # Scan for SMB shares and information root@kali:~# nmap -sV --script smb-enum-shares,smb-os-discovery 192.168.222.135 # Scan for MySQL information root@kali:~# nmap -sV --script mysql-info,mysql-users 192.168.222.130

Firewall Evasion Techniques

Nmap offers various techniques to bypass firewalls and intrusion detection systems:

# Fragment packets to evade detection root@kali:~# nmap -f 192.168.222.1 # Use decoy IP addresses to hide your real IP root@kali:~# nmap -D 192.168.222.100,192.168.222.101,192.168.222.102 192.168.222.1 # Use source port manipulation root@kali:~# nmap --source-port 53 192.168.222.1 # Use timing and delay to appear less suspicious root@kali:~# nmap -T2 --max-parallelism 1 192.168.222.1/24

Practical Applications in Security Assessments

1. Network Inventory and Asset Management

Regular scanning helps maintain an accurate inventory of all network-connected devices, which is essential for security monitoring and patch management.

2. Vulnerability Assessment

By identifying service versions and configurations, security teams can prioritize patching and hardening efforts.

3. Penetration Testing

Ethical hackers use network scanning to identify potential entry points and vulnerable services during authorized security assessments.

4. Incident Response

During security incidents, rapid network scanning can help identify compromised systems and unauthorized devices.

Best Practices for Network Scanning

Ethical Scanning Guidelines:

Always obtain explicit written permission before scanning
Schedule scans during maintenance windows to minimize disruption
Use appropriate scanning intensity based on network sensitivity
Document all scanning activities and results
Follow responsible disclosure if vulnerabilities are found

Protecting Against Network Reconnaissance

While discovery and scanning are essential for security professionals, organizations should also protect against malicious reconnaissance:

Defense Strategy	Implementation	Effectiveness
Network Segmentation	Divide network into segments with firewalls between them	High
Port Security	Close unnecessary ports and services	High
Intrusion Detection	Monitor for scanning activities and block suspicious IPs	Medium
Service Obfuscation	Change default banners and service responses	Low
Rate Limiting	Limit connection attempts from single sources	Medium

Conclusion

Network discovery and scanning are fundamental skills for both network administrators and ethical hackers. Tools like Netdiscover and Nmap provide powerful capabilities for understanding network topology, identifying connected devices, and uncovering potential vulnerabilities.

When used responsibly and with proper authorization, these techniques help organizations strengthen their security posture by identifying weaknesses before malicious actors can exploit them. The key is to balance comprehensive assessment with minimal network disruption while always adhering to ethical guidelines and legal requirements.

Key Takeaways:

Network discovery identifies all active devices on a network
Nmap provides detailed information about services, versions, and operating systems
Service version information helps identify potential vulnerabilities
Default credentials remain a common security issue
Always obtain proper authorization before scanning any network
Regular scanning helps maintain network security awareness

By mastering network discovery and scanning techniques, security professionals can better protect their organizations while ethical hackers can more effectively identify and help remediate security vulnerabilities.