Ping scans are typically used to find which IP addresses are in use on a network. There are, as we’re about to see, many reasons why one would need to do that. Traditionally, this task would be done by issuing successive ping commands and making note of the results. It is obvious that doing it that way is only practical with the smallest ranges of IP addresses.
When you have more than a few addresses to scan, you better resort to using a specialized scan tool. Nmap is one such tool and today, we’re having a look at using Nmap for ping scan.
We’ll start off our discussion by explaining what a ping scan is. And since it relies heavily on ping (who would have thought?) we’ll also give you some background information on the ping utility, what it is and how it works. We’ll then introduce Nmap, a free and open-source tools with several uses and tell you how to use it to perform a ping scan. Finally, we’ll have a look at a few other ping scan tools that you might want to try.
What Is A Ping Scan?
In a nutshell, a ping scan is the act of pinging each IP address in a given range or subnet to find which ones are responding and which ones aren’t. It sounds pretty boring and, to be truthful, it actually is. But there are several reasons why one would want to do that. One of them has to do with detecting rogue devices. They could be devices connected by malicious users to spy on your organization.
They could also be the act of users with perfectly good intentions. I once had this user who prevented many of his colleagues from accessing the network when he connected his home Internet router to it. He just needed a couple of extra ports to connect an additional test computer and thought he could use the switch built into his router. Unbeknownst to him, the router’s built-in DHCP server started assigning IP addresses from the wrong subnet to computers that were trying to connect to the network.
Other than security reasons, scanning IP addresses is also the first step of most manual IP address management processes. Many IP address management (IPAM) tools will include some form of IP address scanning but if you choose to take care of that manually, IP address scanning tools can come in handy. And for those who don’t have any IP address management process in place, scanning IP addresses is even more important. It will often be the only way to ensure that there are no IP address conflicts and it can be seen as a rather crude way of pseudo-managing IP addresses.
No matter why you want to scan IP addresses, most tools are based on ping so let’s have a look at this vintage utility. Ping was created out of necessity back in 1983. Its developer needed a tool to help in debugging abnormal network behaviour he was observing. Today, ping is present on almost every operating system although its implementation varies somewhat between platforms. Some versions are offering multiple command-line options which can include parameters such as the size of each request’s payload, the total test count, the network hops limit, or the interval between requests. Some systems also have a companion Ping6 utility that serves the exact same purpose as ping but for IPv6 addresses.
How Ping Works
Ping is a simple utility which sends ICMP echo request packets to the specified target(s) and waits for it(them) to send back an ICMP echo reply packet for each received packet. This is repeated a certain number of times—five by default under windows and until it is manually stopped by default under most other implementations—and it then compiles response statistics. It calculates the average delay between the requests and their respective replies and displays it in its results. On most *nix variants as well as on the Mac, it will also display the value of the replies’ TTL field, giving an indication of the number of hops between source and destination.
Here’s a typical use of the ping command on Linux (the “-c 5” option tells the command to run five times and then report on the results, mimicking Windows’s operation of the command):
$ ping -c 5 www.example.com PING www.example.com (220.127.116.11): 56 data bytes 64 bytes from 18.104.22.168: icmp_seq=0 ttl=56 time=11.632 ms 64 bytes from 22.214.171.124: icmp_seq=1 ttl=56 time=11.726 ms 64 bytes from 126.96.36.199: icmp_seq=2 ttl=56 time=10.683 ms 64 bytes from 188.8.131.52: icmp_seq=3 ttl=56 time=9.674 ms 64 bytes from 184.108.40.206: icmp_seq=4 ttl=56 time=11.127 ms --- www.example.com ping statistics --- 5 packets transmitted, 5 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 9.674/10.968/11.726/0.748 ms
For ping to work, the pinged host must abide by RFC 1122 which specifies that any host must process ICMP echo requests and issue echo replies in return. Most hosts do reply but some disable that functionality for security reasons. Firewalls often block ICMP traffic too. Pinging a host which does not respond to ICMP echo requests will provide no feedback, exactly like pinging a non-existent IP address. To circumvent this, many IP address scanning tools— is one of them—can use different types of packets to check if an IP address is responding.
Nmap—which stands for Network Mapper—is a free and open-source network scanner created by Gordon Lyon (A.K.A. Fyodor Vaskovich). It is primarily used to discover hosts and services on a computer network by sending various packets and analyzing responses. Nmap started as a Linux utility and was later ported to many other systems including Windows, Mac OS, and BSD.
Nmap provides a number of features for probing computer networks. These include host discovery as well as service and operating system detection. The tool’s features can easily be extended by scripts that provide more advanced service detection, vulnerability detection, and more. It easily adapts to various network conditions including latency and congestion during a scan.
Nmap was originally distributed under the GNU Public License (GPL). However, in later releases, the tool’s authors added clarifications and specific interpretations to the license where they felt the GPL was unclear or lacking.
Using Nmap For Ping Scans
Because host discovery needs are so diverse, Nmap offers a wide variety of options for customizing the techniques used for ping scans. Despite its name, this technology goes well beyond the simple ICMP echo requests mentioned earlier. Using various options, you can skip the ping step entirely with a list scan (-sL) or by disabling ping (-Pn), or engage the network with arbitrary combinations of multi-port TCP SYN/ACK, UDP, and ICMP probes.
No matter what method you use, the objective is always to demonstrate which IP addresses are actually active (being used by a host or network device). On most networks, only a small percentage of IP addresses are active at any given time. This is particularly common with private address space such as 10.0.0.0/8. This is used by many organizations of all sizes, many with much fewer devices than the 16.8 million IP addresses which are available in that address space. Some will have fewer than a thousand machines.
So, without going in too many details, here are a few ways that a typical ping scan can be performed using :
nmap scanme.nmap.org, nmap scanme.nmap.org/32 or nmap 220.127.116.11
Any of these three commands will do the same thing, assuming that scanme.nmap.org resolves to 18.104.22.168. They scan that one IP address and then exit.
nmap scanme.nmap.org/24, nmap 22.214.171.124/24, nmap 64.13.134.-, nmap 126.96.36.199-255
These four commands all instruct Nmap to scan the 256 IP addresses from 188.8.131.52 through 184.108.40.206. In other words, they ask to scan the class C sized address space surrounding scanme.nmap.org.
nmap 220.127.116.11/24 --exclude scanme.nmap.org,insecure.org
This command instructs Nmap to scan the class C around 18.104.22.168, but to skip scanme.nmap.org and insecure.org if they are found within that address range.
nmap 10.0.0.0/8 --exclude 10.6.0.0/16,ultra-sensitive-host.company.com
This one instructs Nmap to scan the whole private 10 range but to skip any IP address starting with 10.6 as well as the ultra-sensitive-host.company.com host.
We could go on forever with similar examples of the tool’s versatility. Nmap’s website (nmap.org) provides ample documentation on how to do just about anything with this powerful tool.
Some Other Tools You Can Use
As powerful as can be, it’s not the easiest tool to use and it’s also not the prettiest. It will get the job of scanning a subnet or a range of IP addresses done but, if this is something you intend to do on a regular basis—and you probably should—perhaps you’d like to have a look at some alternative tools we’ve reviewed for you.
First on our list is a tool from SolarWinds, maker some of the best network administration tools. The company is also known for its many free tools. When it comes to doing a ping scan, the SolarWinds Ping Sweep tool is simply one of the best products you can find. It is part of the SolarWinds Engineer’s Toolset, a bundle of more than 60 useful, Windows-based network management utilities, including Ping Sweep.
Using the SolarWinds Ping Sweep is super-easy. The tool has a graphical user interface where you enter the IP address range you want to scan. The range can be as big or as small as you want. You can even scan a discontinuous list of IP addresses from a text file. For instance, you could extract a list of assigned IP addresses from your DHCP server and use it as the tool’s input to see which ones are actually used.
- FREE TRIAL: SolarWinds Engineer’s Toolset (Including Ping Sweep)
- Official Download link: https://www.solarwinds.com/engineers-toolset/registration
The SolarWinds Ping Sweep tool will ping all the specified IP addresses and list those that responded. This could hardly be simpler. The results can be exported to several file types such as CSV, XML, or even a web page. That way, you can analyze the results using your own favourite tool. As for the results, they don’t only include the IP addresses of the responding hosts. The tool also shows you each address’ response time and it does a reverse DNS lookup to find and display their hostnames.
Prices for the SolarWinds Engineer’s Toolset–including Ping Sweep–start at $1 495. This is a per named user price and you’ll need one license for each named user. Considering all the other tools that are part for bundle this is well worth the investment – and don’t forget there’s a 30-day trial which you could take advantage of.
Other Tools In The SolarWinds Engineer’s Toolset
The SolarWinds Engineer’s Toolset includes many more dedicated troubleshooting tools. Tools like DNS Analyzer and TraceRoute can be used to perform network diagnostics and help resolve complex network issues quickly. For security-oriented administrators, some of the tools can be used to simulate attacks and help identify vulnerabilities.
The SolarWinds Engineer’s Toolset also features some excellent monitoring and alerting capabilities. It includes several tools to monitor your devices and raise alerts for availability or health issues. And finally, you can use some of the included tools for configuration management and log consolidation.
Here’s a list of some of the other tools you’ll find in the SolarWinds Engineer’s Toolset:
- Port Scanner
- Switch Port Mapper
- SNMP sweep
- IP Network Browser
- MAC Address Discovery
- Response Time Monitor
- CPU Monitor
- Memory Monitor
- Interface Monitor
- WAN Killer Network Traffic Generator
- Router Password Decryption
- SNMP Brute Force Attack
- SNMP Dictionary Attack
- Config Compare, Downloader, Uploader, and Editor
- SNMP trap editor and SNMP trap receiver
- Subnet Calculator
- DHCP Scope Monitor
- DNS Structure Analyzer
- DNS Audit
- IP Address Management
2. Angry IP Scanner
Despite being deceptively simple the Angry IP Scanner makes extensive use of multithreading, making it one of the fastest tools of its kind. It is a free multi-platform tool which is available for Windows, OS X, or Linux. Since the tool is written in Java, you’ll need to have the Java runtime module installed to use it. This is pretty much the tool’s only drawback. This tool will not only ping IP addresses, but it will also optionally run a port scan on discovered hosts. It can also resolve IP addresses to hostnames and MAC addresses to vendor names. Furthermore, this tool will provide NetBIOS information about each responding host.
The Angry IP Scanner can not only scan complete networks and subnets but also an IP addresses range or a list of IP addresses from a text file. Although this is a GUI-based tool, it also comes with a command-line version that you can use if, for instance, you want to include the tool’s functionality in your scripts. As for the scan results, they are by default displayed on the screen in table format but they can easily be exported to several file formats such as CSV or XML.
3. Advanced IP Scanner
Advanced IP Scanner may seem like just another free IP address scanning tool but it has an interesting twist. The tool, which runs on Windows, is totally geared towards that operating system and it features several Windows-related advanced functionalities. More about that in a moment. The tool’s publisher claims this free software is used by over 30 million users worldwide. It is a portable tool that requires no installation.
As for the tool’s functionality, it takes an IP address range as input but you can also supply a text file with a list of IP addresses. The results you get from this tool are impressive. You get, of course, the list of IP addresses that responded but you also get their corresponding hostname, MAC address and network interface vendor. For each responding Windows host, you also get a live list of its network shares. By live, I mean that you can click any share to open it on your computer—provided that you have the proper access rights. You can also start a remote control session with any discovered Windows host using either RDP or Radmin or even remotely turn a computer off.
4. Network Pinger
Network Pinger is another free Windows tool. Its interface is one of the most intuitive you can find. The tool’s performance is one of the best you can find. It was clearly optimized for the best possible performance. This tool can send 1000 pings in just 35 ms. This is fast; very fast. Network Pinger features several built-in tools. There’s automated mass ping, traceroute, port scanning, WMI, DNS and Whois queries, an IP calculator and converter, and many more.
Network Pinger makes great use of its graphical user interface and is loaded with visual features. For example, it can build live charts as it performs a ping sweep displaying a visual rendition of the important statistics such as a pie chart depicting the responding vs non-responding hosts or a graph showing average response times.
5. NetScan Tools
There are two different versions of NetScan Tools, a paid one called NetScan Tools Pro Edition and a free, ad-supported one called NetScan Tools Basic Edition with a reduced feature set. Both are toolsets which include multiple utilities and both include an IP address scanning tool called Ping Scan.
NetScan Tools’ Ping Scan takes an IP address range as input, like most other IP address scanning tools. It scans the provided IP addresses and returns a list of all the scanned IP addresses with their hostname (when resolvable), average response time and a status in text form. Other useful tools in NetScan Tools include DNS tools, Ping, Graphical Ping, Traceroute, and Whois. If all you need is the IP address scanning functionality, go with the free Basic Edition.
6. MiTeC Network Scanner
Last on our list is a free tool called the MiTeC Network Scanner. This is another multi-use tool. It boasts a powerful IP address scanning function which can find any responding host in the specified range. The software will list each found device’s MAC address, hostname, and response time. In addition to just pinging each host, this tool can also poll SNMP-enabled devices and list their interfaces. It can also identify Windows computers and let you see their shares, remotely shut them down, perform remote execution, and more.
But back to IP address scanning, the results show up as a table on the software’s dashboard. They can then be exported to a CSV file to be used with another tool. The tool will run on most modern versions of Windows—either workstation or server—since Windows 7. As for the tool’s other advanced features, there are simply too many to mention them all. It includes, for instance, a Whois function and a DNS resolution function.