Penetration Testing
Nmap - Sep 30 2011 09:17PM - Ukpong (ukpong ukpong gmail com) (3 replies)
Re: Nmap - Oct 02 2011 02:37AM - Jeffory Atkinson (jatkinson zelvin com) (1 replies)
Re: Nmap - Oct 02 2011 09:35PM - John M. Martinelli (john martinelli redlevel org) (2 replies)
Opinions on Burp Suite Web App Scanner - Oct 12 2011 03:31PM - Derrenbacker, L. Jonathan (JDerrenbacker KSHGS com) (5 replies)
RE: Opinions on Burp Suite Web App Scanner - Oct 12 2011 04:41PM - Ben de Bont (bendebont gmail com) (1 replies)
Re: Opinions on Burp Suite Web App Scanner - Oct 19 2011 05:15AM - Meenal Mukadam (meenal mukadam gmail com) (1 replies)
Re: Opinions on Burp Suite Web App Scanner - Oct 21 2011 01:24PM - Yiannis Koukouras (ikoukouras gmail com)
Just an added note to the current replies (which are all great for hosts not in the local broadcast domain): It is almost certain that every device in your local network will respond to an ARP request. nmap does this by default anyway (-PR for local networks), but it's worth bearing in mind, as something local that won't respond to an ARP request is almost certainly not reachable.
S
----------------------------------------
> Date: Mon, 2 Jan 2012 12:03:42 -0500
> Subject: Re: Nmap
> From: juan.quine (at) gmail (dot) com [email concealed]
> To: pen-test (at) securityfocus (dot) com [email concealed]
>
> Sorry for the late answer...
>
> But when you scan for machines that do not answer to ping (that is,
> answer with an echo reply to each echo request), you could try using
> a timestamp request, which will return a timestamp reply, and also an
> information request, waiting for an information reply.
>
> Both could also be useful to detect equipment that does not answer to
> ping. And if you want something more "noisy", maybe a network discovery
> or a -P0 option.
>
> Here is a summary of message types with their port (for the ICMP protocol).
>
> 0 Echo Reply
> 3 Destination Unreachable
> 4 Source Quench
> 5 Redirect
> 8 Echo
> 11 Time Exceeded
> 12 Parameter Problem
> 13 Timestamp
> 14 Timestamp Reply
> 15 Information Request
> 16 Information Reply
>
> More detail on: http://www.faqs.org/rfcs/rfc792.html
>
> Hope it will be useful.
>
> Regards,
>
> Juan Pablo.
>
> On Sun, Oct 2, 2011 at 4:35 PM, John M. Martinelli
> wrote:
> > This would work but it would be kind of "noisy" to open port scan
> > every host. Also probably a little more time consuming.
> >
> > Adding in syn scan or open port scan will create more time required as
> > we're now looking for open ports. What if all ports are closed? Will
> > it respond to a certain type of ICMP?
> >
> > I think a great question to ask is: "What is the least-impactful way I
> > can very quickly determine what hosts are alive?" without a
> > traditional ping sweep.
> >
> > On Sat, Oct 1, 2011 at 10:37 PM, Jeffory Atkinson wrote:
> >>
> >> All depends on what you are trying to achieve. I would assume that you are not concerned about monitoring devices seeing you have done a ping sweep with nmap. I agree with others that a port scan is going to give you the best idea if a host is active. There are many instances where filtering devices can drop ICMP or respond for hosts behind them. Open ports and services are the best identifiers. A port has to be open in some form (open or filtered) to interact with in-bound connections. I would recommend a -sS (SYN) scan; you can opt for standard services or add -p1- for all 65k+ ports. All ports will verify any services/daemons running. There are other options if bandwidth is an issue.
> >>
> >>
> >> On Sep 30, 2011, at 5:17 PM, Ukpong wrote:
> >>
> >> > Can somebody suggest the best NMAP commands for identifying hosts that
> >> > are not responding to ICMP ping requests?
> >> >
> >> > ------------------------------------------------------------------------
> >> > This list is sponsored by: Information Assurance Certification Review Board
> >> >
> >> > Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
> >> >
> >> > http://www.iacertification.org
> >> > ------------------------------------------------------------------------
> >> >
> >>
> >
>
>
>
> --
>
> ===============================================
> |_|0|_| Ing Juan Quiñe, CISSP, OSCP, GISP, ISO 27001 LA, Cobit-F.
> |_|_|0| visita: http://hackspy.blogspot.com/
> |0|0|0| a.k.a. HaCKsPy - from Security Wari Projects, now PeruSEC
>
> "... hacking is a way to live your life, not a day job or semi-ordered
> list of instructions found in a thick book ..." Anthony Bunyan
> "... Live your life as if you will die tomorrow but learn as if you
> will live forever ..." Mahatma Gandhi
> "... Breaking a security system brings you as close to being hackers
> as hot-wiring cars makes you automotive engineers ..."
> "... Nothing is so important, nor so urgent, that it cannot be done
> safely ..."
>
>
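The thread above turns on two points: which ICMP types a host might answer when it ignores echo requests (Juan Pablo's table of RFC 792 types, with timestamp and information requests as the non-echo probes), and John's question of how to tell a live host with a minimal footprint. The following is an added example, not code from any poster in the thread. It parses raw ICMP messages against the type table from the post, verifies the RFC 1071 checksum, and counts inbound timestamp/information requests the way a monitoring device would flag them as discovery traffic; the "capture" is a few constructed messages built in the block itself, and the field layouts (8-byte header, three 32-bit timestamps for type 13) follow RFC 792.

```python
import struct
from dataclasses import dataclass

# ICMP type numbers as listed in the post above (RFC 792). Types 4, 15 and 16
# are deprecated today, so a modern host receiving them has something to notice.
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    4: "Source Quench",
    5: "Redirect",
    8: "Echo",
    11: "Time Exceeded",
    12: "Parameter Problem",
    13: "Timestamp",
    14: "Timestamp Reply",
    15: "Information Request",
    16: "Information Reply",
}

# The two non-echo request types the post proposes for hosts that ignore echo.
# Seen inbound, they are a reasonable indicator of host discovery activity.
NON_ECHO_PROBES = {13, 15}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, ident: int = 0,
               seq: int = 0, payload: bytes = b"") -> bytes:
    """Build an ICMP message: type, code, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


@dataclass
class IcmpMessage:
    icmp_type: int
    code: int
    ident: int
    seq: int
    name: str
    checksum_ok: bool
    discovery_probe: bool


def parse_icmp(data: bytes) -> IcmpMessage:
    """Decode the 8-byte ICMP header and verify the checksum over the whole message."""
    if len(data) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    # Summing a correct message with its checksum field included yields 0xFFFF,
    # so the complemented sum of the whole message is 0.
    checksum_ok = icmp_checksum(data) == 0
    return IcmpMessage(icmp_type, code, ident, seq,
                       ICMP_TYPES.get(icmp_type, "Unknown (%d)" % icmp_type),
                       checksum_ok, icmp_type in NON_ECHO_PROBES)


def count_discovery_probes(messages):
    """Count well-formed timestamp/information requests, by type name, in raw ICMP messages."""
    counts = {}
    for raw in messages:
        msg = parse_icmp(raw)
        if msg.checksum_ok and msg.discovery_probe:
            counts[msg.name] = counts.get(msg.name, 0) + 1
    return counts


# Constructed sample "capture" (not real traffic): the request kinds discussed
# in the thread. A timestamp request carries three 32-bit timestamps
# (originate/receive/transmit), an information request is header-only, and an
# echo request carries arbitrary data.
SAMPLE_CAPTURE = [
    build_icmp(8, ident=0x0001, seq=1, payload=b"abcd"),
    build_icmp(13, ident=0x1234, seq=1, payload=struct.pack("!III", 1000, 0, 0)),
    build_icmp(15, ident=0x1234, seq=2),
    build_icmp(13, ident=0x1234, seq=3, payload=struct.pack("!III", 2000, 0, 0)),
]

if __name__ == "__main__":
    for raw in SAMPLE_CAPTURE:
        m = parse_icmp(raw)
        print("type %2d %-20s checksum_ok=%s probe=%s"
              % (m.icmp_type, m.name, m.checksum_ok, m.discovery_probe))
    print(count_discovery_probes(SAMPLE_CAPTURE))
```

Run as a script it prints one line per message and the probe counts; on the constructed capture the count is two timestamp requests and one information request. The checksum check matters for the detection side: a message whose checksum does not verify is dropped by the receiving stack and never answered, so counting it would inflate the picture of what actually reached a host. Nmap's own switch for the type 13 probe is -PP (and -PE for type 8, -PR for the ARP ping mentioned at the top of the message); the post's -P0 is the older spelling of -Pn, which skips host discovery entirely.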