Efficient Host Discovery on Local Networks
When scanning a target on the same Local Area Network (LAN) as your attacking machine, you can use techniques that rely on Layer 2 (Data Link) protocols, which are faster and sometimes less visible to basic network monitoring.
ARP (Address Resolution Protocol)
ARP is used to map an IP address to a physical MAC address on a local segment.
ARP Ping Scan
If you are on the same subnet as the target, you can send out ARP requests. Any host that replies is alive.
- Advantage: Faster than typical ICMP (ping) scans because the request and reply stay on the local segment; no Layer 3 routing is involved.
- Stealth: Often bypasses firewalls configured to block ICMP, as ARP operates at a lower network layer and a host must answer ARP requests to be reachable at all. Note that ARP requests are broadcast to every host on the segment, so a sniffer or switch-level monitoring on that segment still sees the sweep.
Nmap ARP Scan
Nmap automatically uses ARP scanning for host discovery when the targets are on the same local Ethernet segment and it runs with root privileges; the -PR option requests ARP ping explicitly.
```bash
nmap -PR 192.168.1.0/24
```
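As an added example (not part of the original page), here is what such a scan looks like from the monitoring side: a sliding-window check that flags a source MAC sending ARP who-has requests for many distinct IPs in a short time, which is the on-wire signature of an ARP ping sweep of a subnet. The log lines are constructed in tcpdump -e style, and the default window (5 s) and threshold (20 distinct targets) are assumptions to tune per segment.

```python
import re
from collections import Counter, defaultdict

# Matches a tcpdump-style ARP request line: "<epoch> <src mac> ... Request who-has <ip> tell <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b.*?"
    r"Request who-has (?P<target>\d{1,3}(?:\.\d{1,3}){3}) tell (?P<sender>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE)

def parse_arp_requests(lines):
    """Yield (timestamp, src_mac, target_ip) for every ARP who-has line; ignore the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield float(m.group("ts")), m.group("mac").lower(), m.group("target")

def detect_sweeps(lines, window=5.0, threshold=20):
    """Return {src_mac: peak_distinct_targets} for senders that asked who-has for
    at least `threshold` distinct IPs inside some `window`-second sliding window."""
    per_mac = defaultdict(list)
    for ts, mac, target in parse_arp_requests(lines):
        per_mac[mac].append((ts, target))
    flagged = {}
    for mac, reqs in per_mac.items():
        reqs.sort()                       # order by timestamp
        in_window, peak, left = Counter(), 0, 0
        for ts, target in reqs:
            in_window[target] += 1
            while ts - reqs[left][0] > window:   # expire requests older than the window
                old = reqs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))  # distinct targets currently in window
        if peak >= threshold:
            flagged[mac] = peak
    return flagged

# Constructed sample log: one host sweeping 192.168.1.1-30 in 3 s (what an ARP
# ping scan of a /24 looks like on the wire), plus a host doing normal ARP.
SWEEP_MAC, BENIGN_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
ARP_FMT = "{ts:.6f} {mac} > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.{ip} tell {me}, length 28"
SAMPLE_LOG = (
    [ARP_FMT.format(ts=1700000000 + i * 0.1, mac=SWEEP_MAC, ip=i + 1, me="192.168.1.100") for i in range(30)]
    + [ARP_FMT.format(ts=1700000000 + t, mac=BENIGN_MAC, ip=ip, me="192.168.1.50") for t, ip in ((2, 1), (30, 254), (60, 1))]
)

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG))   # {'aa:bb:cc:00:00:01': 30}
```

The benign host resolves only a few peers over a minute and is never flagged, while the sweeping host is reported with its peak of 30 distinct targets.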