You have plugged a test laptop into an unused switch port on the client's 10.20.30.0/24 network. The internal firewall drops ICMP echo traffic, and you must quickly enumerate which IP addresses are actually in use so you can focus subsequent scans. Which host-discovery technique will provide the most reliable results on this local subnet?
Sweep the range with ARP requests and collect any MAC-address replies
Query public certificate-transparency logs for the organization's domains
Attempt an internal DNS zone transfer to list hostnames
Perform a TCP SYN probe against port 80 on every address in the range
Sending ARP requests to every address (-PR in Nmap or an arp-scan sweep) is the fastest and most dependable way to discover live hosts on the same Layer-2 segment. Devices must reply to ARP to communicate, so this method works even when ICMP echo requests are filtered. A TCP SYN scan depends on specific ports being open and takes longer; certificate-transparency queries or DNS zone transfers enumerate names but do not confirm whether a system is currently online.