We can ping every IP address on a target network and see who responds to our ping requests (ICMP Type 8, Echo Request) with a ping reply (ICMP Type 0, Echo Reply).
However, this is not always reliable, as many firewalls block ICMP echo (for example, Windows hosts are configured to block ICMP echo by default).
Remember that an ARP query will precede the ICMP request if the target is on the same subnet.
In the example below, we scanned the target’s subnet using nmap -PE -sn MACHINE_IP/24. This scan will send ICMP echo packets to every IP address on the subnet. Again, we expect live hosts to reply; however, it is wise to remember that many firewalls block ICMP.
With Wireshark, we can see that we have one source IP address on a different subnet than that of the destination subnet, sending ICMP echo requests to all the IP addresses in the target subnet to see which one will reply.
Because ICMP echo requests tend to be blocked, we might also consider ICMP Timestamp requests (ICMP Type 13, answered by a Timestamp Reply, Type 14) or ICMP Address Mask requests to tell if a system is online:
Adding the -PP option tells Nmap to use ICMP timestamp requests:
Similar to the previous ICMP scan, this scan will send many ICMP timestamp requests to every valid IP address in the target subnet. In Wireshark we can see one source IP address sending ICMP packets to every possible IP address to discover online hosts.
Similarly, Nmap uses address mask queries (ICMP Type 17) and checks whether it gets an address mask reply (ICMP Type 18). This scan can be enabled with the option -PM.
If one type of packet is being blocked, we can always choose another to discover the target network and services.
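Seen from the defender's side, the three sweeps above (echo with -PE, timestamp with -PP, address mask with -PM) share one signature in a capture: a single source sending one ICMP request type to many distinct hosts in the same subnet. The Python below, added here as an illustration and not part of the original write-up or of Nmap, flags that pattern over constructed sample records; the "src dst icmp_type" record format, the addresses and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# ICMP request types the text walks through, with the Nmap option that emits them.
PROBE_TYPES = {8: "echo request (-PE)", 13: "timestamp request (-PP)", 17: "address mask request (-PM)"}

# Constructed sample records, not real capture data: "src dst icmp_type" per line.
SAMPLE_LINES = (
    [f"10.10.0.5 192.168.1.{i} 8" for i in range(1, 31)]       # echo sweep of a /24
    + [f"10.10.0.5 192.168.1.{i} 13" for i in range(1, 13)]    # timestamp sweep
    + ["192.168.1.3 10.10.0.5 0", "192.168.1.3 10.10.0.5 14"]  # replies, not probes
    + ["192.168.1.7 192.168.1.1 8", "192.168.1.7 8.8.8.8 8"]   # ordinary pings
)

def parse_lines(lines):
    """Parse 'src dst icmp_type' records into (src, dst, type) tuples."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        src, dst, icmp_type = parts
        records.append((ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), int(icmp_type)))
    return records

def detect_icmp_sweeps(records, prefix=24, threshold=10):
    """Return {(src, subnet, icmp_type): distinct destination count} for every
    source that sent one probe type to >= threshold distinct hosts in a /prefix."""
    seen = defaultdict(set)
    for src, dst, icmp_type in records:
        if icmp_type not in PROBE_TYPES:
            continue  # echo/timestamp/mask replies and other ICMP are not probes
        subnet = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        seen[(str(src), str(subnet), icmp_type)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items() if len(dsts) >= threshold}

def describe(hits):
    """Alert lines, noting when the source lies outside the subnet it swept."""
    out = []
    for (src, subnet, icmp_type), count in sorted(hits.items()):
        outside = ipaddress.ip_address(src) not in ipaddress.ip_network(subnet)
        where = "from outside the subnet" if outside else "from inside the subnet"
        out.append(f"{src} sent {PROBE_TYPES[icmp_type]} to {count} hosts in {subnet} {where}")
    return out

if __name__ == "__main__":
    for line in describe(detect_icmp_sweeps(parse_lines(SAMPLE_LINES))):
        print(line)
```

Feeding the same functions with records exported from a real capture (for example one source, destination and ICMP type per line) will surface the "one source, every address in the subnet" pattern the Wireshark view above shows, regardless of which of the three request types the scanner chose.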