tips tools reconnaissance

SecurityTrails Blog · Aug 22 · SecurityTrails team

Top 7 IP Scanner Tools for Network Mapping

Reading time: 11 minutes

IP scanning, or IP mapping, is one of the oldest and most traditional tasks performed by people in all types of IT roles, from system administrators and network engineers to security researchers. When you’re working with a company with a large number of connected networks, managing all that IP address allocation could be somewhat tricky.

That’s why having a clear map of your IP address space enables you to identify your network parts quickly, and at the same time helps you manage the whole network in a more efficient way.

For security researchers, it’s the starting point of identifying potential vulnerable sub-networks and IP addresses, for performing deep reconnaissance tasks such as OS and service scanning, vulnerability scanning, and more.

That’s why today we’ll show you the top 10 IP scanner tools for better network management and IP address discovery-mapping.

7 Best IP scanner tools

Let’s take a look at the top IP scanner tools used by system administrators, network engineers and penetration testers.

1. Nmap IP Scanner

We can’t put any other tool in the number 1 spot. Nmap has been and will probably remain our favorite hacking tool for infosec research tasks, and that includes IP scanning as well.

We’ve written about Nmap before, back when we explored the best port scanners and showed how easy it is to scan any host when you’re seeking critical information such as open ports, OS version, and other pertinent details.

What many people don’t realize is that Nmap is the perfect tool for a network IP audit. So let’s use some Nmap commands and begin the process of discovering all the servers behind the network.

Here, we’re going to skip all port scans, using an option called “skip port scan”:

nmap -sP 192.168.1.0/24

This is the expected output:

[root@research ~]# nmap -sP 192.168.1.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-19 14:18 -03
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.0070s latency).
MAC Address: 8C:E1:17:D9:75:04 (zte)
Nmap scan report for brw707781769aef (192.168.1.5)
Host is up (0.11s latency).
MAC Address: 70:77:81:76:9A:EF (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.6 (192.168.1.6)
Host is up (0.17s latency).
MAC Address: 02:0F:B5:22:90:9C (Unknown)
Nmap scan report for 192.168.1.250 (192.168.1.250)
Host is up (0.081s latency).
MAC Address: 02:0F:B5:1C:48:C6 (Unknown)
Nmap scan report for research (192.168.1.2)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 8.50 seconds
[root@research ~]#

As you can see, no port scanning has taken place—instead we used Nmap to ping hosts and get a response from each one of them. This type of IP scanner feature is also called “ping sweep” or “ping scan”.

Performing this same scan on an Internet-connected server can yield a lot of interesting results.

[research@securitytrails.com:~]nmap -sP 208.xxx.252.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-19 13:24 EDT
Nmap scan report for xxx.xxx.ny1.xxxxx.net (208.xxx.xxx.49)
Host is up (0.00083s latency).
Nmap scan report for 208.xxx.xxx.51.provider.com (208.xxx.xxx.51)
Host is up (0.00034s latency).
Nmap scan report for 208.xxx.xxx.52.provider.com (208.xxx.xxx.52)
Host is up (0.00026s latency).
…
…
...
Nmap done: 256 IP addresses (48 hosts up) scanned in 10.28 seconds
[research@securitytrails.com:~]

Nmap can be installed in CentOS/RHEL and other Red Hat-based distros by using:

yum install nmap

If you’re using Ubuntu/Debian, then this should do the trick:

apt-get install nmap

2. ARP Scan

The ARP Scan Tool is another great resource for creating a full IP address map of any network. Arp-scan is quite useful for discovering all hosts within a specific network, even those that are protected behind firewalls.

Installing this tool in Red Hat-based systems merely requires you to run:

yum install arp-scan

Same for Debian/Ubuntu-based distros:

apt-get install arp-scan

To perform an IP scan with this IP scanner tool, you’ll need to run the following command:

arp-scan 192.168.1.0/24

This is the expected output:

[research@securitytrails.com ~]# arp-scan 192.168.1.0/24
Interface: wlp2s0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 8c:e1:17:d9:75:04 (Unknown)
192.168.1.5 70:77:81:76:9a:ef Hon Hai Precision Ind. Co.,Ltd.
192.168.1.7 f4:f5:d8:4e:26:8c Google, Inc.
192.168.1.3 02:0f:b5:95:4e:20 (Unknown)
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.890 seconds (135.45 hosts/sec). 4 responded
[research@securitytrails.com ~]#

If you’re working with a wireless network, you can also specify the type of network to scan by using:

arp-scan --interface=wlan0

This will let arp-scan scan the interface wlan0; you can replace that with your real interface name. Here’s a quick example:

[research@securitytrails.com ~]# arp-scan -interface=wlp2s0 -localnet
Interface: wlp2s0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 8c:e1:17:d9:75:04 (Unknown)
192.168.1.5 70:77:81:76:9a:ef Hon Hai Precision Ind. Co.,Ltd.
192.168.1.7 f4:f5:d8:4e:26:8c Google, Inc.
192.168.1.3 02:0f:b5:95:4e:20 (Unknown)
192.168.1.6 02:0f:b5:22:90:9c (Unknown)
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.902 seconds (134.60 hosts/sec). 5 responded
[research@securitytrails.com ~]#

3. Angry IP Scanner

Angry IP Scanner is one of the most popular IP address scanner tools available. It isn’t command line-based, but GUI-based instead, letting you scan your network from a fancy visual interface. You’ll be able to scan IP addresses to detect live hosts, and at the same time gather critical information about each one of them.

The only requirement to make it work in Linux is having Java installed, which is easy in most distributions.

Installation on Linux can be performed by downloading the pre-compiled packages from this link¹

Then install Java and the RPM or Deb package, as follows:.

CentOS/RHEL/Fedora:

yum install jre -y
rpm -i ipscan-3.6.0-1.x86_64.rpm

Ubuntu/Debian

apt-get install gdebi
gdebi ipscan_3.6.0_i386.deb

Once you’ve launch it from your desktop, you’ll see an easy-to-use interface that will allow you to scan IP ranges quickly, as shown here:.

Angry IP Scanner

4. Advanced IP Scanner

Advanced IP Scanner lets you scan your LAN and Wi-Fi network and give you real time information about all the connected devices. Apart from finding live hosts, it will also provide port scanning information, letting you build a complete IP address map of your entire network infrastructure.

Advanced IP Scanner features include:

  • Easy-to-use interface
  • Mac address detection
  • Fast network scanning speed
  • Can be run over remote desktop
  • Exports results into CSV format
  • Multi-platform support (Windows, Mac OSX and Linux)

Scanning an IP range is pretty easy: just launch the program, specify the range you want to scan and hit the Scan button. It will show you how many live hosts are found, as well as IP address, device description and assigned Mac address, as you see below:

Advanced IP Scanner

You can download this app from the official website.²

5. ARP command

Arp command³ is one of the most useful networking commands every network engineer, sysadmin and pentester should know about. Surprisingly, not all professionals are aware of this simple yet powerful command.

That’s why it’s nabbed the fifth spot in our list of the top IP scanner tools. ARP stands for Address Resolution Protocol, and is used to display or modify the kernel IPv4 network neighbor cache.

How does it work? Simple, just pass -a option to display the full list of all known IP addresses found in your local network. You’ll also be able to detect the exact ethernet device associated with all the IP addresses.

ARP Command

This test was run in a real cloud server and it’s super easy to find the IP neighbors from your own network. Here, a little blur-effect has been applied to hide the real hosts and IPs, but this is pretty enough to show you the hidden power behind the arp command as IP scanner tool.

6. Fping

Fping is a popular IP scanner tool, but for more than “scanning,” this IP mapping tool was created to improve the old-fashioned ping command (although it’s somehow different). Fping utilizes ICMP echo requests to check if a remote host is live or not. Unlike the classic ping command, fping can be run against a large number of hosts and IP ranges. And that’s why so many system administrators and network engineers have chosen it as the perfect tool to quickly check how many hosts are live within a specified network.

You can pass several IP addresses or ranges, or make fping parse a text file and launch the ICMP echo request against each one of the listed IP addresses, or IP-range, as well as subnets.

Installation of fping on CentOS/RHEL distros:

yum install fping -y

For Debian/Ubuntu-based distros simply run:

apt-get install fping

How can you use it? Easy, just type:

fping -s -g 192.168.1.2 192.168.1.252

That’s against an entire IP range; you can also specify a single IP instead.

At the end, it will display several useful stats about the results:

251 targets
6 alive
245 unreachable
0 unknown addresses
245 timeouts (waiting for response)
987 ICMP Echos sent
6 ICMP Echo Replies received
980 other ICMP received
0.10 ms (min round trip time)
80.4 ms (avg round trip time)
185 ms (max round trip time)
11.730 sec (elapsed real time)
[research@securitytrails.com ~]#

7. SecurityTrails IP Scanner

Classic command line tools are great, as well as others that include visual interfaces, but they often come with disadvantages when you’re using them to scan remote networks. There’s actually a better way to do it, without the risk of getting blocked by firewalls or IDS.

Our SecurityTrails products involve IP exploration as the #1 basic feature, when you need to know the IP address of any domain name, when analyzing the open ports of an IP address, or when you need to get the associated domains or IP neighbors of any IP address.

That’s why it’s easy for us to show you all the information you need for a specific IP address. Let’s take a look:

SecurityTrails IP Scanner

You can also explore IP neighbors by clicking the ‘IP Neighbors to 8.8.8.8’ button. This option will display all the IP neighbors for the specified IP address, as shown in this screenshot:

SecurityTrails IP Scanner IP Neighbors

Our free app and manual IP lookups will help you get IP scan results in seconds; however, when you need to automate the entire process, you’ll need the power of our SecurityTrails API.

Performing an IP scan with the SecurityTrails API

If you’re a developer or you’re working with a team of developers in your organization, you can take advantage of our IP scanning features and integrate this into your own applications.

For this goal, we offer the X endpoint, which will allow you to retrieve IP information within seconds by querying our intelligent API. This can be done with a simple request against our HTTP-based query system, using any client—such as curl, for example:

curl --request GET \
--url 'https://api.securitytrails.com/v1/ips/nearby/8.8.8.8?apikey=your_api_key'

Just replace “your_api_key” with your real API key.

You can also integrate this with many popular programming languages like Python, Javascript, NodeJS, Go, PHP, etc. Here’s an example with Python:

import requests
url = "https://api.securitytrails.com/v1/ips/nearby/8.8.8.8"
querystring = {"apikey":"your_api_key"}
response = requests.request("GET", url, params=querystring)
print(response.text)

SurfaceBrowser Total IP Blocks

If you want to take another step forward with access to the full IP blocks of any company, SurfaceBrowser™ is the perfect tool for your IP scanner tasks.

Let’s see how you can get the full IP address space of any organization within seconds.

As shown, you’ll get the total IP blocks for facebook.com in a single place. This includes a few summaries that reveal information ordered by the regional registrar.

In this case, the RR includes records from: ARIN (105), AT&T Bell Laboratories (50), RIPE NCC (35), PSINet (25), APNIC (18), AFRINIC (2).

You’ll also be able to get the full IP stats by IP subnet size, as well as the full information for each IP block, including IP count, unique user agents, RIR, hostnames and number of associated domains.

SurfaceBrowser Total IP Blocks

Once you’ve finished locating all the IP blocks you need, you can explore any of the blocks by clicking the IP and its subnet, where you’ll find details such as IP count, bitmask, base IP, broadcast IP, mask, host mask, service provider like ASN, organization and company behind this network.

SurfaceBrowser Total IP Blocks Explore

Conclusion

Clearly, there are a lot of IP scanner tools from which you can choose. Managing a large IP space can be quite complex if you’re not relying on any of them.

If you’re part of the infosec community, an IP scanner toolkit could be your best asset for automating your OSINT and intel-reconnaissance tasks.

Take safety and security to the next level: automate all your IP address exploration by using our powerful API. Sign up today for a free API account or book a demo with our sales team to test SurfaceBrowser™, our enterprise-grade product that will reveal the entire attack surface area of your company, including all of its IP address space.


¹ https://angryip.org/download/#linux
² https://www.advanced-ip-scanner.com
³ https://www.cisco.com/c/en/us/td/docs/routers/crs/software/ip-addresses/command/reference/b-ip-addresses-cr-crs/b-ipaddr-cr-crs_chapter_010.pdf