Ethical Hacking Series: 1. Network Mapping and Target Identification using ArpScan, Nmap and Zenmap



One of the first phases of a network security assessment is network mapping, which identifies devices on the network. In this Lab, we will use a variety of tools in Kali Linux to map out a local network and identify targets by discovering hosts on it. We will understand the difference between how tools scan local networks and remote networks. We will also understand the detection capabilities of each approach.

Lab Objectives

Upon completion of this Lab you will be able to:

  • Scan for active network devices using the following tools:
    • The ARP Scanner (command line tool)
    • Nmap (command line tool)
    • Zenmap (graphical user interface)
  • Understand the approaches taken for scanning local networks versus remote networks, including the types of request packets used

Network Mapping Using The ARP Scan Tool


The Lab host includes a Kali Linux virtual machine. Kali Linux is an Advanced Penetration Testing Linux distribution used for Penetration Testing, Ethical Hacking and network security assessments. Kali Linux includes several network scanning tools. In this Lab Step, we will focus on the ARP scanner arp-scan.

arp-scan uses Address Resolution Protocol (ARP) packets to discover all active IPv4 devices in a local network. Devices must respond to ARP requests or else they cannot communicate on the network. This holds true for both Ethernet (wired) and Wi-Fi connected devices. This makes arp-scan an effective tool for discovering devices, even those protected by a firewall designed to hide their presence.

  1. At the prompt type the following command and press enter to issue the command:
arp-scan --localnet

After a couple of seconds, arp-scan completes scanning the local network (IPv4 addresses in the range of – The IPv4 address followed by the MAC address of each device is displayed in the output table. The network gateway with IP address of is discovered along with the network interfaces of two other virtual machines.

  2. Display the manual for arp-scan to see where you can learn more:
man arp-scan


In this Lab Step, we used arp-scan to discover all devices on the local network. arp-scan can effectively discover all active IPv4 devices because it uses ARP packets which devices must respond to in order to communicate over the network. ARP is not routable so scanning is restricted to local networks when using ARP.

Network Mapping Using Nmap


Nmap is a well-known network scanning tool. It can be used for a multitude of security purposes. This Lab Step focuses on using nmap to discover hosts on the local network. When used to discover hosts on a local network, nmap will use ARP because it is more efficient than IP packets for discovery.

When used to discover hosts outside of the local network, nmap will use IP-based requests including ICMP (ping requests) and TCP. This makes nmap a more versatile tool than arp-scan for discovering hosts. nmap is also compatible with IPv6.


1. In your Kali Linux terminal, enter the following command to discover hosts on the local network:

nmap -sn is the CIDR notation for the local network IPv4 address range. The output summary shows that 4 hosts are up. nmap includes the Kali Linux host you are currently using ( with IPv4 address of Besides that, nmap discovers the same hosts that arp-scan did.

2. Open a second terminal window by clicking File > New Window:


3. In the new terminal window, issue the following command:

tcpdump -i eth0 arp

The given tcpdump command outputs any ARP traffic on the eth0 network interface (the interface used to communicate on the network). This will give you insight into what nmap is doing to discover hosts.

4. In the first terminal window, re-issue the following command:

nmap -sn

5. Watch the output being written to the second terminal window:

We can see that nmap is indeed using ARP packets to discover hosts when scanning the local network. The output shows nmap sequentially sends ARP requests to each IP address on the local network to perform the host discovery.
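
The same capture seen from the defender's side, as an added example that is not part of the original lab: a Python sketch that reads `tcpdump -n -i eth0 arp` style lines and flags any sender that asks for many distinct addresses in a short window, which is the pattern the sequential ARP requests above produce. The sample lines are constructed (192.0.2.0/24 documentation addresses), and the function names, the 2-second window and the threshold of 5 targets are assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -i eth0 arp` output (not captured in the lab).
# Addresses are from the 192.0.2.0/24 documentation range; .50 plays the scanner.
SAMPLE = "\n".join(
    ["10:15:01.000100 ARP, Request who-has 192.0.2.1 tell 192.0.2.20, length 28",
     "10:15:01.000400 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28"]
    + [f"10:15:07.{i:02d}0000 ARP, Request who-has 192.0.2.{i} tell 192.0.2.50, length 28"
       for i in range(1, 9)]
    + ["10:15:40.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.20, length 28"])

# tcpdump may print the target MAC in parentheses after the target IP.
REQ = re.compile(r"^(\d+):(\d+):(\d+\.\d+) ARP, Request who-has (\S+)"
                 r"(?: \(\S+\))? tell (\S+),")

def parse_requests(text):
    """Yield (seconds_since_midnight, sender_ip, target_ip) per ARP request line."""
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            h, mi, s, target, sender = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), sender, target

def find_arp_sweeps(text, window=2.0, threshold=5):
    """Return {sender: most distinct targets asked for within `window` seconds}
    for every sender that reaches `threshold` (both values are assumptions)."""
    by_sender = defaultdict(list)
    for ts, sender, target in parse_requests(text):
        by_sender[sender].append((ts, target))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in events[start:end + 1]}))
        if best >= threshold:
            flagged[sender] = best
    return flagged

if __name__ == "__main__":
    print(find_arp_sweeps(SAMPLE))
```

A host that only re-resolves its gateway, like 192.0.2.20 in the sample, stays below the threshold, while the sweep from 192.0.2.50 is reported with its target count.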


In this Lab Step, we used nmap to discover hosts on the local network. Similar to arp-scan, nmap uses ARP to discover hosts on the local network because it is more efficient and effective. However, when discovering hosts outside of the local network, nmap is able to use other types of requests, making it more versatile than arp-scan.

Network Mapping Using Zenmap


Zenmap is an official cross-platform graphical user interface (GUI) for Nmap. Zenmap makes it easier to begin using Nmap and also provides features useful for advanced users. It offers a variety of convenient features including:

  • Save frequently used scans
  • Interactive command creator
  • Save scan results for later viewing
  • Compare two scan results by highlighting their differences
  • Recent scan results are indexed in a searchable database

In this Lab Step, we will familiarize ourselves with Zenmap and use it to discover hosts on the local network.


1. Click the eye icon in the left toolbar to open Zenmap:


Alternatively, you can open Zenmap from the terminal by entering zenmap.

The Zenmap GUI appears:

The GUI includes elements for constructing and issuing nmap commands at the top including:

  • Target: The target specification you are considering, such as the local subnet
  • Profile: A list of saved commands to choose from
  • Command: The command to run. This can be generated using a profile or manually entered.
  • Scan: Issue the command to begin the scan
  • Cancel: Cancel a running command

The lower portion of the GUI is for presenting scan results.

2. Select Ping Scan from the Profile drop-down menu:


Notice the Command changed to nmap -sn. This is the same command we used to scan the local network. When targeting a local network, ARP packets are used instead of ICMP (Ping) packets.

3. Click Scan to run the command:

The Nmap Output tab displays the command that was issued in a drop-down menu with the command output below it. You can use the drop-down menu to select previously issued commands and view their output at your convenience. The output indicates that No targets were specified, so 0 hosts were scanned. Zenmap will not try to infer a target or use a default when one is not provided.

4. Enter in the Target field and click Scan


Notice the Target is automatically appended on the end of the Command. The output is updated:

The left panel lists the hosts that are discovered. The ARP scan doesn’t include any information to identify the operating systems (OS), so a question mark icon is shown in that column.

5. Click the Topology tab to view a network topology and then click one of the green nodes to draw the topology in a more readable format:

Zenmap draws a topology from the scan output, using the information it has available. Each ring represents a hop in the network.

6. Click the black node representing localhost:

Based on the scan results, Zenmap knows that all of the discovered hosts are one hop away from the host running the scan.


In this Lab Step, we learned how to use Zenmap, the official GUI for nmap, and interpret its results.

Happy Learning !!
