I have a simple method that I am using on four subnets to determine which registered IPs are actually up and active, and which ones can be removed.
Initially, I iterate through the list of domain names with this command:
sudo nmap -sS -O -v -oN $filename $name
$filename is my output file for that IP and $name is the domain name that was read in.
From that command, for all IPs that reported 'host down', I run this command:
sudo nmap -Pn -sS -O -v -oN $filename $name
Note that the only difference here is that I am now assuming the host is up, just to see what comes back.
In all the cases I've seen thus far, however, all the ports that are scanned are filtered, and since the host is assumed to be up, I don't have a way to verify that it actually is up after this second scan is run.
Any other ideas?
1) Hopefully you don't need to passively gather that information.
You could listen for traffic with something like tcpdump, wireshark, firewall logging, etc... over time gathering information as systems transmit data or otherwise do their thing.
2) Switches
If you have neat switches, they might tell you a bunch.
3) ARP
Firewalled systems may still respond to ARP requests, so you can get them to show themselves. You really only need to know the IP is being used right? Not if it will respond to anything.
Perhaps this would work...
Or more in combination by using nmap or something to attempt a connection, then logging the ARP reply at the same time with wireshark, etc....
Best for last, nmap has Arp Mode. I've never tried it.
https://nmap.org/book/nping-man-arp-mode.html
4) DHCP
If any addresses are DHCP addresses, the DHCP leases will show when they were last renewed.
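As an added example (not part of the answer above), here is the passive ARP idea from point 3 carried through: tcpdump captures ARP traffic, and a small awk filter records every IP that answered an ARP request, plus the IPs that were asked for but never replied. The interface name eth0 and the capture command are assumptions; the log lines are constructed to match tcpdump's ARP output format so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not the original answer's code: passively inventory live IPv4
# hosts from ARP replies seen by tcpdump. A host that drops every TCP/ICMP probe
# still has to answer ARP to hold an address on the local link.
#
# Live use (assumed interface name eth0, needs root):
#   sudo tcpdump -i eth0 -n -l arp 2>/dev/null | extract_arp_hosts
#
# Constructed sample in tcpdump's ARP line format (not captured traffic):
SAMPLE_ARP_LOG='12:00:01.000001 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 28
12:00:01.000120 ARP, Reply 10.0.0.5 is-at 52:54:00:aa:bb:cc, length 28
12:00:02.000001 ARP, Request who-has 10.0.0.9 tell 10.0.0.1, length 28
12:00:03.000001 ARP, Request who-has 10.0.0.7 tell 10.0.0.1, length 28
12:00:03.000090 ARP, Reply 10.0.0.7 is-at 52:54:00:dd:ee:ff, length 28
12:00:04.000050 ARP, Reply 10.0.0.5 is-at 52:54:00:aa:bb:cc, length 28'

# extract_arp_hosts: read tcpdump ARP lines on stdin and print each
# "IP MAC" pair that sent an ARP reply, once per unique pair.
extract_arp_hosts() {
    awk '$2 == "ARP," && $3 == "Reply" {
            ip = $4; mac = $6; sub(/,$/, "", mac)
            key = ip " " mac
            if (!(key in seen)) { seen[key] = 1; print key }
         }'
}

# count_live_hosts: number of distinct IP/MAC pairs that replied in the sample.
count_live_hosts() {
    printf '%s\n' "$SAMPLE_ARP_LOG" | extract_arp_hosts | wc -l | tr -d ' '
}

# unanswered_hosts: IPs that were asked for but never replied during the
# capture window (candidates to check before removing from the registry).
unanswered_hosts() {
    printf '%s\n' "$SAMPLE_ARP_LOG" | awk '
        $2 == "ARP," && $3 == "Request" { asked[$5] = 1 }
        $2 == "ARP," && $3 == "Reply"   { answered[$4] = 1 }
        END { for (ip in asked) if (!(ip in answered)) print ip }' | sort
}
```

Run the capture for a full working day or longer: a host that is powered off during a short window shows up as unanswered even though its address is still in use, so treat the unanswered list as a starting point for verification rather than a deletion list.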
If Nmap is reporting "host down" then you can assume with a high probability that there is no host using that IP address. The probes that were chosen for the default host discovery will get a response from the vast majority of networked systems, and is even better for directly-connected (same network link) systems because of the use of ARP probes, which are a prerequisite for IP communication over Ethernet-style links. That is to say, if it won't respond to an ARP request, it cannot have an IP address.
You say, "since the host is assumed to be up, I don't have a way to verify that it actually is up," but the truth is, it is probably not up. In fact, if all ports are filtered, it is nearly conclusively down. For all intents and purposes, nothing is willing to communicate using that IP address, which is all that "down" means.
Lastly, your scans will be much quicker if you allow Nmap to scan hosts in parallel by providing multiple target specifications on the command line or via the -iL input file option instead of using a shell loop to scan each one individually. Even if you are using backgrounding (&) to launch parallel nmap processes, you cannot beat the speed of Nmap's own adaptive parallelism.
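As an added example (not from the answer above or from the Nmap project), here is the -iL approach in practice: one Nmap run over the whole target list, written in greppable (-oG) format, then split into "up" and "down" lists with awk. The file names hosts.txt and sweep.gnmap are assumptions, and the greppable output below is constructed, not a real scan; it assumes -v was passed, since Nmap only records Status: Down lines at that verbosity.

```shell
#!/bin/sh
# Added example, not the original answer's code: let Nmap parallelise the host
# sweep itself (-iL) instead of a shell loop, and sort the greppable output into
# live and dead addresses for inventory clean-up.
#
# Real run (assumed file names; -sn is host discovery only, -PR forces an ARP
# ping on the local link, -v makes down hosts appear in the -oG file):
#   sudo nmap -sn -PR -v -iL hosts.txt -oG sweep.gnmap
#   classify_hosts < sweep.gnmap
#
# Constructed -oG sample (not real scan output):
SAMPLE_GNMAP='# Nmap scan initiated ... as: nmap -sn -PR -v -iL hosts.txt -oG sweep.gnmap
Host: 10.0.0.5 (web1.example.test)	Status: Up
Host: 10.0.0.9 ()	Status: Down
Host: 10.0.0.7 (db1.example.test)	Status: Up
Host: 10.0.0.12 ()	Status: Down
# Nmap done at ... -- 4 IP addresses (2 hosts up) scanned'

# hosts_with_status: read -oG lines on stdin, print the IP of every Host line
# whose Status matches $1 ("Up" or "Down"). Default awk field splitting handles
# both the tab Nmap emits and plain spaces.
hosts_with_status() {
    awk -v want="$1" '$1 == "Host:" && $0 ~ ("Status: " want "$") { print $2 }'
}

# classify_hosts: print both lists from a -oG file on stdin.
classify_hosts() {
    data=$(cat)
    echo "UP:";   printf '%s\n' "$data" | hosts_with_status Up
    echo "DOWN:"; printf '%s\n' "$data" | hosts_with_status Down
}

# Space-separated results for the embedded sample.
sample_up()   { printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_status Up   | tr '\n' ' ' | sed 's/ $//'; }
sample_down() { printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_status Down | tr '\n' ' ' | sed 's/ $//'; }
```

A host on the DOWN list is, as the answer says, almost certainly not using that address; if the registry says it should be, check the switch and DHCP lease data from the other answer before deleting it.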