Network Scanning Tools (part 2)

In this second article we continue to look at Network Scanning / Mapping tools that are available for Pentesting and Ethical Hacking.

A few weeks ago we launched a poll asking which tool you consider to be your top network scanner. Here we examine options 6-10: what they are, their key features, and some examples. For options 1-5, see Network Scanning Tools (part 1).


Netdiscover

Below is a description of this tool according to the author:

Netdiscover is a network address discovering tool, developed mainly for those wireless networks without DHCP* server, it also works on hub/switched networks. It's based on ARP** packets, it will send ARP requests and sniff for replies.


* DHCP – Dynamic Host Configuration Protocol
** ARP – Address Resolution Protocol

A further explanation is:

Netdiscover is an active/passive ARP reconnaissance tool, initially developed to gain information about wireless networks without DHCP servers in wardriving* scenarios. … Built on top of libnet and libpcap, it can passively detect online hosts or search for them by sending ARP requests.

* Wardriving – searching for wireless networks, usually in a moving vehicle, using a laptop or smartphone.

Example of a netdiscover -i wlan0 request to find hosts connected to the same network. MAC Addresses have been blurred for privacy.
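
A sketch of how passive ARP discovery of the kind described above can work, as an added example that is not netdiscover's own code: it parses Ethernet/IPv4 ARP frames and records each sender's IP and MAC address. The frames, the addresses and the helper make_frame are constructed for the illustration; a real tool would read frames from a capture library such as libpcap.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip) or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 14 + struct.calcsize(ARP_FMT):
        return None  # truncated frame
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None  # some other EtherType
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), socket.inet_ntoa(spa)

def discover(frames):
    """Map sender IP -> set of MACs; requests and replies both reveal the sender."""
    hosts = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _oper, smac, sip = parsed
        if sip != "0.0.0.0":  # ARP probes carry no sender IP yet
            hosts.setdefault(sip, set()).add(smac)
    return hosts

def make_frame(oper, smac, sip, tmac, tip):
    """Build a constructed test frame (hypothetical helper for the sample data)."""
    dst = b"\xff" * 6 if oper == 1 else tmac
    return (dst + smac + struct.pack("!H", ETH_P_ARP) +
            struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, smac,
                        socket.inet_aton(sip), tmac, socket.inet_aton(tip)))

# Constructed sample: locally administered MACs, RFC 5737 documentation IPs.
A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [
    make_frame(1, A, "192.0.2.10", bytes(6), "192.0.2.20"),  # who-has .20
    make_frame(2, B, "192.0.2.20", A, "192.0.2.10"),         # .20 is-at B
    make_frame(1, A, "0.0.0.0", bytes(6), "192.0.2.30"),     # ARP probe
    bytes(12) + b"\x08\x00" + bytes(28),                     # IPv4 frame, skipped
]

if __name__ == "__main__":
    for ip, macs in sorted(discover(SAMPLE).items()):
        print(ip, ", ".join(sorted(macs)))
```

An IP address that maps to more than one MAC in the resulting table is worth a second look on a monitored network, since it indicates either an address conflict or ARP spoofing.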



Nmap

Nmap (Network Mapper) is a utility for network discovery and security auditing. It uses IP packets to determine available hosts on a network together with the services being offered, the O.S. (Operating System) they are running, packet filters/firewalls in use, and other characteristics.

Example of nmap performing a scan with option -A (enable OS detection, version detection, script scanning, and traceroute) for a single host on the local network. MAC address and fingerprint have been blurred for privacy.



Recon-ng

Recon-ng is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.


Although this tool is a framework with a look and feel similar to Metasploit, the author points out that recon-ng is not a competitor; it is designed specifically for web-based reconnaissance.

The Recon-ng framework contains a number of modules that require credentials (API keys, OAuth access tokens, etc.) in order to access third-party resources.

Recon-ng uses Python and there is a Development Guide containing information for those interested in building/maintaining modules.

Example (part A) of recon-ng startup, installing and loading the whois_miner module, then displaying module information.

Example (part B) of setting a recon-ng parameter for the whois_miner module, then re-displaying the information and running the module itself.



theHarvester

A very simple, yet effective tool designed to be used in the early stages of a penetration test. Use it for open source intelligence* gathering and helping to determine a company’s external threat landscape on the internet. The tool gathers emails, names, subdomains, IPs, and URLs using multiple public data sources.


* Open Source Intelligence – OSINT

An alternative description which expands upon ‘public data sources’ explains that:

theHarvester is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/banners, and employee names from different public sources (search engines, PGP key servers).

On the homepage there are two sections listing the Passive and Active public data sources used by the tool.

theHarvester uses a number of modules (e.g. bing, github, hunter, intelx and others) that require API keys to be set up. Documentation about this can be found here.

Example of theHarvester being run and specifying the source ‘google’ to search in as well as the domain ‘’ to search for.



Wireshark

Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course).

Example of Wireshark analyzing local network traffic using wireless adapter wlan0. Some IP and MAC addresses have been blurred for privacy.


If you want to participate in our poll then please go to the Top Network Scanner page.

If you have any questions or comments on the above please feel free to add them below.
