Scanning and reconnaissance using Nmap

In this section, we will look at scanning subnets, and performing recon of a network using Nmap. Nmap is the Swiss army knife of recon, discovery, and identification of hosts and services in a network. Before we go in and run scans, let's take a look at how Nmap works.

Ping sweeps are very handy when it comes to discovering live hosts in a network. This type of scan involves sending an ICMP ECHO Request to each host in the network and then identifying which ones are alive based on the responses:

From the diagram, we can see that some hosts responded with an ICMP ECHO Reply, whereas some did not. Based on which hosts replied, we can identify which hosts are alive.

In a ping sweep scan, we provide Nmap with a network range, typically a network address and its prefix length in CIDR notation. Our AWS machines are hosted in the default subnet of AWS. The subnet is designated as 172.31.0.0/20. This means the network address is 172.31.0.0 and /20 is the CIDR prefix length. In other words, the network's subnet mask is 255.255.255.240 and can hold a total of 4094 IP addresses.

Let's go ahead and perform a ping sweep inside our network. In order to do so, we will use the -sn flag of nmap. The -sn flag instructs nmap to perform host discovery only (no port scan), and the 172.31.0.0/20 argument tells nmap that the target is a network range. Note that when run as root on a directly attached Ethernet segment, nmap discovers hosts with ARP requests rather than ICMP, and a host whose firewall drops all probes will not appear as alive. SSH into the Kali machine and issue the following command:

sudo nmap -sn 172.31.0.0/20

The output of the preceding command is as follows:

From the output, we can see that nmap has identified five hosts that are alive. Excluding the 172.31.0.1 and 172.31.0.2 addresses, there are three hosts in the network that are alive: our Kali machine, the vulnerable Windows machine, and the Ubuntu machine.
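As an added example that is not part of the book, the following Python helper expands the CIDR range used above and parses nmap's greppable output (the -oG - option) to list only the hosts reported as up, then drops addresses outside the authorised range or on an exclude list. The sample scan output embedded in the script is constructed for illustration, not the book's own output.

```python
import ipaddress
import re

# Constructed sample of `nmap -sn -oG - 172.31.0.0/20` output; it is not the
# book's own scan output, which this excerpt does not reproduce.
SAMPLE_GREPABLE = """\
# Nmap 7.93 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn -oG - 172.31.0.0/20
Host: 172.31.0.1 ()\tStatus: Up
Host: 172.31.0.2 ()\tStatus: Up
Host: 172.31.5.10 (ip-172-31-5-10.ec2.internal)\tStatus: Up
Host: 172.31.7.23 ()\tStatus: Up
Host: 172.31.9.4 ()\tStatus: Up
# Nmap done at Mon Jan  1 00:00:05 2024 -- 4096 IP addresses (5 hosts up) scanned in 5.02 seconds
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")

def describe_range(cidr: str) -> dict:
    """Expand CIDR notation into the values a ping sweep works with."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        # Classic usable-host count: total addresses minus network and broadcast.
        "usable_hosts": net.num_addresses - 2,
    }

def parse_live_hosts(grepable: str) -> list:
    """Return (ip, hostname) for every 'Status: Up' line in -oG output."""
    live = []
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            live.append((m.group(1), m.group(2) or None))
    return live

def in_scope(hosts, cidr: str, exclude=()):
    """Keep only hosts inside the authorised range and not on the exclude list."""
    net = ipaddress.ip_network(cidr)
    skip = {ipaddress.ip_address(e) for e in exclude}
    return [(ip, name) for ip, name in hosts
            if ipaddress.ip_address(ip) in net and ipaddress.ip_address(ip) not in skip]

if __name__ == "__main__":
    up = parse_live_hosts(SAMPLE_GREPABLE)
    # AWS VPC reserves the first addresses of each subnet (router at .1, DNS at .2),
    # so they are excluded, as in the text, leaving the three lab machines.
    for ip, name in in_scope(up, "172.31.0.0/20", exclude=("172.31.0.1", "172.31.0.2")):
        print(ip, name or "")
```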

Next, we'll learn how to scan for open ports and identify services on a particular host.
