Cyber Security: What is a ping sweep?

A ping sweep is a basic network reconnaissance technique in which an automated tool sends ICMP echo request packets to a range of IP addresses and records which hosts respond. The result is a list of live, reachable systems on the target network, used as the starting point for deeper scanning.

How a ping sweep works

The tool iterates through each address in a defined range (for example, 192.168.1.0 to 192.168.1.255) and issues an ICMP echo request to each one. Devices configured to respond to ICMP send an echo reply, confirming they are powered on and routable. The scanner records the responding addresses and discards silent ones. Some tools also send TCP SYN packets to common ports or ARP requests on the local segment to detect hosts that ignore ICMP.

Common tools

Nmap is the most widely used scanner; the command nmap -sn 192.168.1.0/24 performs a ping sweep without port scanning. Other tools include fping, hping3, and Angry IP Scanner. On Windows networks, running the built-in arp -a command after sending an initial broadcast also reveals reachable hosts on the local subnet.

Use in penetration testing

Ping sweeps appear in the earliest reconnaissance phase of internal network engagements, where the tester needs to understand which addresses are populated before investing time in port scans or service enumeration. The technique is fast, low-noise on a well-tuned network, and easy to repeat. On external engagements, ping sweeps are less useful because most organisations block inbound ICMP at the perimeter; targeted TCP and UDP probes are used instead.

Detection and defence

Intrusion detection systems flag sweeps when they observe one source contacting many addresses in a short window. Defenders can reduce attack surface by blocking ICMP echo at the perimeter, by restricting which internal hosts respond, and by network segmentation so a single compromised host cannot see the entire estate. None of these prevent reconnaissance entirely, but they slow it and create detection opportunities.
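The "one source contacting many addresses in a short window" rule described above can be sketched as a sliding-window counter. This is an added example, not code from any IDS product; the record format ("seconds src dst icmp_type"), the 5-second window, the threshold of 20 distinct destinations, and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

ECHO_REQUEST = 8  # ICMP type for echo request; 0 is echo reply


def sample_events():
    """Constructed records: 'seconds_since_capture_start src dst icmp_type'."""
    lines = []
    for i in range(40):
        t = 0.1 * i
        # 10.0.0.5 probes 40 different addresses in under four seconds.
        lines.append(f"{t:.3f} 10.0.0.5 192.168.1.{i + 1} {ECHO_REQUEST}")
        # Echo replies from the probed hosts must not count as probes.
        lines.append(f"{t + 0.01:.3f} 192.168.1.{i + 1} 10.0.0.5 0")
        # 10.0.0.9 is a monitoring host pinging one gateway repeatedly.
        lines.append(f"{t:.3f} 10.0.0.9 192.168.1.1 {ECHO_REQUEST}")
        # 10.0.0.7 reaches 40 hosts too, but only one per minute.
        lines.append(f"{60.0 * i:.3f} 10.0.0.7 192.168.2.{i + 1} {ECHO_REQUEST}")
    return lines


def detect_sweeps(lines, window=5.0, threshold=20):
    """Return {src: peak distinct destinations} for sources that sent echo
    requests to at least `threshold` distinct addresses within `window` seconds."""
    events = []
    for line in lines:
        ts, src, dst, icmp_type = line.split()
        if int(icmp_type) == ECHO_REQUEST:
            events.append((float(ts), src, dst))
    events.sort()  # process in time order regardless of log order

    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst in events:
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, count in detect_sweeps(sample_events()).items():
        print(f"possible ping sweep from {src}: {count} hosts within window")
```

The slow source 10.0.0.7 is not flagged, which shows the limit of a fixed short window: a scanner that paces its probes stays under the threshold, so longer aggregation periods are needed to catch it.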

Related terms

See also: port scanning, Nmap, and ARP scan.
