I have a simple method that I am using on four subnets to determine which registered IPs are actually up and active, and which ones can be removed.
Initially, I iterate through the list of domain names with this command:
sudo nmap -sS -O -v -oN $filename $name
$filename is my output file for that IP and $name is the domain name that was read in.
From that command, for all IPs that reported 'host down', I run this command:
sudo nmap -Pn -sS -O -v -oN $filename $name
Note that the only difference here is that I am now assuming the host is up, just to see what comes back.
In all the cases I've seen thus far, however, all the ports that are scanned are filtered, and since the host is assumed to be up, I don't have a way to verify that it actually is up after this second scan is run.
Any other ideas?
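As an added example (not part of the original question), a small POSIX shell script that classifies the -oN reports produced by the two-stage procedure above; under -Pn nmap prints "Host is up" by assumption, so the only evidence that a host actually answered is an open or closed port. The hostnames, addresses and report contents are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: classify an nmap -oN report from
# the two-stage scan. "filtered" alone means nothing replied; an open port
# (SYN/ACK) or a closed port (RST) proves the host is alive.

# classify_scan FILE -> prints one of: down | up | unverified
classify_scan() {
    f="$1"
    if grep -Eq '^[0-9]+/(tcp|udp)[[:space:]]+(open|closed)' "$f" \
       || grep -Eq 'scanned ports on .* are (closed|open)' "$f"; then
        echo up          # at least one port replied: host is really up
    elif grep -q 'Host seems down' "$f"; then
        echo down        # first-stage result: no reply to ping probes
    else
        echo unverified  # -Pn run with every port filtered: no reply at all
    fi
}

# Constructed sample reports (placeholder names, RFC 5737 documentation IPs).
TMPD=$(mktemp -d)
cat >"$TMPD/down.txt" <<'EOF'
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
EOF
cat >"$TMPD/pn_filtered.txt" <<'EOF'
Nmap scan report for host-a.example.com (192.0.2.10)
Host is up.
All 1000 scanned ports on host-a.example.com (192.0.2.10) are filtered
EOF
cat >"$TMPD/pn_answered.txt" <<'EOF'
Nmap scan report for host-b.example.com (192.0.2.11)
Host is up (0.0021s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
443/tcp closed https
EOF

for r in down pn_filtered pn_answered; do
    printf '%s: %s\n' "$r" "$(classify_scan "$TMPD/$r.txt")"
done
```

Hosts classified as "unverified" are the ones the question describes: the -Pn scan cannot tell them apart from a dead address, so they need a different check (for example the DHCP or switch MAC tables) before the DNS record is removed.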