Home > Features > Network Scanners

Network Scanners

The network scanners connect your Biscuit device to a WiFi network and scan for devices and services on the local network from the inside. This is different from the WiFi scanning modes (which passively monitor the airwaves from the outside) – these tools actively join a network and probe it.


How It Works

  1. Navigate to WiFi Tools > Scanners tab.
  2. Choose a scan type.
  3. Enter the WiFi SSID (network name) and password of the network you want to scan.
  4. Tap Start.

The Biscuit device connects to the specified WiFi network using the provided credentials, then performs the selected scan against all reachable hosts on the local network. Results appear in real-time as hosts are discovered.

Your WiFi credentials are saved locally in the app so you do not need to re-enter them each time.

Note: The device must be able to connect to the target network. Make sure the SSID and password are correct and that the network is within range.


Ping Scan

Send ICMP echo requests (pings) to discover alive hosts on the network.

What it does: Sends a ping to every IP address in the local subnet and reports which ones respond. This is the fastest way to find out what devices are on a network.

What you see: A list of IP addresses that responded, along with response times.

Tips:

  • Some devices (especially IoT devices and firewalled hosts) may not respond to ICMP pings. Use ARP Scan if you suspect there are hidden devices.
  • Ping scan is a good starting point before running more detailed scans.

ARP Scan

Send ARP (Address Resolution Protocol) requests to discover devices at the link layer.

What it does: Sends ARP requests across the local network to map IP addresses to MAC addresses. ARP operates at a lower layer than ICMP, so it can discover devices that do not respond to ping.

What you see: A list of discovered devices showing:

  • IP Address – The device’s IP address on the network
  • MAC Address – The device’s hardware MAC address
  • Vendor – The manufacturer name (identified from the MAC address OUI database)

Tips:

  • ARP scan is more thorough than ping for device discovery because devices must respond to ARP requests to communicate on the network – they cannot simply ignore them like they can with ICMP.
  • The vendor name can help you identify what a device is (e.g., “Apple” for iPhones, “Amazon” for Echo devices, “Espressif” for ESP32-based IoT gadgets).

Port Scan

Scan TCP ports on discovered hosts to find running services.

What it does: Probes common TCP ports on each host to determine which ones are open and accepting connections. Open ports indicate running services.

What you see: For each host, a list of open ports and the services they typically correspond to. Common examples:

Port Service
22 SSH (Secure Shell)
23 Telnet
53 DNS
80 HTTP (Web Server)
443 HTTPS (Secure Web Server)
554 RTSP (IP Cameras)
3389 RDP (Remote Desktop)
8080 HTTP Alternate

Tips:

  • Port scanning takes longer than ping or ARP scans since it must attempt connections to multiple ports on each host.
  • You can optionally filter to scan only hosts that were previously discovered by a ping or ARP scan, which saves time.
  • Finding unexpected open ports (like Telnet on a modern device) can indicate security issues worth investigating.

SSH Scan

A quick, targeted scan specifically for SSH services (port 22) across the network.

What it does: Checks every host on the local network for an open SSH port. This is faster than a full port scan when you only need to find SSH-accessible devices.

What you see: A list of IP addresses with SSH port 22 open, along with their MAC addresses and vendor names.

Tips:

  • SSH is the standard remote management protocol for Linux servers, routers, and many IoT devices.
  • Finding SSH on unexpected devices can indicate misconfiguration or devices that warrant closer security review.

Telnet Scan

A quick, targeted scan specifically for Telnet services (port 23) across the network.

What it does: Checks every host on the local network for an open Telnet port. Telnet is an older, unencrypted remote access protocol that transmits credentials in plain text.

What you see: A list of IP addresses with Telnet port 23 open, along with their MAC addresses and vendor names.

Tips:

  • Telnet is commonly found on IoT devices, legacy network equipment (older routers and switches), and embedded systems.
  • Telnet sends all data (including passwords) in plain text, making it a significant security risk. Devices with open Telnet ports should be flagged for security review.
  • Many IoT botnets (like Mirai) spread by scanning for devices with open Telnet ports and default credentials.

General Tips

  • Start with a Ping or ARP scan to discover what is on the network, then use Port, SSH, or Telnet scans to dig deeper into specific hosts.
  • ARP scan is more reliable than ping for initial discovery, especially on networks with firewalled devices.
  • WiFi credentials are saved between scans, so switching between scan types is quick.
  • These scanners connect the Biscuit device to the target network. While connected, the device is visible to other devices on that network. Keep this in mind during stealth assessments.