Which method is typically used to discover reachable hosts behind a firewall by sending ICMP Echo requests?

Direct TTL Probes rely on sending ICMP Echo requests with controlled TTL values to reveal hosts beyond a firewall. By setting a low TTL, probes either die at an intermediate router (producing Time Exceeded messages) or reach the actual destination, where an Echo Reply can confirm reachability. This approach helps identify which internal hosts are reachable from outside the firewall and can help map what lies beyond filtering. The other options aren’t about discovering hosts behind a firewall using ICMP Echo in the same way: IP Address Decoy is about spoofing addresses to mislead defenses; a packet builder is just a tool for crafting packets; and Source Routing concerns route selection rather than discovering internal hosts via ICMP.