Nmap – Host Discovery to Get MAC Address


I notice that nmap -sn no longer provides the MAC address for remote hosts, as discussed in "Can I use nmap to discover IPs and mac addresses?"

I would like to get something like netdiscover output. Just IP & MAC Address only.

Nmap version 7.80

wolf@linux:~$ nmap -V
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu

e.g.

wolf@linux:~$ nmap -sn -oG - 10.10.10.*
# Nmap 7.80 scan initiated Wed May 20 12:38:57 2020 as: nmap -sn -oG - 10.10.10.*
Host: 10.10.10.1 () Status: Up
Host: 10.10.10.2 () Status: Up
Host: 10.10.10.3 () Status: Up
# Nmap done at Wed May 20 12:38:59 2020 -- 256 IP addresses (3 hosts up) scanned in 2.25 seconds
wolf@linux:~$ 

Best Answer

First of all, you won't be able to see the MAC address if -oG - is being used (even with root/sudo).

user@linux:~$ sudo nmap -n -sn 10.10.10.* -oG -
# Nmap 7.60 scan initiated Sat May 29 12:10:09 2020 as: nmap -n -sn -oG - 10.10.10.*
Host: 10.10.10.1 () Status: Up
Host: 10.10.10.2 () Status: Up
Host: 10.10.10.3 () Status: Up
# Nmap done at Sat May 29 12:10:11 2020 -- 256 IP addresses (3 hosts up) scanned in 2.31 seconds
user@linux:~$ 

Second, even after -oG - is removed, you still won't be able to see the MAC address.

user@linux:~$ nmap -n -sn 10.10.10.*

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-29 12:11 +00
Nmap scan report for 10.10.10.1
Host is up (0.00086s latency).
Nmap scan report for 10.10.10.2
Host is up (0.0020s latency).
Nmap scan report for 10.10.10.3
Host is up (0.00082s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.71 seconds
user@linux:~$ 

Run it as root or with sudo so that nmap can send raw packets in order to get the remote MAC.

user@linux:~$ sudo nmap -n -sn 10.10.10.*

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-29 12:11 +00
Nmap scan report for 10.10.10.2
Host is up (0.00022s latency).
MAC Address: AA:AA:AA:AA:AA:02 (NIC manufacturer here)
Nmap scan report for 10.10.10.1
Host is up (-0.100s latency).
MAC Address: AA:AA:AA:AA:AA:01 (NIC manufacturer here)
Nmap scan report for 10.10.10.3
Host is up (0.00061s latency).
MAC Address: AA:AA:AA:AA:AA:03 (NIC manufacturer here)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.60 seconds
user@linux:~$
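
The following is an added example, not part of the original answer: a filter that reduces the normal output of the privileged scan above to netdiscover-style "IP MAC" lines, which is useful for asset inventory. The function names `ip_mac_pairs` and `sample_scan`, the host name `gw.example` and the host 10.10.10.4 are assumptions made for illustration; a host that reports no MAC Address line is printed with "-".

```shell
#!/bin/sh
# Added example: turn nmap normal output into "IP MAC" pairs.

# ip_mac_pairs: reads nmap normal output on stdin, prints one "IP MAC" line per host.
ip_mac_pairs() {
    awk '
        # A new host record starts here: flush the previous host first.
        /^Nmap scan report for / {
            if (ip != "") print ip, (mac != "" ? mac : "-")
            ip = $NF              # last field is IP, or "(IP)" when a name precedes it
            gsub(/[()]/, "", ip)
            mac = ""
            next
        }
        # Third field is the address; the vendor string in parentheses is dropped.
        /^MAC Address: / { mac = $3; next }
        END { if (ip != "") print ip, (mac != "" ? mac : "-") }
    '
}

# Constructed sample in the same shape as the sudo output shown in the answer.
# The named host and the host without a MAC line are constructed edge cases.
sample_scan() {
    cat <<'EOF'
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-29 12:11 +00
Nmap scan report for 10.10.10.2
Host is up (0.00022s latency).
MAC Address: AA:AA:AA:AA:AA:02 (NIC manufacturer here)
Nmap scan report for gw.example (10.10.10.1)
Host is up (0.00086s latency).
MAC Address: AA:AA:AA:AA:AA:01 (NIC manufacturer here)
Nmap scan report for 10.10.10.4
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.60 seconds
EOF
}

# Live use, with sudo as the answer requires for MAC lines to appear:
#   sudo nmap -n -sn 10.10.10.* | ip_mac_pairs
sample_scan | ip_mac_pairs
```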