
I am trying to find the live hosts on my network using nmap. I am scanning the network in Ubuntu using the command sudo nmap -sP 192.168.2.1/24. However, I am unable to find the live hosts. I just get the network address of my own PC as live. When I see the DHCP client list through my browser (my router can be accessed via browser using my network IP), I get around 10 live hosts on the network. Can anyone tell me the reason why this could be happening and how do I find the live hosts on my network?

d-cubed
TheRookierLearner

  • I usually do this: `nmap -sn 192.168.2.0/24`, where `-sn` = disable port scan. – HamZa May 19 '13 at 20:21
  • @HamZaDzCyberDeV Yes, `-sn` is the new standard argument, but it used to be `-sP`, so @TheRookierLearner's command should still work. – bonsaiviking May 20 '13 at 14:21
  • `-sn` is the same as `-sP`, as mentioned here: https://github.com/nmap/nmap/blob/master/docs/nmap.1#L402 – Ehtesh Choudhury Dec 18 '13 at 01:51
  • `nmap -PR 10.0.1.0/24 -sn` will perform an ARP sweep of the network. [NMAP's website](http://nmap.org/book/man-host-discovery.html) has detailed information on nmap host discovery. I highly recommend you use this as a reference. – Nadeem Douba Jun 01 '15 at 15:10
  • @NadeemDouba `nmap` will automatically detect when it's on a LAN and choose an ARP sweep for its probes. This will be the case even if the user specifies different probe types like `-PE` or `-PS`. In other words, the `-PR` is unnecessary if the OP is actually on the LAN. – wpcarro Oct 06 '16 at 18:53
  • Just want to note that running nmap without `sudo` can give fewer results than expected, see https://security.stackexchange.com/q/74493/124138. – ks1322 Apr 05 '20 at 16:40

8 Answers

This is the simplest way of performing host discovery with nmap.

nmap -sP 192.168.2.1/24

Why does it not work all the time?

When this command runs, nmap tries to ping the given IP address range to check if the hosts are alive. If ping fails, it tries to send SYN packets to port 80 (SYN scan). This is not one hundred percent reliable because modern host-based firewalls block ping and port 80. Windows Firewall blocks ping by default. The hosts you have on the network are blocking ping, and port 80 is not accepting connections. Hence nmap assumes that the host is not up.

So is there a workaround to this problem?

Yes. One of the options that you have is using the -P0 flag, which skips the host discovery process and tries to perform a port scan on all the IP addresses (in this case even vacant IP addresses will be scanned). Obviously this will take a large amount of time to complete the scan even if you are in a small (20-50 hosts) network, but it will give you the results.

The better option would be to specify custom ports for scanning. Nmap allows you to probe specific ports with SYN/UDP packets. It is generally recommended to probe commonly used ports e.g. TCP-22 (ssh) or TCP-3389 (windows remote desktop) or UDP-161 (SNMP).

sudo nmap -sP -PS22,3389 192.168.2.1/24 #custom TCP SYN scan
sudo nmap -sP -PU161 192.168.2.1/24 #custom UDP scan

N.B. Even after specifying custom ports for scanning you may not get an active host. A lot depends on how the host is configured and which services it is using. So you just have to keep probing with different combinations. Remember, do not perform scans on a network without proper authorization.

Update: When scanning a network you can never be sure that a particular command will give you all the desired results. The approach should be to start with a basic ping sweep and, if it doesn't work, try guessing the applications that may be running on the hosts and probe the corresponding ports. The idea of using Wireshark is also interesting. You may want to try sending ACK packets.

nmap -sP -PA21,22,25,3389 192.168.2.1/24 #21 is used by ftp

Update two: The flags -sP and -P0 are now known as -sn and -Pn respectively. However, the older flags are still found to be working in the newer versions.

Ohnana
Shurmajee

  • Although I believe that this is due to the firewall blocking the ping scans, the above commands didn't help. Even the -P0 flag didn't work. – TheRookierLearner May 19 '13 at 21:59
  • I really don't know what's happening, but the command `nmap -sP -PS 192.168.2.1/24` is working (the above command is also working; so answer accepted), and that too under Windows. I don't know what's wrong with Ubuntu. Maybe I need to check the `iptables`. – TheRookierLearner May 20 '13 at 04:08
  • One thing that's worth noting is that when you're in the same broadcast domain as the hosts you're scanning, nmap uses ARP instead of ICMP/SYN scanning. – Rory McCune May 20 '13 at 11:43
  • `-P0` does **not** "try to scan all the ports of a system to check if it is up." Instead, it **skips host discovery**, reporting *everything* as up, and performing whatever port scans you have requested on every IP. Also, as @RoryMcCune notes, Nmap should send ARP requests for this type of scan. Use `nmap --iflist` to check what Nmap thinks about your routing table; it's possible that it is confused and not sending the right probes. If you can't get an ARP reply from an IP, you can't send a TCP or UDP packet, either. – bonsaiviking May 20 '13 at 14:32
  • I guess what @Mayank-Sharma meant was not `-P0` but `-PO`, which sends IGMP, ICMP and IP-in-IP packets and does not scan all the ports. However, I'm not sure. – TheRookierLearner May 20 '13 at 18:26
  • My apologies. I made a mistake in framing the sentence. I have updated the answer as suggested by @bonsaiviking. – Shurmajee May 21 '13 at 06:02
  • @TheRookierLearner This sort of confusion is why `-P0` was deprecated for `-Pn` to mean the same thing. – bonsaiviking May 21 '13 at 11:27
  • This answer has some errors... for example, this: `If ping fails it tries to send syn packets to port 80 (SYN scan)`. It doesn't work like one after the other, and also it sends an `ACK` not a `SYN`. These are *very different*, especially in terms of firewalls and IDS systems. – user1156544 Dec 08 '16 at 03:54
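The answer and comments above turn on one point: nmap only reports a host as up when some discovery probe (ARP on the local segment, otherwise an ICMP or TCP probe) gets an answer, and with -P0/-Pn it reports everything as up without probing. nmap records which reply it got in the `reason` attribute of its XML output (`-oX`). The following Python is an added example, not code from this thread or from the nmap project: it parses a constructed sample of that XML (made-up addresses, MACs and vendor) and lists each live host with the reply type that made nmap count it as up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sn -oX - 192.168.2.0/24` output.
# Addresses, MACs and the vendor string are made up; the "reason" values are
# the strings nmap itself uses (arp-response, echo-reply, syn-ack, no-response).
# With -Pn (the old -P0) every host would instead carry reason="user-set".
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.2.0/24">
  <host><status state="up" reason="arp-response" reason_ttl="0"/>
    <address addr="192.168.2.1" addrtype="ipv4"/>
    <address addr="00:50:56:C0:00:08" addrtype="mac" vendor="VMware"/>
  </host>
  <host><status state="up" reason="echo-reply" reason_ttl="64"/>
    <address addr="192.168.2.10" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="syn-ack" reason_ttl="128"/>
    <address addr="192.168.2.20" addrtype="ipv4"/>
  </host>
  <host><status state="down" reason="no-response" reason_ttl="0"/>
    <address addr="192.168.2.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def live_hosts(xml_text):
    """Return (ip, mac, vendor, reason) for every host nmap marked as up."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that answered no probe are not live hosts
        ip = mac = vendor = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":  # only seen for on-link hosts
                mac, vendor = addr.get("addr"), addr.get("vendor")
        hosts.append((ip, mac, vendor, status.get("reason")))
    return hosts

def reasons_summary(hosts):
    """Count how many live hosts were found by each probe type."""
    counts = {}
    for _, _, _, reason in hosts:
        counts[reason] = counts.get(reason, 0) + 1
    return counts

if __name__ == "__main__":
    for row in live_hosts(SAMPLE_XML):
        print(*row)
```

A real run replaces `SAMPLE_XML` with the contents of `sudo nmap -sn -oX scan.xml <range>`; a summary dominated by `user-set` means discovery was skipped rather than performed.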

The easiest way to check this is to verify the ARP-tables after doing the ping sweep using nmap:

arp -a -n

This lists all hosts which responded to an ARP query, even the ones which filter ICMP.

Teun Vink

  • The results of this command will vary depending on the currently existing ARP entries. – AbsoluteƵERØ May 19 '13 at 21:33
  • This command gets me 5 records on my local network when I have 16 open nodes. – AbsoluteƵERØ May 19 '13 at 21:39
  • Did you do a ping sweep using nmap before checking your arp tables? If not, hosts might be missing. Every node in the network should at least answer to an ARP request when you generate traffic towards it doing the ping sweep. – Teun Vink May 19 '13 at 21:48
  • Devices like Tivo do not respond to pings. Devices like iPads, iPhones, and iPods may not respond to a ping sweep if their screens are locked. Additionally, devices running something other than TCP/IP will not respond to a ping sweep. Wireshark will still show the traffic (like IPX). Additionally, different subnets will also show. – AbsoluteƵERØ May 19 '13 at 22:27
  • Try using Cain and Abel on Windows and use the ARP tools there... – NULLZ May 19 '13 at 22:50
  • @AbsoluteƵERØ Even if the devices don't respond to the actual ping sweep, if they're on the same LAN as the nmapping device, they should respond to the initial ARP request. – lil_cain May 20 '13 at 00:25
  • Nmap already uses this method for "ping" sweeps of the broadcast-local network segment. Run with root privilege and use `-v` for verbose output, and you will see "Initiating ARP Ping Scan". http://nmap.org/book/man-host-discovery.html – bonsaiviking May 20 '13 at 14:35
  • If you have a device that doesn't respond to an ARP request, you're simply out of luck. The only way to detect a device that doesn't respond to ARP requests is to listen to traffic on the gateway. – sk0yern May 20 '13 at 15:21

Wireshark is cool too.

You might want to check out Wireshark. It logs all of the traffic on the local network. It will tell you which nodes are broadcasting. You can also see what is being transmitted. It's available in the Ubuntu Software Center.

Additionally here's a link about installing Wireshark on Ubuntu via command line.

In regard to the traffic that shows in your DHCP routing tables, remember that a lot of virtual machines will show up as separate machines in the list. Anything that's been connected to your network, usually within the default 24-hour lease time (for most WiFi routers), will still show in the list. You might want to check the duration of the leases in the router. It might tell you if someone's on your network overnight. Some devices that have dual NICs, or a NIC and a wireless card, will show up twice if both interfaces are enabled.

Other things that a lot of people forget about being on the network:

  • Managed Switches
  • Some printers
  • Server remote management cards
  • Cell Phones
  • Tivo and other DVRs
  • Apple TVs
  • Some Televisions
  • DVD players
  • Network A/V Receivers
  • Playstations, XBox, Etc.
  • Portable Gaming devices
  • Ipads and other tablets
  • Ipods and music players
  • PDAs
  • IP Phones like Magic Jack Plus

About 6 years ago at the office I was working in our little 3mb connection was down to 128k because of all of the excess traffic. The owners wanted to know if it was possible to see what was going on. The old part time IT guy shrugged his shoulders because not all of the traffic was going through their Windows 2000 server. He checked the routing tables and traffic logs in the server and saw nothing. They weren't using a router strangely enough, so anything on the network could get an address from the modem. The routing tables he looked at in the server were only for static mappings that existed a couple of years prior. I noticed they weren't on the same subnet. Then I showed them DHCP wasn't on in the server.

I found all of the traffic coming in after hours on an overnight sweep with Wireshark. One of my coworkers was unknowingly hosting a Japanese sex site on his machine. The attackers had rooted his machine after he installed a backdoor which came along with a cracked version of a high-end video editing software. We also found out they were running Tor, demonoid, and bitTorrent on various machines in different departments at different times. Wireshark found everything. Next day internet was up to full speed... we also installed a router.

If you're not up for Wireshark you might also want to try tcpdump.

AbsoluteƵERØ

  • Although I certainly agree Wireshark is an awesome tool, it's far from the best choice to solve this case; especially if there's a substantial amount of traffic, it's hard to find all unique hosts. – Teun Vink May 19 '13 at 21:14
  • @TeunVink A note on finding unique hosts. http://ask.wireshark.org/questions/4827/determining-unique-mac-and-ip-addresses-in-a-pcap – AbsoluteƵERØ May 19 '13 at 21:37
  • @AbsoluteƵERØ - That was a very valuable input indeed. I actually used Wireshark to check if the packets that nmap was trying to send were reaching the network or being blocked by the Windows Firewall. Turns out they weren't being blocked on Windows. I've to try on Ubuntu though. – TheRookierLearner May 20 '13 at 18:30
  • → Teun: `wireshark` might seem a heavy tool at first glance. But all in all, to get a complete network `audit` through `nmap` will also require **a lot** of runs: with different ports, at different times of the day, with different protocols… – dan Aug 28 '14 at 15:34
  • Can I get a link to this Japanese sex site, for research purposes? – Apr 19 '20 at 14:12

This bash script will output the IP addresses of all the live hosts on a network.

#!/bin/bash
# Usage: ./livehosts.sh <target range>, e.g. ./livehosts.sh 192.168.1.1/24
# -n skips reverse DNS so the report line carries the bare address; -sP is
# host discovery only (the same as -sn in current nmap).
# Each live host prints as "Nmap scan report for 192.168.1.1": the IP is field 5.
nmap "$1" -n -sP | grep report | awk '{print $5}'

Example Usage

rwilson@rwilson-Aspire-E5-521:~/Scripts/Utils$ 
Mon Jul 27 06:41 AM> ./livehosts.sh 192.168.1.1/24
192.168.1.1
192.168.1.11
192.168.1.12
192.168.1.13
192.168.1.14
192.168.1.15
192.168.1.118
192.168.1.122
192.168.1.123
192.168.1.126
192.168.1.129
192.168.1.133
192.168.1.134
192.168.1.156
192.168.1.159
192.168.1.168
192.168.1.170
Ricky Wilson

  • How is this different from what the OP already did? It looks like all you've done is add grep and awk to simplify the output. – schroeder Jul 27 '15 at 15:53
  • And it's usually not necessary to pipe `grep` into `awk` since `awk` can do that by itself: `nmap $1 -n -sP | awk '/report/ {print $5}'` – Dennis Williamson Feb 18 '21 at 00:46

Once you have administrator privileges (i.e., root), you can use netdiscover(8) with the -r flag to specify a different class and mask. It uses network class C /24 by default.

For example:

$ sudo netdiscover -r 172.16.17.0/24

The output will be something like this:

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 172.16.17.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 172.16.17.2    00:50:56:f9:b9:b6      1      60  VMware, Inc.
 172.16.17.254  00:50:56:fc:e4:76      1      60  VMware, Inc.
Ghedipunk
slayer

Sometimes arp -a -n won't fetch the IP address. Performing nmap -sP 192.168.1.1/24 will retrieve live hosts, and if you try arp again after that, it will show the live hosts. That's how it worked for me in Linux Mint. But you can rely on nmap any day.

PraveenMax

If you also need host fingerprinting and don't mind using a free but closed source tool then fing is another option:

sudo fing -r 1

Compared to nmap 192.168.1.1/24 -n -sP it is significantly faster and will also try to detect device manufacturers from the MAC addresses.

Disclaimer: I have no affiliation with the tool or the company making it, and I have no clue what other things (evil or not) the tool might be doing under the hood. I've used their mobile apps for finding IP's on my LAN and found it useful.

ccpizza

Example for finding hosts on a network:

arp-scan 192.168.12.0/24   # if vlan tagged interface use -Q vlanid

etherape (GUI) shows graphs of network activity.

Some other tools were mentioned above here too.

EdOverflow
rocket

  • Based on my testing in a LAN, `arp-scan` is faster than `netdiscover` and `nmap -sn` for host discovery. – Jun 06 '20 at 09:02