
I notice that nmap -sn no longer provides the MAC address for remote hosts, as discussed in Can I use nmap to discover IPs and mac addresses?

I would like to get something like netdiscover output: just the IP and MAC address only.

Nmap version 7.80

wolf@linux:~$ nmap -V
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu

e.g.

wolf@linux:~$ nmap -sn -oG - 10.10.10.*
# Nmap 7.80 scan initiated Wed May 20 12:38:57 2020 as: nmap -sn -oG - 10.10.10.*
Host: 10.10.10.1 () Status: Up
Host: 10.10.10.2 () Status: Up
Host: 10.10.10.3 () Status: Up
# Nmap done at Wed May 20 12:38:59 2020 -- 256 IP addresses (3 hosts up) scanned in 2.25 seconds
wolf@linux:~$ 
Wolf

2 Answers


For this, run nmap as root.

Note that the behavior of -sn differs depending on whether or not you are root:

-sn (No port scan)

This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.

Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.

The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified. The -sn option can be combined with any of the discovery probe types (the -P* options, excluding -Pn) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.

In previous releases of Nmap, -sn was known as -sP.

Source: nmap manual

Another indirect way of doing it would be to ping each host and then check your ARP table.

Kate
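The "ping each host, then check your ARP table" route from the answer above, written out as an added example (it is not part of Kate's answer and not nmap's code). It assumes Linux with iputils ping and iproute2 (ip neigh), and a /24 given by its first three octets such as 10.10.10; the ip neigh output embedded in it is a constructed sample, and the function names ping_sweep and arp_ip_mac are this example's own.

```shell
#!/bin/sh
# Added example (not from the answer above): force ARP resolution for every
# address in a /24 with a parallel ping sweep, then read the IP/MAC pairs back
# out of the kernel neighbour table. Assumes Linux (iputils ping, iproute2).

# ping_sweep PREFIX: one echo request per address, in the background, output
# discarded. Replies are not needed: the ARP request that precedes each ping
# is what fills the table, so hosts that drop ICMP still get an entry.
ping_sweep() {
    prefix=$1
    i=1
    while [ "$i" -le 254 ]; do
        ping -c 1 -W 1 "$prefix.$i" >/dev/null 2>&1 &
        i=$((i + 1))
    done
    wait
}

# arp_ip_mac: read `ip neigh show` output on stdin, print "IP MAC" for entries
# that actually resolved. FAILED/INCOMPLETE entries carry no lladdr and are
# dropped; IPv6 neighbours are skipped so the list stays netdiscover-like.
arp_ip_mac() {
    awk '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 2; i < NF; i++)
                if ($i == "lladdr") { printf "%-15s %s\n", $1, $(i + 1); break }
        }
    '
}

# Constructed sample of `ip neigh show`, including a FAILED entry and an IPv6
# entry, so the filter can be exercised without root or a network.
SAMPLE='10.10.10.1 dev eth0 lladdr aa:aa:aa:aa:aa:01 REACHABLE
10.10.10.2 dev eth0 lladdr aa:aa:aa:aa:aa:02 STALE
10.10.10.3 dev eth0 lladdr aa:aa:aa:aa:aa:03 DELAY
10.10.10.44 dev eth0  FAILED
fe80::1 dev eth0 lladdr aa:aa:aa:aa:aa:01 router REACHABLE'

if [ "${1:-}" = "--live" ]; then
    ping_sweep "${2:?usage: $0 --live PREFIX}"
    ip neigh show | arp_ip_mac
else
    printf '%s\n' "$SAMPLE" | arp_ip_mac
fi
```

Run it as `sh arp-sweep.sh --live 10.10.10` for a real sweep; without arguments it only filters the embedded sample. Like nmap's ARP discovery, this only ever sees hosts on the same Ethernet segment, and neighbour entries age out, so read the table straight after the sweep.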

First of all, you won't be able to see the MAC address if -oG - is being used (even with root/sudo).

user@linux:~$ sudo nmap -n -sn 10.10.10.* -oG -
# Nmap 7.60 scan initiated Sat May 29 12:10:09 2020 as: nmap -n -sn -oG - 10.10.10.*
Host: 10.10.10.1 () Status: Up
Host: 10.10.10.2 () Status: Up
Host: 10.10.10.3 () Status: Up
# Nmap done at Sat May 29 12:10:11 2020 -- 256 IP addresses (3 hosts up) scanned in 2.31 seconds
user@linux:~$ 

Second, even after -oG - is removed, you still won't be able to see the MAC address.

user@linux:~$ nmap -n -sn 10.10.10.*

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-29 12:11 +00
Nmap scan report for 10.10.10.1
Host is up (0.00086s latency).
Nmap scan report for 10.10.10.2
Host is up (0.0020s latency).
Nmap scan report for 10.10.10.3
Host is up (0.00082s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.71 seconds
user@linux:~$ 

Run it as root or with sudo so that nmap can send raw packets in order to get the remote MAC address:

user@linux:~$ sudo nmap -n -sn 10.10.10.*

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-29 12:11 +00
Nmap scan report for 10.10.10.2
Host is up (0.00022s latency).
MAC Address: AA:AA:AA:AA:AA:02 (NIC manufacturer here)
Nmap scan report for 10.10.10.1
Host is up (-0.100s latency).
MAC Address: AA:AA:AA:AA:AA:01 (NIC manufacturer here)
Nmap scan report for 10.10.10.3
Host is up (0.00061s latency).
MAC Address: AA:AA:AA:AA:AA:03 (NIC manufacturer here)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.60 seconds
user@linux:~$ 
Sabrina