101

How can I issue an nmap command that shows me the IP addresses and corresponding hostnames of all the alive machines in the LAN I am connected to? (If this can be done in another way or with another tool, you are surely welcome to answer.)

şaloma

11 Answers

109

nmap versions lower than 5.30BETA1:

nmap -sP 192.168.1.*

newer nmap versions:

nmap -sn 192.168.1.*

This gives me hostnames along with IP addresses, and only pings the hosts to discover them. This will only give you the hostnames if you run it as root.

EDIT: As of Nmap 5.30BETA1 [2010-03-29] -sP has been replaced with -sn as the preferred way to do ping scans, while skipping port scanning, just like the comments indicate:

Previously the -PN and -sP options were recommended. This establishes a more regular syntax for some options that disable phases of a scan:

  • -n no reverse DNS
  • -Pn no host discovery
  • -sn no port scan
Cheesebaron
    +1 with the caveat that this only returns machines which respond to ICMP. Any machine specifically blocking ICMP will not show up – Matt Simmons Jun 22 '10 at 20:59
  • 14
    @MattSimmons If nmap is run as `root` and the IPs are from local network (the server is member of the subnet), then ARP requests are sent. So it *will* detect any alive machines because nobody really blocks ARP packets. Oh, and with new `nmap` versions it's `-sn` (although `-sP` will work too). – Hubert Kario May 19 '12 at 22:24
  • 6
    I'm not getting any hostnames with this command. Suggestions? – daviesgeek Aug 15 '12 at 05:53
  • @daviesgeek Tried running it as root? – Cheesebaron Aug 15 '12 at 07:38
  • 6
    @Cheesebaron Ah. That's it. I would suggest adding that, as without it, it won't show the hostnames. – daviesgeek Aug 15 '12 at 17:19
  • For me, the `-sL` option suffices here instead of `-sP`. This simply lists the hosts in the network(s) given to `nmap` and does reverse-DNS lookups on each address so that hostnames can be shown as well. – GDP2 Nov 28 '16 at 23:38
9
nmap -sP 192.168.1.0/24

Note that name resolution is only as good as the reverse-DNS population is. Also note that this won't get you systems which are firewalled against ping (which practically every Windows workstation is by default).

If you are local to the systems (ie on the same subnet) you can do something like

for i in $(seq 1 254); do arping -c 1 192.168.1.$i | grep reply; done

...but weird things happen to me sometimes when I wrap arping up in a loop. Also you have to do the lookup yourself, with something like

dig +short -x $IP
David Mackintosh
4

You can scan an entire subnet; you can use wildcards as well.

nmap 192.168.8.*

or

nmap 192.168.8.1/24
Jubal
4

Nmap will return the reverse lookup of the IP address in question; it can't return the forward-lookup name, or names in the case of web servers doing name-based virtual hosting. Nmap isn't the tool for this.

sysadmin1138
2

nmap -sP 192.168.0.0/24 will output something like:

> nmap -sP 192.168.0.0/24

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2010-06-22 22:27 CEST
Host 192.168.0.0 appears to be up.
Host 192.168.0.1 appears to be up.
Host abcd.domain.tld (192.168.0.2) appears to be up.
Host def.domain.tld (192.168.0.3) appears to be up.
Host fdsf.domain.tld (192.168.0.4) appears to be up.
Host reht.domain.tld (192.168.0.5) appears to be up.
Host vcxbfd.domain.tld (192.168.0.6) appears to be up.
Host ezqs.domain.tld (192.168.0.7) appears to be up.
Host 192.168.0.8 appears to be up.
Host ilolio.domain.tld (192.168.0.9) appears to be up.
Host ipbd.domain.tld (192.168.0.10) appears to be up.
Host cdekf.domain.tld (192.168.0.11) appears to be up.
Host 192.168.0.12 appears to be up.
Host 192.168.0.13 appears to be up.
Host 192.168.0.14 appears to be up.
Host 192.168.0.15 appears to be up.
Host ainv.domain.tld (192.168.0.16) appears to be up.
Host 192.168.0.17 appears to be up.
Host 192.168.0.18 appears to be up.
Host wzdkz.domain.tld (192.168.0.19) appears to be up.
[…]
Nmap finished: 256 IP addresses (256 hosts up) scanned in 7.491 seconds
radius
    How can I learn the machine name? I get the hostnames as follows: `dhcp-186-241.abc.dk dhcp-186-250.abc.dk ....` For example, when I issue `hostname` in an Ubuntu terminal I get `infestor-pc`, but nmap shows my hostname as `dhcp-186-250.abc.dk`. Is there a way to see the 'friendly' hostname? – şaloma Jun 22 '10 at 20:37
  • 1
    No, the only way would be to register the computers' names in the DNS – radius Jun 22 '10 at 21:02
2

You can use the following command :

nmap -v -A $IP
EviLiNsiDe
2

if this can be done in another way/tool you surely are welcome to answer

You can simply use the arp command like this:

$ arp -a
0

Since there is no given IP for the LAN we could assume it is 192.168, but that's not always the case, so the first thing is to discover our IP address and our subnet mask.

Use ifconfig for this, and a regexp to clean up the results.

Now, assuming your IP is 192.168.0.100 and your mask is 255.255.255.0, you can scan 1-254 like so:

nmap -sn 192.168.0.1-254
or
nmap -sn 192.168.0.0/24

To see hostnames and MAC addresses as well, run this as root; otherwise all the scans run as a non-privileged user and have to do a TCP connect (complete 3-way handshake) to get anything. As root, you run a SYN scan and don't have to finish the 3-way handshake.

This is basically what you need to answer your question and get what you wanted. There is a wealth of parameters but each serves a special purpose.

----edit

I've just noticed hostname. You can use a service discovery scan, since it will execute several scripts (one of which is nbstat.nse) and will return hostnames. Don't expect to get the hostnames of all the machines that you scan.

nmap -sV target

Or you can just run the specific nbstat.nse script and save time and effort.

nmap -sU -p137 --script nbstat.nse target

nbstat.nse uses UDP port 137. In some cases you might also get the hostname from SNMP using the snmp-interfaces script but that will require UDP port 161 to be open.

nmap -sU -p161 --script snmp-interfaces.nse target
nassim
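The first half of the answer above (find your own address and netmask, then scan that network) as an added Python example; this is not code from the answer or from nmap. The interface text it parses is constructed sample output shaped like `ip -o -4 addr show` and `ifconfig` (both the current `inet X netmask Y` layout and the older `inet addr:X ... Mask:Y` one), so the block runs offline; fed the real output of either command it computes the nmap target from whatever mask the interface actually has, which is where the `1-254` shortcut goes wrong for anything other than a /24.

```python
import ipaddress
import re

# Constructed sample output (not captured from a real machine). The first
# string is shaped like `ip -o -4 addr show`, the second like `ifconfig`
# in its current and its older Linux layout, covering a /24, a /22 and a /25.
IP_ADDR_SAMPLE = (
    "2: eth0    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth0"
    "\\       valid_lft forever preferred_lft forever\n"
)
IFCONFIG_SAMPLE = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.20.4.77  netmask 255.255.252.0  broadcast 10.20.7.255
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
wlan0     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:172.16.9.200  Bcast:172.16.9.255  Mask:255.255.255.128
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

IP_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+(?:\.\d+){3}/\d+)", re.M)
INET_RE = re.compile(r"inet (?:addr:)?(\d+(?:\.\d+){3}).*?(?:netmask|Mask:)\s*(\S+)")


def normalize_mask(mask):
    """Accept a dotted mask, a prefix length, or a BSD-style hex mask (0xffffff00)."""
    if mask.lower().startswith("0x"):
        return str(ipaddress.IPv4Address(int(mask, 16)))
    return mask


def interfaces_from_ip_addr(text):
    """(name, IPv4Interface) for each line of `ip -o -4 addr show` output."""
    return [(m.group(1), ipaddress.ip_interface(m.group(2)))
            for m in IP_ADDR_RE.finditer(text)]


def interfaces_from_ifconfig(text):
    """(name, IPv4Interface) for each IPv4 address in `ifconfig` output.

    A line that starts in column 0 names a new interface; indented `inet`
    lines carry its addresses. IPv6 `inet6` lines are ignored.
    """
    found, name = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            name = line.split()[0].rstrip(":")
            continue
        m = INET_RE.search(line)
        if m and name:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{normalize_mask(m.group(2))}")
            found.append((name, iface))
    return found


def lan_candidates(interfaces):
    """Drop loopback and link-local (169.254/16) addresses; there is nothing to scan there."""
    return [(n, i) for n, i in interfaces
            if not i.ip.is_loopback and not i.ip.is_link_local]


def plan_scan(iface):
    """Describe the nmap ping scan that covers exactly the subnet of `iface`.

    The CIDR form is used rather than a `.1-254` range: for a /22 the range
    would miss three quarters of the subnet, for a /25 it would spill into
    the neighbouring /25. Network and broadcast addresses are excluded so
    that broadcast-ping replies do not show up as a phantom host.
    """
    net = iface.network
    if net.num_addresses < 4:  # /31 or /32: no network/broadcast to exclude
        return {"network": str(net), "hosts": net.num_addresses,
                "command": f"nmap -sn {net}"}
    command = f"nmap -sn {net} --exclude {net.network_address},{net.broadcast_address}"
    plan = {"network": str(net), "hosts": net.num_addresses - 2, "command": command}
    if net.prefixlen != 24:
        plan["warning"] = f"/{net.prefixlen} subnet: a .1-254 range would not match it"
    return plan


if __name__ == "__main__":
    for name, iface in lan_candidates(interfaces_from_ip_addr(IP_ADDR_SAMPLE)
                                      + interfaces_from_ifconfig(IFCONFIG_SAMPLE)):
        print(name, iface, plan_scan(iface))
```

Run it as is to see the three constructed interfaces resolved to their networks, or replace the two sample strings with the output of the real commands. The `--exclude` of the network and broadcast address is the CIDR equivalent of the answer's `1-254`; the sample output in the radius answer, which reports 192.168.0.0 as up, is the kind of noise it keeps out of the list.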
0

The best and fastest way to ping all IPs in the local net is by disabling DNS reverse resolution.

Use:
nmap -sn 192.168.1.1-255

This will scan all 255 hosts in the IP range 192.168.1.1 - 192.168.1.255.

If you want an easily parseable file,

Use:
nmap -sn -oG Name.txt 192.168.1.1-255

squillman
spetzz
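The grepable file from the answer above, and the `nmap -sn` ping scan the accepted answer recommends, as an added Python example of turning that output into the IP/hostname list the question asks for; this is not code from any answer or from nmap. The `-oG` text below is a constructed sample (not a real capture) in the `Host: <ip> (<name>)<tab>Status: Up` layout nmap writes, with an empty name where reverse DNS returned nothing and one `Status: Down` line of the kind `-v` adds. The reverse-lookup step is the `dig +short -x` idea from the arping answer, done with `socket.gethostbyaddr`; it is injectable so the rest runs offline.

```python
import ipaddress
import re
import socket

# Constructed sample of what `nmap -sn -v -oG lan.gnmap 192.168.1.0/24` writes
# (not a real capture). Comment lines start with `#`; each live host gets a
# `Host:` line with its reverse-DNS name in parentheses, empty if there is none.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Tue Jun 22 20:27:11 2010 as: nmap -sn -v -oG lan.gnmap 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.2 ()\tStatus: Down
Host: 192.168.1.23 (infestor-pc.lan)\tStatus: Up
# Nmap done at Tue Jun 22 20:27:14 2010 -- 256 IP addresses (3 hosts up) scanned in 2.91 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def parse_gnmap(text):
    """One {"ip", "hostname", "status"} dict per Host: line, sorted numerically by IP."""
    records = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            records.append({"ip": m.group(1), "hostname": m.group(2), "status": m.group(3)})
    return sorted(records, key=lambda r: ipaddress.ip_address(r["ip"]))


def alive_hosts(records):
    """Keep only hosts nmap marked Up (with -v, Down hosts are listed too)."""
    return [r for r in records if r["status"] == "Up"]


def reverse_lookup(ip):
    """PTR lookup through the system resolver, like `dig +short -x`.

    Needs network access; returns "" when there is no PTR record.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


def fill_missing_hostnames(records, resolver=reverse_lookup):
    """Copy of `records` with empty hostnames filled in by `resolver(ip)`.

    The resolver is a parameter so the logic can be exercised offline with
    a stub; by default it asks the system resolver.
    """
    filled = []
    for r in records:
        r = dict(r)
        if not r["hostname"]:
            r["hostname"] = resolver(r["ip"])
        filled.append(r)
    return filled


def as_table(records):
    """Two columns, IP and hostname, with `-` standing in for an unknown name."""
    return "\n".join(f"{r['ip']:<16}{r['hostname'] or '-'}" for r in records)


if __name__ == "__main__":
    hosts = alive_hosts(parse_gnmap(SAMPLE_GNMAP))
    print(as_table(fill_missing_hostnames(hosts)))
```

Point `parse_gnmap` at the contents of the `-oG` file from a real scan to get the same table for your LAN; the names it can fill in are still only whatever the reverse zone holds, which is the limitation several answers above point out.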
-1

I think you should run this:

sudo nmap -sU --script nbstat.nse -p137 10.10.10.*
user9517
  • This doesn't add anything over the existing answers, and moreover will only find Windows hosts with sharing enabled. Certainly more specific than the OP wanted. – Scott Pack Oct 24 '12 at 14:40
  • Will still work with Network Sharing disabled. Only requires Network Discovery be enabled, which is the default for Private networks. – John Homer Sep 10 '14 at 13:55
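The NetBIOS node-status query that `nbstat.nse` sends to UDP/137, as used in the answer above and in the nassim answer's hostname edit, built and parsed by hand in Python as an added example; this is not nmap's script or any answer's code. The packet layout follows RFC 1001/1002 (NODE STATUS REQUEST for the wildcard name `*`, NODE STATUS RESPONSE carrying the name table and adapter MAC). The response used to exercise the parser is constructed here (names and MAC are invented); `query_node_status` sends a real query and needs a reachable host. This is what returns the "friendly" name asked about in the comments on the radius answer, independent of DNS, and only from hosts that answer NetBIOS at all.

```python
import socket
import struct

NBSTAT_TYPE = 0x0021
CLASS_IN = 0x0001
GROUP_FLAG = 0x8000          # high bit of NAME_FLAGS: group name rather than unique
SUFFIX_WORKSTATION = 0x00    # a unique <00> name is the computer name; group <00> is the workgroup


def encode_netbios_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then spell each nibble as a letter A..P. The wildcard '*'
    is padded with NULs, ordinary names with spaces."""
    pad = b"\x00" if name == b"*" else b" "
    raw = name.ljust(15, pad) + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(encoded) + b"\x00"


def build_nbstat_query(transaction_id):
    """The 50-byte NODE STATUS REQUEST for '*' that nbstat.nse sends to UDP/137."""
    header = struct.pack(">HHHHHH", transaction_id, 0x0000, 1, 0, 0, 0)
    question = encode_netbios_name(b"*") + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)
    return header + question


def parse_nbstat_response(data):
    """Pull the name table and adapter MAC out of a NODE STATUS RESPONSE.

    Layout (RFC 1002 4.2.18): 12-byte header, the echoed RR_NAME, type, class,
    TTL, RDLENGTH, then NUM_NAMES entries of 15-byte name + suffix + 2 flag
    bytes, followed by statistics that start with the 6-byte UNIT_ID (MAC).
    """
    tid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a NetBIOS response carrying an answer")
    pos = 12
    while data[pos]:                 # skip the length-prefixed RR_NAME labels
        pos += 1 + data[pos]
    pos += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("answer is not an NBSTAT record")
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[pos:pos + 15], data[pos + 15]
        nflags = struct.unpack(">H", data[pos + 16:pos + 18])[0]
        names.append({"name": raw.rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix, "group": bool(nflags & GROUP_FLAG)})
        pos += 18
    mac = data[pos:pos + 6]
    return {"transaction_id": tid, "names": names,
            "mac": ":".join(f"{b:02x}" for b in mac)}


def machine_name(parsed):
    """The 'friendly' hostname: the unique (non-group) <00> entry, or None."""
    for n in parsed["names"]:
        if n["suffix"] == SUFFIX_WORKSTATION and not n["group"]:
            return n["name"]
    return None


def build_nbstat_response(transaction_id, names, mac):
    """Constructed reply used to exercise the parser offline; mirrors the layout above."""
    entries = b"".join(
        name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", GROUP_FLAG if group else 0)
        for name, suffix, group in names)
    rdata = bytes([len(names)]) + entries + mac + b"\x00" * 40   # remaining statistics zeroed
    header = struct.pack(">HHHHHH", transaction_id, 0x8400, 0, 1, 0, 0)
    rr = encode_netbios_name(b"*") + struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def query_node_status(ip, timeout=2.0, transaction_id=0x1337):
    """Send the query to a live host (needs network access and UDP/137 reachable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(transaction_id), (ip, 137))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_response(data)
```

Unlike `nmap -sU`, sending this from an ordinary UDP socket needs no root; a host that does not run NetBIOS over TCP/IP simply never answers, so loop it over the alive hosts from a ping scan with a short timeout rather than over the whole range.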
-1

Try this. Example IP range: 10.1.0.0 - 10.1.255.255

nmap -sV -T4 -O 10.1.*.*
Elshan