18

Is there a way to scan for free IPs on the network? I use nmap -sP 192.168.1.0/24 but this actually shows hosts that are up.

HTF
  • 3,050
  • 14
  • 49
  • 78
  • 10
    doesn't respond to ping doesn't necessarily mean unused. – Grant Apr 04 '14 at 13:34
  • 1
    You want an IPAM scanner, not nmap. – TheCleaner Apr 04 '14 at 13:39
  • 2
    @Grant Nmap's host discovery scan (sometimes called "ping scan") sends lots of different probes, not just ICMP Echo Requests. For addresses on the same data link, it uses ARP requests, which are basically impossible to ignore. – bonsaiviking Apr 04 '14 at 13:59
  • 1
    You should also remember that hosts that are not powered on will also show up as not having an IP address. – Tero Kilkanen Apr 04 '14 at 14:07

4 Answers4

31

Using Nmap like this is a fairly accurate way of doing what you asked, provided that some preconditions are true:

  1. You must run the scan as root (or Administrator on Windows) in order to send ARP requests, not TCP connections. Otherwise the scan may report an address as "down" when it is simply firewalled.
  2. You can only do this from a system on the same data link (layer 2) as the address range you are scanning. Otherwise, Nmap will need to use network-layer probes which can be blocked by a firewall.

In order to get the "available" addresses, you need to get the list of addresses that Nmap reports as "down." You can do this with a simple awk command:

sudo nmap -v -sn -n 192.168.1.0/24 -oG - | awk '/Status: Down/{print $2}'

Summary of Nmap options used:

  • When you use the -v option, Nmap will print the addresses it finds as "down" in addition to the ones that are "up".
  • Instead of -sP, I've substituted the newer spelling -sn, which still accomplishes the same scan, but means "skip the port scan" instead of the misleading "Ping scan" (since the host discovery phase does not necessarily mean an ICMP Echo scan or Ping).
  • The -n option skips reverse DNS lookups, which buys you a bit of time, since you aren't interested in names but just IP addresses.
  • The -oG option tells Nmap to output grepable format, which is easier for awk to process. The argument "-" tells it to send this output to stdout.

The awk command then searches for "Status: Down" and prints the second field, containing the IP address.

Of course, if you have access to the switch's running configs or the DHCP server's leases, you could get this answer much more authoritatively without doing a scan that could set off security alarms.

bonsaiviking
  • 4,355
  • 16
  • 26
1

Not sure about n-map, but one could reasonably assume that if you write a ping script that sends 1 ping to each address that any hosts that come back with "destination unreachable" is unoccupied, and anything that comes back "request time out" is occupied but not responding to ping. The difference between the two responses is that "destination unreachable" did not receive a response to its ARP request. "Request time out" means something did respond to the ARP request, but not the ICMP packet.

MartinC
  • 345
  • 1
  • 3
  • 11
1

Here is another one inspired by Anders Larsson

for ip in 172.18.5.{129..254}; do { ping -c 1 -W 1 $ip ; } &> /dev/null || echo $ip & done | sort

Which it means: "Try to ping all the Ips in the range. If the "ping" fails print that IP"

If you do

nmap -v -sn -n 192.168.1.0/24 -oG - | awk '/Status: Down/{print $2}'

Works fast, but I noticed some hosts reported as "Down" are actually "Up"

Radu Gabriel
  • 111
  • 2
  • I have tried your code and it works fine. Could you please explain the behavior in backgrounnd (&) of the code {ping -c 1 -W 1 $ ip; } &> / dev / null || echo $ ip &. I know that & runs the code in the background, but I don't understand how it works in your code. Can you point me a link where to find documentation on the use you have made of &? – famedoro Sep 22 '21 at 07:41
  • It is basically parallel computing in bash. For each IP address, tries to ping it. It creates a new process for each command `ping -c 1 -W 1 $ip ` , if the ping fails means that IP does not exist. Here is a good guide: http://mywiki.wooledge.org/ProcessManagement#I_want_to_process_a_bunch_of_files_in_parallel.2C_and_when_one_finishes.2C_I_want_to_start_the_next._And_I_want_to_make_sure_there_are_exactly_5_jobs_running_at_a_time. – Radu Gabriel Sep 22 '21 at 11:11
0

Here's the same thing in PowerShell....

((nmap -v -sn -n 10.208.2.0/24 -oG - ) -match "Status\:\sDown") | foreach {($_).Split(" ")[1]}
gsarnold
  • 11
  • 1