How to print all the port's status with nmap? - nmap

I use nmap in order to test an external embedded device.
Nmap gives different output/results when the port range increases.
For example:
nmap -sT -p 1-10 10.39.123.456
//print all the port's status
nmap -sT -p 1-1000 10.39.123.456
//nmap shows only the open ports
Is it possible to avoid this?
Regards

Nmap hides "uninteresting" port statuses (usually closed and filtered) when there are too many of them; it prints a line like Not shown: 987 closed ports in this case. You can increase the threshold where Nmap decides to collapse uninteresting statuses by increasing the verbosity (-v) or debug (-d) levels. At debug level 3 (-d3), all ports will be shown regardless of state.

You should try this
nmap -sT -p- 10.39.123.456

Related

Down hosts are shown as up when all 256 hosts are scanned in aggregate

When I used
nmap -sP IP/24 -v,
nmap scanned for around 5 minutes. Then it reported that all 256 hosts are up.
But when I used
nmap -sP *.*.*.253 -v
it said the host wasn't up.
What's going on here?
You can use nmap -sO -v IP/24.
-sO means IP protocol scan.
You can also see which machines are open in this scan.

Nmap script not executed

I'm sure it's something simple but I can't figure it out. I have an nmap command like the following, because I want to test the tool with my website
nmap -p80 --system-dns --script http-wordpress-plugins.nse legault.cc
The output is the following
Starting Nmap 7.11 ( https://nmap.org ) at 2016-03-24 20:42 Eastern Daylight Time
Nmap scan report for legault.cc (192.254.232.221)
Host is up (0.092s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds
It seems to me that the script should run, because the port is open, WordPress is installed correctly and the login page is at /wp-login.php
Advice would be greatly appreciated!
The http-wordpress-plugins script was renamed to http-wordpress-enum in version 6.49. If you still have the old script, it may not work the same with the current version of Nmap. The new version works for me with that target. You can use the -d option to see debugging output from the script that may be helpful.

Nmap - in one command discover both UDP and TCP at the same time?

I need to discover the port 161 both UDP and TCP in big networks. And the results must have the output I chose below.
In order to discover TCP I use
nmap -T4 -sS -p T:161 -iL c:\input.txt -oN c:\output.txt --append-output --open
In order to discover UDP I use
nmap -T4 -sU -p 161 -iL c:\input.txt -oN c:\output.txt --append-output --open
I am looking for a command that will combine both of them. I need a list of both TCP and UDP results in one command, one result.
Is it possible? How?
Nmap allows you to combine scan types into a single scan, as long as you don't choose scan types that target the same protocols (e.g. -sST, which would request a TCP SYN and TCP Connect scan, an illegal combination). So your combined scan would be:
nmap -T4 -sSU -p 161 -iL c:\input.txt -oN c:\output.txt --append-output --open
Unrelated note: If you have the disk space, I would highly recommend switching the -oN option for -oA or just adding -oX to get XML output. Lots of security tools can process this structured output and produce meaningful results. Plus, you don't have to worry when Nmap's screen output changes (which it does fairly regularly) and breaks your parsing scripts, since the XML is a much more stable and naturally extensible format.
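The following is an added example, not code from this thread or from the Nmap project. It serves two points raised above: the first question (Nmap collapsing uninteresting ports into a "Not shown: N closed ports" line) and this answer's recommendation to post-process XML rather than screen output. It parses a hand-constructed, trimmed nmaprun document in the shape Nmap writes for nmap -sSU -p T:1-1000,U:161 -oX - 10.0.0.1 10.0.0.2 (hosts, ports and states are invented), rebuilds the state of every scanned port per protocol from scaninfo and extraports, and extracts what --open would have printed.

```python
"""Rebuild the state of every scanned port from Nmap XML output (-oX).

Added example, not code from the original thread or from the Nmap project.
SAMPLE_XML is a constructed, trimmed nmaprun document in the shape Nmap writes
for: nmap -sSU -p T:1-1000,U:161 -oX - 10.0.0.1 10.0.0.2 (results invented)."""
import xml.etree.ElementTree as ET

# Constructed sample: 10.0.0.1 has one collapsed state (998 closed TCP ports);
# 10.0.0.2 has two (990 closed + 9 filtered), which Nmap reports only as counts.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sSU -p T:1-1000,U:161 -oX - 10.0.0.1 10.0.0.2">
  <scaninfo type="syn" protocol="tcp" numservices="1000" services="1-1000"/>
  <scaninfo type="udp" protocol="udp" numservices="1" services="161"/>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="998"><extrareasons reason="reset" count="998"/></extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="990"><extrareasons reason="reset" count="990"/></extraports>
      <extraports state="filtered" count="9"><extrareasons reason="no-response" count="9"/></extraports>
      <port protocol="tcp" portid="161"><state state="open" reason="syn-ack"/></port>
      <port protocol="udp" portid="161"><state state="open" reason="udp-response"/></port>
    </ports>
  </host>
</nmaprun>
"""

OPEN_STATES = {"open", "open|filtered", "unfiltered"}  # the states --open keeps


def parse_port_list(spec):
    """Expand an Nmap port list such as '1-1000,3389' into a sorted list of ints."""
    ports = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return sorted(ports)


def host_port_states(host, scanned):
    """Return {(proto, port): (state, reason)} for every scanned port of one host.

    Explicitly listed ports keep their own state; the rest get the <extraports>
    state.  Nmap writes one <extraports> per collapsed state without saying which
    hidden port is which, so with two or more they are marked 'not-shown' rather
    than guessed (rerun with -d3 to make Nmap list every port)."""
    states = {}
    ports = host.find("ports")
    if ports is None:
        return states
    for p in ports.findall("port"):
        st = p.find("state")
        states[(p.get("protocol"), int(p.get("portid")))] = (st.get("state"), st.get("reason"))
    hidden = [(proto, port) for proto, plist in scanned.items()
              for port in plist if (proto, port) not in states]
    extra = ports.findall("extraports")
    declared = sum(int(e.get("count")) for e in extra)
    if declared != len(hidden):  # catches a truncated or hand-edited file
        raise ValueError(f"extraports count {declared} != {len(hidden)} unlisted ports")
    if len(extra) == 1:
        reasons = extra[0].findall("extrareasons")
        fill = (extra[0].get("state"),
                reasons[0].get("reason") if len(reasons) == 1 else "not-shown")
    else:
        fill = ("not-shown", "not-shown")
    for key in hidden:
        states[key] = fill
    return states


def port_states(xml_text):
    """Map each host address to its complete per-port state table."""
    root = ET.fromstring(xml_text)
    scanned = {si.get("protocol"): parse_port_list(si.get("services"))
               for si in root.findall("scaninfo")}
    return {host.find("address").get("addr"): host_port_states(host, scanned)
            for host in root.findall("host")}


def open_ports(results):
    """Per host, the sorted (proto, port, state) triples --open would have printed."""
    return {addr: sorted((proto, port, st) for (proto, port), (st, _) in table.items()
                         if st in OPEN_STATES)
            for addr, table in results.items()}
```

Run port_states(SAMPLE_XML) to get all 1000 TCP states plus the UDP result for each host; open_ports() on that gives the same rows --open prints, with open|filtered UDP ports included. Swap SAMPLE_XML for the contents of the -oX file to use it on real output; the count check raises if the file was cut short by an interrupted scan.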

How to find a machine that is listening to a particular port on a LAN using nmap?

I just installed nmap (never used it before). I want to see which machine on the network is listening to port 1234. How can I do that using the GUI of nmap?
nmap -v -A -p 1234 192.168.1.1-255
This command will scan your entire subnet.
The officially supported (and included!) GUI for Nmap is Zenmap. It uses Profiles to choose common options, but the command line is clearly editable, as well. To get started, choose the Regular Scan profile, which removes the extra timing and scan mode arguments. Then, enter your target in the Target box. To scan a local network, you can use CIDR notation (e.g. 10.10.0.0/16) or octet ranges (e.g. 10.10.0-255.0-255).
To scan just one port, use the -p option with the port number. It is usually helpful to specify verbose output, too, with -v. Altogether, your command line will look something like this:
nmap -p 1234 -v 10.10.10.0/24
Then click the Scan button to begin scanning.
This worked for me
nmap -p 1234 -A -v 10.10.*.*

is it possible to get the MAC address for machine using nmap

I have a list of remote machines in a text file. Can I know their MAC addresses using nmap?
If you're using nmap, MAC addresses are only available if you're on the same network segment as the target. Newer versions of nmap will only show the MAC address to you if you're running as root.
i.e.:
sudo nmap -sP -n 192.168.0.0/24
Use the snmp-interfaces.nse Nmap script (written in Lua) to get the MAC address of a remote machine like this:
nmap -sU -p 161 -T4 -d -v -n -Pn --script snmp-interfaces 80.234.33.182
Completed NSE at 13:25, 2.69s elapsed
Nmap scan report for 80.234.33.182
Host is up, received user-set (0.078s latency).
Scanned at 2014-08-22 13:25:29 Arab Standard Time (winter) for 3s
PORT STATE SERVICE REASON
161/udp open snmp udp-response
| snmp-interfaces:
| eth
| MAC address: 00:50:60:03:81:c9 (Tandberg Telecom AS)
| Type: ethernetCsmacd Speed: 10 Mbps
| Status: up
| Traffic stats: 1.27 Gb sent, 53.91 Mb received
| lo
| Type: softwareLoopback Speed: 0 Kbps
| Status: up
|_ Traffic stats: 4.10 Kb sent, 4.10 Kb received
In current releases of nmap you can use:
sudo nmap -sn 192.168.0.*
This will print the MAC addresses of all available hosts. Of course, provide your own network, subnet and host IDs.
Further explanation can be found here.
Some scripts give you what you're looking for. If the nodes are running Samba or Windows, nbstat.nse will show you the MAC address and vendor.
sudo nmap -sU --script=nbstat.nse -p137 --open 172.192.10.0/23 -oX 172.192.10.0.xml | grep MAC | awk -F";" '{print $4}'
if $ ping -c 1 192.168.x.x
returns
1 packets transmitted, 1 received, 0% packet loss, time ###ms
then you could possibly return the MAC address with arping, but ARP only works on your local network, not across the internet.
$ arping -c 1 192.168.x.x
ARPING 192.168.x.x from 192.168.x.x wlan0
Unicast reply from 192.168.x.x [AA:BB:CC:##:##:##] 192.772ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
Finally, you could use the AA:BB:CC with the colons removed to identify a device from its vendor ID, for example:
$ grep -i '709E29' /usr/local/share/nmap/nmap-mac-prefixes
709E29 Sony Interactive Entertainment
nmap can discover the MAC address of a remote target only if
the target is on the same link as the machine nmap runs on, or
the target leaks this information through SNMP, NetBIOS etc.
Another possibility comes with IPv6: if the target uses EUI-64 identifiers, the MAC address can be deduced from the IP address.
Apart from the above possibilities, there is no reliable way to obtain the MAC address of a remote target with network scanning techniques.
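The arping answer above looks up a vendor prefix in nmap-mac-prefixes, and this answer mentions recovering a MAC from an EUI-64 IPv6 identifier. The following is an added example, not code from the thread: it undoes the Modified EUI-64 construction from RFC 4291 Appendix A (drop the inserted ff:fe, flip the 0x02 bit of the first byte) and resolves the OUI against a constructed two-line excerpt in the format of Nmap's nmap-mac-prefixes file (uppercase hex prefix, a space, vendor name, '#' comment lines). The sample addresses are invented; on a real system read /usr/share/nmap/nmap-mac-prefixes or /usr/local/share/nmap/nmap-mac-prefixes instead of the embedded excerpt.

```python
"""Derive a MAC address from an EUI-64 IPv6 interface identifier and look up
its vendor prefix.  Added example, not code from the thread or from Nmap."""
import ipaddress

# Constructed excerpt in nmap-mac-prefixes format; the two entries are the
# vendors quoted elsewhere in this thread, not the real file.
MAC_PREFIXES = """# Nmap MAC prefix list (constructed excerpt)
0013D4 Asustek Computer
709E29 Sony Interactive Entertainment
"""


def mac_from_eui64(addr):
    """Return 'aa:bb:cc:dd:ee:ff' if the low 64 bits of addr look like a
    Modified EUI-64 built from a MAC, else None.

    Privacy addresses (RFC 4941), stable-privacy addresses (RFC 7217) and
    manually numbered hosts carry no MAC, so the ff:fe marker is absent."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02          # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def load_prefixes(text):
    """Parse nmap-mac-prefixes-style text into {OUI: vendor}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, vendor = line.partition(" ")
        table[prefix.upper()] = vendor.strip()
    return table


def vendor_of(mac, table):
    """Look up the first three octets of mac (any separator) in table."""
    oui = mac.replace(":", "").replace("-", "").upper()[:6]
    return table.get(oui)


if __name__ == "__main__":
    table = load_prefixes(MAC_PREFIXES)
    for a in ("fe80::213:d4ff:fe0f:f0c1", "2001:db8::729e:29ff:fe01:2345", "2001:db8::1"):
        mac = mac_from_eui64(a)
        print(a, "->", mac, vendor_of(mac, table) if mac else "(no EUI-64 identifier)")
```

An address whose interface identifier merely happens to contain ff:fe in the right place will also pass the check, so treat the result as a hint to confirm on the local link rather than as proof of the hardware address.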
Yes, remember to use the root account.
=======================================
qq#peliosis:~$ sudo nmap -sP -n xxx.xxx.xxx
Starting Nmap 6.00 ( http://nmap.org ) at 2016-06-24 16:45 CST
Nmap scan report for xxx.xxx.xxx
Host is up (0.0014s latency).
MAC Address: 00:13:D4:0F:F0:C1 (Asustek Computer)
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
I'm not cool enough to be able to comment on a post, so I guess I need to make a new post.
However, the above recommendation of
"sudo nmap -sn 192.168.0.0/24"
is the best, quickest method to get all the MACs for the IPs on your local network/VLAN/subnet.
What the OP doesn't mention is that the only way to get the MAC address this way is that you MUST use sudo (or other superuser privs, i.e. Windows admin). The command
nmap -sn 192.168.0.0/24
will discover hosts on your network, but will not return the MACs, as you are not in SU mode of operation.
Just the standard scan will return the MAC.
nmap -sS target
With the recent version of nmap 6.40, it will automatically show you the MAC address. example:
nmap 192.168.0.1-255
This command will scan your network from 192.168.0.1 to 192.168.0.255 and will display the hosts on your network with their MAC addresses.
In case you want to display the MAC address for a single client, use this command; make sure you are root or use "sudo":
sudo nmap -Pn 192.168.0.1
this command will display the host MAC address and the open ports.
hope that is helpful.
Not using nmap... but this is an alternative...
arp -n|grep -i B0:D3:93|awk '{print $1}'