dwj300 Posted April 8, 2009
I am new to nmap and I was wondering if it was possible to specify a MAC address and receive the corresponding IP address. Thanks in advance!
digininja Posted April 8, 2009
Is there any reason you need it doing in nmap? If you just want the MAC address, make a connection to the IP in some way then look in your ARP table:

$ ping 192.168.0.8
PING 192.168.0.8 (192.168.0.8) 56(84) bytes of data.
64 bytes from 192.168.0.8: icmp_seq=1 ttl=64 time=0.172 ms
^C
--- 192.168.0.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.172/0.172/0.172/0.000 ms
$ arp -a
xxx (192.168.0.8) at 00:30:1b:40:xx:xx [ether] on eth0
beakmyn Posted April 8, 2009
> Is there any reason you need it doing in nmap? If you just want the MAC address, make a connection to the IP in some way then look in your ARP table:
>
> $ ping 192.168.0.8
> PING 192.168.0.8 (192.168.0.8) 56(84) bytes of data.
> 64 bytes from 192.168.0.8: icmp_seq=1 ttl=64 time=0.172 ms
> ^C
> --- 192.168.0.8 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 0.172/0.172/0.172/0.000 ms
> $ arp -a
> xxx (192.168.0.8) at 00:30:1b:40:xx:xx [ether] on eth0

I believe what he wants is: what if you don't know the IP address but you know the MAC address? I was trying to figure this out a couple of weeks ago on a device that had "no interface". I'm still looking for something like an ARP ping: ping the MAC and get the IP back.
digininja Posted April 8, 2009
Sorry, got it the wrong way round. So, we have a device where we know the MAC address but not the IP. Is the device sending traffic? If so, then sniff the wire and look for ARP messages; if it isn't sending traffic, then is it possible? I'll have a think.
digip Posted April 8, 2009
ARP will get you the addresses of devices on the local LAN segment if you have spoken to or discovered them, either by communicating with them or pinging their IP, but ARP deals with MAC addresses and will not leave the local LAN segment. You won't be able to ARP past the router or gateway to the internet, for example. If it's a device on the local LAN, log onto the router and you should have a table of connected devices, their MAC address and the IP assigned to each of them. arp -a is only going to show what you are connected to, so while a ping might work, you would 1) have to ping all IP addresses in your network mask, and 2) the machine would have to not disable ICMP echo requests. Otherwise, other methods would be needed to "make them talk", so to speak. My firewall blocks pings, and I don't even show up in my router's table because I manually assign an address to my PC and don't use the router's DHCP. If someone on my LAN were to try to send me something, the router would then discover me and add me to its table. My router only shows devices connected via DHCP, but most other routers do that in addition to any connected device. If you are trying to identify a device outside your LAN segment, you would have to use the IP address, not the MAC, to be able to direct traffic to it.

edit: Also, if you are on Windows, CAIN is pretty good at discovering device IP and MAC addresses via its various bit scans.
SWFu Posted April 8, 2009
Is the MAC address a wireless AP by any chance? You won't be able to scan it until you have connected to it. If it's already on your network you could scan the ranges till you find it.
taiyed14 Posted April 8, 2009
nmap -sP XXX.XX.XX.X/X > aFile.txt
then search the file for the MAC address.
dwj300 (Author) Posted April 8, 2009
> nmap -sP XXX.XX.XX.X/X > aFile.txt
> then search the file for the MAC address.

What is XXX.XX.XX.X/X? Thanks for the quick reply.
digininja Posted April 8, 2009
That is a ping sweep of the XXX.XX.XX.X/X (ip/netmask) subdomain: basically ping everyone, then you have a look at the ARP table to see who has replied and tie their IP to MAC. You can do the same with
ping -b x.x.x.x/y
then
arp -a | grep <your MAC address>
The logic behind all this is to get the NIC to respond at the network layer. To do this it needs to do some work with ARPs, and so your machine will find and cache its MAC address. You can then manually do a lookup between the MAC you have and the IP you want.
digininja Posted April 8, 2009
> nmap -sP XXX.XX.XX.X/X > aFile.txt
> then search the file for the MAC address.

Just a quick addition to this: on my machine you need to be root to get the MAC addresses to show up in the nmap output. A normal user only gets whether the host is up or not; root gets the MAC address and the OUI manufacturer name. Not sure if this is standard or not though.
taiyed14 Posted April 8, 2009
Make sure you run
sudo nmap -sP 192.168.1.0/24 > aFile
if you are running it on Linux. It displays the MAC address if you are not running as a super user/root.

edit: digininja and I came to the same conclusion at roughly the same time. Spot on!
digininja Posted April 8, 2009
I wonder why that is. Showing the MAC address in the results isn't something that should be restricted to root; it is publicly available info through the arp command.
beakmyn Posted April 8, 2009
> I wonder why that is. Showing the MAC address in the results isn't something that should be restricted to root; it is publicly available info through the arp command.

There's also a chance that if you pinged the network's broadcast address all machines on the network would respond, but this may not work due to network equipment configuration. Then you could check your ARP table for the MAC. I'm still trying to find a way to do this also.
digininja Posted April 8, 2009
> That is a ping sweep of the XXX.XX.XX.X/X (ip/netmask) subdomain: basically ping everyone, then you have a look at the ARP table to see who has replied and tie their IP to MAC. You can do the same with
> ping -b x.x.x.x/y
> then
> arp -a | grep <your MAC address>
> The logic behind all this is to get the NIC to respond at the network layer. To do this it needs to do some work with ARPs, and so your machine will find and cache its MAC address. You can then manually do a lookup between the MAC you have and the IP you want.

Sorry, just realised, the ping command should have been
ping -b x.x.x.255
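The sweep-then-ARP-lookup approach described in the two posts above, put together as a script. This is an added example, not code from any poster; it assumes a Linux ping (-c, -W) and either ip neigh or arp -a being available, and the ARP table it demonstrates on is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): populate the ARP cache by pinging every
# host in a /24, then look the known MAC up in the cache to get its IP.
# Assumes Linux ping (-c, -W) and either `ip neigh` or `arp -a`.

# Canonicalise a MAC: lowercase, ':' separators, two hex digits per octet,
# so "0:30:1B:40:AA:BB" and "00-30-1b-40-aa-bb" compare equal.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | tr '-' ':' |
        awk -F: '{ out=""; for (i = 1; i <= NF; i++) { o = $i;
                   if (length(o) == 1) o = "0" o;
                   out = out (i > 1 ? ":" : "") o }; print out }'
}

# Print the IPv4 address paired with MAC $1 in the ARP table text $2.
# Understands both "arp -a" lines ("host (ip) at mac ...") and
# "ip neigh" lines ("ip dev ifname lladdr mac ..."). Prints nothing if absent.
find_ip_in_arp() {
    want=$(norm_mac "$1")
    printf '%s\n' "$2" | while IFS= read -r line; do
        mac=$(printf '%s\n' "$line" |
              grep -oEi '([0-9a-f]{1,2}[:-]){5}[0-9a-f]{1,2}' | head -n 1)
        [ -n "$mac" ] && [ "$(norm_mac "$mac")" = "$want" ] || continue
        printf '%s\n' "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
        break
    done
}

# Ping every host of a /24 in parallel ($1 = first three octets, e.g. 192.168.0).
# A host that drops ICMP still answers the ARP request sent before the echo,
# so it usually lands in the cache even though ping itself reports no reply.
sweep_subnet() {
    i=1
    while [ "$i" -le 254 ]; do
        ping -c 1 -W 1 "$1.$i" >/dev/null 2>&1 &
        i=$((i + 1))
    done
    wait
}

# Live lookup: mac_to_ip 00:30:1b:40:aa:bb 192.168.0
mac_to_ip() {
    sweep_subnet "$2"
    find_ip_in_arp "$1" "$(ip neigh 2>/dev/null || arp -a)"
}

# Constructed ARP table mixing both output formats, for an offline demonstration.
SAMPLE_ARP='? (192.168.0.1) at 00:11:22:33:44:55 [ether] on eth0
nas (192.168.0.8) at 00:30:1b:40:aa:bb [ether] on eth0
192.168.0.9 dev eth0 lladdr 00:30:1b:40:aa:cc REACHABLE
? (192.168.0.20) at <incomplete> on eth0'
find_ip_in_arp '0:30:1B:40:AA:BB' "$SAMPLE_ARP"   # prints 192.168.0.8
```

The sweep only covers the local segment, so a MAC that is not on the same LAN never shows up in the cache, as digip notes above.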
digip Posted April 8, 2009
Is he using Linux? Because ping -b is not an option for Windows users. Also, you can't ping the whole subnet in Windows by default (xx.xx.xx/24, etc.), that's why you use nmap to do it instead:
nmap -PN xx.xx.xx.xx/24
where xx is the network ID and 24 is the default subnet mask (255.255.255.0). Change accordingly. And only if the device replies will it show up.
taiyed14 Posted April 8, 2009
> Is he using Linux? Because ping -b is not an option for Windows users. Also, you can't ping the whole subnet in Windows by default (xx.xx.xx/24, etc.), that's why you use nmap to do it instead:
> nmap -PN xx.xx.xx.xx/24
> where xx is the network ID and 24 is the default subnet mask (255.255.255.0). Change accordingly. And only if the device replies will it show up.

nmap -PN assumes that all hosts are online and will perform a port scan on each host. The question is, given a MAC address, how does one find the IP address? nmap -PN won't be very useful for this.
digip Posted April 9, 2009
> nmap -PN assumes that all hosts are online and will perform a port scan on each host. The question is, given a MAC address, how does one find the IP address? nmap -PN won't be very useful for this.

I do that because some machines do not reply to the ICMP reply, but if say a port is open, you get its IP address and MAC address returned in the scan.
dr0p Posted April 9, 2009
> I do that because some machines do not reply to the ICMP reply, but if say a port is open, you get its IP address and MAC address returned in the scan.

I agree, I always do -PN. Hell, McAfee firewall even blocks responding to ICMP requests and it's terrible.
digip Posted April 9, 2009
> I agree, I always do -PN. Hell, McAfee firewall even blocks responding to ICMP requests and it's terrible.

Thank you... I think -PN is a SYN Stealth scan also.