Nmap help


dwj300

Is there any reason you need it doing in nmap? If you just want the MAC address, make a connection to the IP in some way, then look in your ARP table:

$ ping 192.168.0.8
PING 192.168.0.8 (192.168.0.8) 56(84) bytes of data.
64 bytes from 192.168.0.8: icmp_seq=1 ttl=64 time=0.172 ms
^C
--- 192.168.0.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.172/0.172/0.172/0.000 ms
$ arp -a
xxx (192.168.0.8) at 00:30:1b:40:xx:xx [ether] on eth0


I believe what he wants is: what if you don't know the IP address but you know the MAC address? I was trying to figure this out a couple of weeks ago on a device that had "no interface". I'm still looking for something like an ARP ping: ping the MAC and get the IP back.


Sorry, got it the wrong way round.

So, we have a device where we know the MAC address but not the IP. Is the device sending traffic? If so, sniff the wire and look for ARP messages. If it isn't sending traffic, then is it possible? I'll have a think.


ARP will get you the addresses of devices on the local LAN segment if you have spoken to or discovered them, either by communicating with them or pinging their IP, but ARP deals with MAC addresses and will not leave the local LAN segment. You won't be able to ARP past the router or gateway to the internet, for example. If it's a device on the local LAN, log onto the router and you should have a table of connected devices, their MAC address and the IP assigned to each of them.

ARP -a is only going to show what you are connected to, so while a ping might work, you would 1) have to ping all IP addresses in your network mask, and 2) the machine would have to not disable ICMP echo requests. Otherwise, other methods would be needed to "make them talk", so to speak. My firewall blocks pings, and I don't even show up in my router's table because I manually assign an address to my PC and don't use the router's DHCP. If someone on my LAN were to try to send me something, the router would then discover me and add me to its table. My router only shows devices connected via DHCP, but most other routers do that in addition to any connected device.

If you are trying to identify a device outside your LAN segment, you would have to use the IP address, not the MAC, to be able to direct traffic to it.

Edit: Also, if you are on Windows, CAIN is pretty good at discovering device IP and MAC addresses via its various bit scans.


That is a ping sweep of the XXX.XX.XX.X/X (ip/netmask) subdomain: basically ping everyone, then have a look at the arp table to see who has replied and tie their IP to MAC. You can do the same with

ping -b x.x.x.x/y

then

arp -a |grep <your MAC address>

The logic behind all this is to get the NIC to respond at the network layer. To do this it needs to do some work with ARP, and so your machine will find and cache its MAC address. You can then manually do a lookup between the MAC you have and the IP you want.
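As an added example (not code from any poster in this thread), a POSIX shell script that does what this post describes, and also covers the ICMP-blocked case raised later in the thread: ping every address in a /24 on your own LAN so the ARP cache fills, then look the MAC up in `arp -a` output. It assumes Linux `ping` (`-c`/`-W`) and the `arp -a` line format shown earlier in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a /24 on your own LAN so every
# live host answers an ARP request, then map a known MAC to its IP from the
# local ARP cache. Assumes Linux ping and the arp -a format shown above.

# Lower-case a MAC and zero-pad each octet ("0:30:1B:40:AB:CD" becomes
# "00:30:1b:40:ab:cd") so user input and cache entries compare equal.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        for (i = 1; i <= NF; i++) {
            o = $i; if (length(o) < 2) o = "0" o
            printf "%s%s", (i > 1 ? ":" : ""), o
        }
        print ""
    }'
}

# Read arp -a style lines on stdin; print the IP of every entry whose MAC
# matches $1. Incomplete entries (no MAC yet) are skipped.
mac_to_ip() {
    want=$(norm_mac "$1")
    while IFS= read -r line; do
        ip=$(printf '%s\n' "$line" | sed -n 's/.*(\([0-9.]*\)).*/\1/p')
        mac=$(printf '%s\n' "$line" | sed -n 's/.* at \([0-9a-fA-F:]*\) .*/\1/p')
        if [ -n "$mac" ] && [ "$(norm_mac "$mac")" = "$want" ]; then
            printf '%s\n' "$ip"
        fi
    done
    return 0
}

# Ping every host of a /24 (e.g. sweep 192.168.0) in parallel. The ICMP
# replies are irrelevant: the ARP request/reply needed to send each ping
# is what fills the cache, so hosts that drop ICMP echo still show up.
sweep() {
    i=1
    while [ "$i" -le 254 ]; do
        ping -c 1 -W 1 "$1.$i" >/dev/null 2>&1 &
        i=$((i + 1))
    done
    wait
}

# Usage: find_ip 192.168.0 00:30:1b:40:ab:cd
find_ip() {
    sweep "$1"
    arp -a | mac_to_ip "$2"
}
```

Only hosts on the same LAN segment can ever appear, since ARP does not cross the router.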


nmap -sP XXX.XX.XX.X/X > aFile.txt

then search the file for the MAC address

Just a quick addition to this: on my machine you need to be root to get the MAC addresses to show up in the nmap output. A normal user only gets whether the host is up or not; root gets the MAC address and the OUI manufacturer name.

Not sure if this is standard or not though.


Make sure you run sudo nmap -sP 192.168.1.0/24 > aFile if you are running it on Linux. It displays the MAC address if you are not running as a super user/root.

Edit: digininja and I came to the same conclusion at roughly the same time. Spot-on!


I wonder why that is. Showing the MAC address in the results isn't something that should only be restricted to root, it is publicly available info through the arp command.

There's also a chance that if you pinged the network's broadcast address, all machines on the network would respond. But this may not work due to network equipment configuration. Then you could check your ARP table for the MAC. I'm still trying to find a way to do this also.


Sorry, just realised the ping command should have been

ping -b x.x.x.255


Is he using Linux? Because ping -b is not an option for Windows users. Also, you can't ping the whole subnet in Windows by default (xx.xx.xx/24, etc.); that's why you use nmap to do it instead.

"nmap -PN xx.xx.xx.xx/24" where xx is the network ID and 24 is the default subnet mask (255.255.255.0). Change accordingly. And only if the device replies will it show up.


nmap -PN assumes that all hosts are online and will perform a port scan on each host. The question is, given a MAC address, how does one find the IP address? nmap -PN won't be very useful for this.


I do that because some machines do not reply to the ICMP reply, but if, say, a port is open, you get its IP address and MAC address returned in the scan.


I agree, I always do -PN. Hell, McAfee firewall even blocks responding to ICMP requests and it's terrible.


Thank you...

I think -PN is a SYN Stealth scan also.
