is it possible to get the MAC address for machine using nmap

S

11

46

I have a list of remote machines in a text files. Can I know their MAC addresses using nmap ?

Shiller answered 3/11, 2012 at 18:28 Comment(2)

It may help you: #10634253 Please, read anserver. – Satem 3/11, 2012 at 18:30

Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. – Scandinavia 20/6, 2017 at 17:32

S

75

If you're using nmap, MAC addresses are only available if you're on the same network segment as the target. Newer versions of nmap will only show the MAC address to you if you're running as root.

i.e.:

sudo nmap -sP -n 192.168.0.0/24

Sculpture answered 4/1, 2013 at 21:44 Comment(4)

Just to clarify: you don't need to use any specific option. If you run nmap as root (e.g. with sudo), it already gives MAC addresses, if it can (you need to be on same subnet of your targets). – Condyloma 25/9, 2014 at 13:0

This attempt did not answer the question. nmap -sP does not show the MAC address. – Parisparish 5/1, 2019 at 17:1

it does not work on windows.. no mac return – Gubernatorial 8/6, 2021 at 13:2

Note that this does not show any mac address if you are scanning an address belonging to an interface of your own computer, it is a trap if you are not paying attention – Haeres 9/7, 2021 at 15:2

J

23

Use snmp-interfaces.nse nmap script (written in lua) to get the MAC address of remote machine like this:

nmap -sU -p 161 -T4 -d -v -n -Pn --script snmp-interfaces 80.234.33.182

Completed NSE at 13:25, 2.69s elapsed
Nmap scan report for 80.234.33.182
Host is up, received user-set (0.078s latency).
Scanned at 2014-08-22 13:25:29 Арабское время (зима) for 3s
PORT    STATE SERVICE REASON
161/udp open  snmp    udp-response
| snmp-interfaces: 
|   eth
|     MAC address: 00:50:60:03:81:c9 (Tandberg Telecom AS)
|     Type: ethernetCsmacd  Speed: 10 Mbps
|     Status: up
|     Traffic stats: 1.27 Gb sent, 53.91 Mb received
|   lo
|     Type: softwareLoopback  Speed: 0 Kbps
|     Status: up
|_    Traffic stats: 4.10 Kb sent, 4.10 Kb received

Jan answered 22/8, 2014 at 9:30 Comment(2)

This worked for me, thanks a lot. Running: - Mac OS 10.11 - nmap installed using brew I was able to find the mac address of a linux box remotely. – Dreamworld 21/10, 2015 at 15:59

-sU is UDP -p snmp port --script snmp-interfaces Only this works fine to me. – Pastorship 24/5, 2019 at 13:12

H

17

In current releases of nmap you can use:

sudo nmap -sn 192.168.0.*

This will print the MAC addresses of all available hosts. Of course provide your own network, subnet and host id's.

Further explanation can be found here.

Heterolecithal answered 29/11, 2016 at 14:53 Comment(3)

sudo is important. Without sudo, you won't get the MAC address output line. – Anisaanise 9/7, 2017 at 22:40

it does not work on windows.. no mac return – Gubernatorial 8/6, 2021 at 13:2

Doesn't work on my Ubuntu 20 LTS - Nmap version 7.80 – Avaavadavat 10/9, 2021 at 19:8

Q

5

if $ ping -c 1 192.168.x.x

returns

1 packets transmitted, 1 received, 0% packet loss, time ###ms

then you could possibly return the MAC address with arping, but ARP only works on your local network, not across the internet.

$ arping -c 1 192.168.x.x

ARPING 192.168.x.x from 192.168.x.x wlan0
Unicast reply from 192.168.x.x [AA:BB:CC:##:##:##]  192.772ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

finally you could use the AA:BB:CC with the colons removed to identify a device from its vendor ID, for example.

$ grep -i '709E29' /usr/local/share/nmap/nmap-mac-prefixes 
709E29 Sony Interactive Entertainment

Quiddity answered 12/1, 2017 at 16:33 Comment(0)

P

4

Some scripts give you what you're looking for. If the nodes are running Samba or Windows, nbstat.nse will show you the MAC address and vendor.

sudo nmap -sU -script=nbstat.nse -p137 --open 172.192.10.0/23 -oX 172.192.10.0.xml | grep MAC * | awk -F";" {'print $4'}

Pierian answered 9/1, 2014 at 18:45 Comment(1)

This answer was a God sent for identifying a rogue VPN client. THANKS!!! But you don't need the xml output, grep, or awk. – Territerrible 24/9, 2014 at 10:27

L

4

nmap can discover the MAC address of a remote target only if

the target is on the same link as the machine nmap runs on, or
the target leaks this information through SNMP, NetBIOS etc.

Another possibility comes with IPv6 if the target uses EUI-64 identifiers, then the MAC address can be deduced from the IP address.

Apart from the above possibilities, there is no reliable way to obtain the MAC address of a remote target with network scanning techniques.

Lowell answered 29/8, 2014 at 11:36 Comment(0)

F

3

Yes, remember using root account.

=======================================

qq@peliosis:~$ sudo nmap -sP -n xxx.xxx.xxx

Starting Nmap 6.00 ( http://nmap.org ) at 2016-06-24 16:45 CST

Nmap scan report for xxx.xxx.xxx

Host is up (0.0014s latency).

MAC Address: 00:13:D4:0F:F0:C1 (Asustek Computer)

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Fiske answered 24/6, 2016 at 8:48 Comment(1)

-sP is now known as -sn ("no port scan", ie. just do ping scan) – Pathetic 15/5, 2018 at 23:30

S

3

I'm not cool enough to be able to comment on a post. so I guess I need to make a new post. However the above recommendation of "sudo nmap -sn 192.168.0.0/24" is the best quickest method to get the all the MACs for the IPs on your local network/vlan/subnet What the OP doesnt mention, is the only way to get the MAC address this way, you MUST use sudo(or other super user privs i.e. windows admin) the command nmap -sn 192.168.0.0/24 will discover hosts on your network, however will not return the MACs as you are not in SU mode of operation.

Satterfield answered 9/1, 2017 at 19:17 Comment(0)

O

1

With the recent version of nmap 6.40, it will automatically show you the MAC address. example:

nmap 192.168.0.1-255

this command will scan your network from 192.168.0.1 to 255 and will display the hosts with their MAC address on your network.

in case you want to display the mac address for a single client, use this command make sure you are on root or use "sudo"

sudo nmap -Pn 192.168.0.1

this command will display the host MAC address and the open ports.

hope that is helpful.

Oligocene answered 23/7, 2014 at 11:56 Comment(0)

C

1

Just the standard scan will return the MAC.

nmap -sS target

Centurial answered 28/8, 2014 at 23:47 Comment(5)

Only if the target is on the same link. – Lowell 29/8, 2014 at 11:31

what do you mean same link? Same subnet? – Centurial 29/8, 2014 at 12:8

Yes. The terms link, subnet, LAN, network segment, and broadcast domain all mean the same. – Lowell 29/8, 2014 at 13:23

@Lowell if you say so :) – Centurial 29/8, 2014 at 16:14

it does not work on windows.. no mac return – Gubernatorial 8/6, 2021 at 13:1

D

1

Not using nmap... but this is an alternative...

arp -n|grep -i B0:D3:93|awk '{print $1}'

During answered 14/8, 2015 at 15:29 Comment(1)

Wow so simple and so effective – Avaavadavat 10/9, 2021 at 19:21

Recommended topics

Hot tags