Login/Register
Nmap not retrieving MAC address and Vendor
Asked Answered
Solved macosnetworkingnmapauditing
O

3

7

I've found a strange behaviour in Nmap (I am using version 5.51 if that matters but I have the same issue with version 5.00), on some networks this plugin does not retrieve MAC address and, consequently, Vendor. The strange thing is that it retrieves almost everything like operating system and so on but it does not print the MAC address. How is that possible? This is the command I use usually:

nmap -A -O 192.168.1.0/24 -oX mynetwork.xml
Off answered 17/5, 2012 at 10:14 Comment(1)
Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask.Bartholomeo
G
15

Nmap can only retrieve the MAC address if you are scanning hosts on the local subnet, directly reachable via layer 2 (ethernet or wifi). When you scan hosts across a router (default gateway), your scanning host will talk to the router on layer 2 when sending/receiving layer 3 packets, and thus, Nmap would only be able to see the router's MAC address, but not the destination host MAC address.

(While it is technically possible under some circumstances to determine the MAC address of a non-local host through protocols such NetBIOS, SNMP etc., and there are NSE scripts for that purpose, Nmap does not generally do that.)

Gourmandise answered 17/5, 2012 at 12:53 Comment(4)
Is there an Nmap script that does what you said in the last sentence? I mean I understand the layer problem but it seems weird that I can find the remote host OS and not his MAC address.Off
OS detection relies on layer 3 and layer 4 characteristics of a host, such as which options, initial values and flags the IP and TCP headers contain. As for scripts, see for example nmap.org/nsedoc/scripts/nbstat.htmlGourmandise
I was looking at the same script, in fact it worked and I retrieved the MAC address, too bad there must be netbios service running on the target host :(Off
it does not work on windows, scanning nmap host (self scanning)Shamrock
A
19

The MAC address is only displayed when the scan is run with root privilege, so be sure to use sudo. As a diagnostic step, try doing a simple ping sweep (sudo nmap -sn 192.168.1.0/24), then immediately check your ARP cache (arp -an). If you don't see a lot of <incomplete>s, then Nmap isn't scanning your subnet properly. If you see 256 <incomplete>, and no MAC addresses, then something is wrong with your network setup, since you aren't seeing ARP responses to the requests Nmap is generating.

Apparition answered 21/5, 2012 at 1:40 Comment(8)
I guess Daniel is right, I can't see a single <incomplete>, actually I already tryed before both arp and tcpdump with no luck. TCPDump confirms the hypothesis because it only sees the default gateway MAC address on ICMP packets.Off
Doing a simple ping sweep (using nmap -sn <network>) doesn't require root, so no sudo needed thereBeograd
Doing a simple ping sweep (using nmap -sn <network>) doesn't require root, so no sudo needed thereBeograd
@Beograd True, but the question was why MAC address is not shown. Part 1 of answer was: use sudo. Part 2 was: if that does not work, check arp cache to diagnose. It doesn't make sense to diagnose a different scan than the one that is having problems.Apparition
@Apparition I'm referring specifically to your sudo nmap -sn 192.168.1.0/24 command. The sudo is not required there to do a simple ping sweepBeograd
@Beograd True, it is not. But it is required to do an ARP ping sweep in such a way that Nmap is able to display MAC addresses. The user wants to see MAC addresses. The first suggestion is to use sudo, since Nmap cannot display MAC addresses without it. If that does not work, then performing the minimum amount of work (-sn and no other options) to test the ARP ping feature (requiring sudo) is the appropriate action. Not using sudo would give the user neither the MAC addresses nor any useful diagnostic information about the ARP scan.Apparition
When you are a privileged user, the ping sweep -sn , executes an ICMP echo, TCP ping with SYN and ACK and also an ICMP timestamp. When an unprivileged user scans, he only executes a TCP connect scan. That's one of the reasons -sn appears to fall short at times.Minneapolis
it does not work on windows, scanning nmap host (self scanning)Shamrock
G
15

Nmap can only retrieve the MAC address if you are scanning hosts on the local subnet, directly reachable via layer 2 (ethernet or wifi). When you scan hosts across a router (default gateway), your scanning host will talk to the router on layer 2 when sending/receiving layer 3 packets, and thus, Nmap would only be able to see the router's MAC address, but not the destination host MAC address.

(While it is technically possible under some circumstances to determine the MAC address of a non-local host through protocols such NetBIOS, SNMP etc., and there are NSE scripts for that purpose, Nmap does not generally do that.)

Gourmandise answered 17/5, 2012 at 12:53 Comment(4)
Is there an Nmap script that does what you said in the last sentence? I mean I understand the layer problem but it seems weird that I can find the remote host OS and not his MAC address.Off
OS detection relies on layer 3 and layer 4 characteristics of a host, such as which options, initial values and flags the IP and TCP headers contain. As for scripts, see for example nmap.org/nsedoc/scripts/nbstat.htmlGourmandise
I was looking at the same script, in fact it worked and I retrieved the MAC address, too bad there must be netbios service running on the target host :(Off
it does not work on windows, scanning nmap host (self scanning)Shamrock
S
0

I was also having a lack of MAC address and vendor reporting with version 5.61TEST5, but I just installed version 6.00 and all seems to be working again, so you may want to try that now.

Slake answered 7/6, 2012 at 3:8 Comment(1)
I tryed Nmap 6 yesterday but still no luck on retrieving mac addresses over VPN :(Off

© 2022 - 2024 — McMap. All rights reserved.