nmap find all alive hostnames and IPs in LAN

nmap

How can I issue a nmap command that shows me all the alive machines' IP addresses and corresponding hostname s in the LAN that I am connected? (if this can be done in another way/tool you surely are welcome to answer)


nmap versions lower than 5.30BETA1:

nmap -sP 192.168.1.*

newer nmap versions:

nmap -sn 192.168.1.*

This gives me hostnames along with IP adresses, and only pings the hosts to discover them. This will only give you the hostnames if you run it as root.

EDIT: As of Nmap 5.30BETA1 [2010-03-29] -sP has been replaced with -sn as the preferred way to do ping scans, while skipping port scanning, just like the comments indicate:

Previously the -PN and -sP options were recommended. This establishes a more regular syntax for some options that disable phases of a scan:

  • -n no reverse DNS
  • -Pn no host discovery
  • -sn no port scan

nmap -sP 192.168.1.0/24

Note that name resolution is only as good as the reverse-dns population is. Also note that this won't get you systems which are firewalled against ping (which practically every windows workstation is by default).

If you are local to the systems (ie on the same subnet) you can do something like

for i in `seq 1 254` ; do arping -c 1 192.168.1.$i | grep reply ; done

...but weird things happen to me sometimes when I wrap arping up in a loop. Also you have to do the lookup yourself, with something like

dig +short -x $IP

You can scan an entire subnet, can use wildcards also.

nmap 192.168.8.*

or

nmap 192.168.8.1/24

NMAP will return the 'reverse-lookup' of the IP address in question, it can't return the forward lookup address. Or addresses in the case of Web Servers doing name-based virtual hosting. Nmap isn't the tool for this.


nmap -sP 192.168.0.0/24 will output something like :

> nmap -sP 192.168.0.0/24

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2010-06-22 22:27 CEST
Host 192.168.0.0 appears to be up.
Host 192.168.0.1 appears to be up.
Host abcd.domain.tld (192.168.0.2) appears to be up.
Host def.domain.tld (192.168.0.3) appears to be up.
Host fdsf.domain.tld (192.168.0.4) appears to be up.
Host reht.domain.tld (192.168.0.5) appears to be up.
Host vcxbfd.domain.tld (192.168.0.6) appears to be up.
Host ezqs.domain.tld (192.168.0.7) appears to be up.
Host 192.168.0.8 appears to be up.
Host ilolio.domain.tld (192.168.0.9) appears to be up.
Host ipbd.domain.tld (192.168.0.10) appears to be up.
Host cdekf.domain.tld (192.168.0.11) appears to be up.
Host 192.168.0.12 appears to be up.
Host 192.168.0.13 appears to be up.
Host 192.168.0.14 appears to be up.
Host 192.168.0.15 appears to be up.
Host ainv.domain.tld (192.168.0.16) appears to be up.
Host 192.168.0.17 appears to be up.
Host 192.168.0.18 appears to be up.
Host wzdkz.domain.tld (192.168.0.19) appears to be up.
[…]
Nmap finished: 256 IP addresses (256 hosts up) scanned in 7.491 seconds

Related

Why can't MX records point to an IP address?
How to make PuTTY settings persistent? [closed]
Why hasn't rsync caught on in the Windows world? [closed]
What range of MAC addresses can I safely use for my virtual machines?
How to make bash scripts print out every command before it executes?
How do I prevent apache from serving the .git directory?
How to filter http traffic in Wireshark?
In systemd, what's the difference between After= and Requires=?
How to prevent a user from login in, but allow "su - user" in Linux?
Is it better practice to buy RAID disks individually vs. in bulk?
Why does my OpenSSH key fingerprint not match the AWS EC2 console keypair fingerprint?
Differences and dis/advanages between: Fast-CGI, CGI, Mod-PHP, SuPHP, PHP-FPM