Nmap has a handy feature that allows you to list all IP addresses in a subnet. The -sL option lists every IP address that is a target on the Nmap command line.
Multiple subnets can be listed as targets for Nmap, so you can, for example, give 3 subnets as targets and with the -sL parameter get a list of the IPs in all of them.
Another relevant parameter controls whether a reverse DNS lookup is performed on each of the IP addresses being listed. Use the -n option to force no DNS lookups.
Below we have listed the IP addresses in the target subnet.
-sL with no reverse DNS lookups
testsystem:~$ nmap -sL -n 192.168.1.0/30
Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds
grep | cut
In the second example the results are piped through grep and cut to extract just the IP addresses we wanted in our list. Additionally, a second target range has been added to the target list. The target list can contain hostnames, IP addresses, subnets or a range of IPs such as
testsystem:~$ nmap -sL -n 192.168.2.1/32, 192.168.1.0/30 | grep 'Nmap scan report for' | cut -f 5 -d ' '
192.168.2.1
192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3
Want to list 4 billion IP addresses? Use the very same command with 0.0.0.0/0 as the target to list every possible IPv4 address.
testsystem:~$ nmap -sL -n 0.0.0.0/0 | grep 'Nmap scan report for' | cut -f 5 -d ' '
0.0.0.0
0.0.0.1
0.0.0.2
0.0.0.3
0.0.0.4
***** ctrl-c, listing all IP addresses will waste a lot of pixels ******
The commands in the above examples send no packets to the target systems; Nmap is simply listing the IP addresses in the subnet. If, however, we do not use -n, the command will attempt to resolve each IP address, which takes longer and sends reverse DNS queries (to your resolver, not to the targets).
Further targeting parameters that may be of use
When selecting a large range of targets you may wish to specifically exclude some IP addresses. For example, you could scan a subnet and use the --exclude parameter to not scan an IP within that range.
Use a DNS server different from the default to perform the reverse DNS lookups.
Select targets from a file using the -iL option. The file can contain IP addresses, subnets and hostnames, one per line, to feed into Nmap. From this file we could create a full list of all IP addresses.
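As an added example (not part of the original post), the following POSIX shell functions turn nmap -sL output into a bare list of IPv4 addresses, which is the step the grep | cut pipeline above performs. They also cover the case the post's cut -f 5 does not: when -n is omitted and an address has a PTR record, Nmap prints "Nmap scan report for router.lan (192.168.1.1)", so field 5 is the hostname rather than the address. The sample output, the hostnames router.lan and printer.lan, and the exclude list are constructed for this example; the drop_excluded filter applies an --exclude-style list to output that has already been captured, rather than at scan time.

```shell
#!/bin/sh
# Added example, not from the original post: parse "nmap -sL" output
# into one IPv4 address per line, handling both line formats Nmap emits.
#   with -n:     Nmap scan report for 192.168.1.1
#   without -n:  Nmap scan report for router.lan (192.168.1.1)
# The post's "cut -f 5 -d ' '" trick only works for the first form.

# Read nmap -sL output on stdin, print one IPv4 address per line.
# The first expression handles the "hostname (ip)" form, the second
# the bare-address form; neither matches the banner or "Nmap done" lines.
extract_ips() {
    sed -n \
        -e 's/^Nmap scan report for .* (\([0-9.]*\))$/\1/p' \
        -e 's/^Nmap scan report for \([0-9.]*\)$/\1/p'
}

# Drop addresses listed (one per line) in the exclude file $1.
# -x matches whole lines, -F treats entries literally, -v inverts.
drop_excluded() {
    grep -vxF -f "$1"
}

# Constructed sample: what "nmap -sL 192.168.1.0/30" (no -n) might print
# when two of the addresses have PTR records. Fabricated for this example,
# not captured from a real scan.
SAMPLE_OUTPUT='Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST
Nmap scan report for 192.168.1.0
Nmap scan report for router.lan (192.168.1.1)
Nmap scan report for printer.lan (192.168.1.2)
Nmap scan report for 192.168.1.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds'

# How many entries the post's cut pipeline returns as hostnames instead of
# addresses on the sample (i.e. lines that are not purely digits and dots).
count_cut_misses() {
    printf '%s\n' "$SAMPLE_OUTPUT" | grep 'Nmap scan report for' \
        | cut -f 5 -d ' ' | grep -vc '^[0-9.]*$'
}

# Extracted addresses from the sample, joined with single spaces.
list_sample_ips() {
    printf '%s\n' "$SAMPLE_OUTPUT" | extract_ips | tr '\n' ' ' | sed 's/ $//'
}

# Same, with 192.168.1.0 and 192.168.1.3 removed via a constructed exclude file.
list_sample_ips_excluded() {
    excl=$(mktemp)
    printf '192.168.1.0\n192.168.1.3\n' > "$excl"
    printf '%s\n' "$SAMPLE_OUTPUT" | extract_ips | drop_excluded "$excl" \
        | tr '\n' ' ' | sed 's/ $//'
    rm -f "$excl"
}

# Real usage against a live listing (needs nmap installed; not run here):
#   nmap -sL -n -iL targets.txt | extract_ips | drop_excluded exclude.txt
# Listing with -n still sends no packets to the targets; only without -n
# does each address generate a reverse DNS query to your resolver.
```

Without -n, the pipeline in the post silently returns names for resolved addresses, so any tooling fed by it (exclude lists, scope files) should be built from the -n listing or from the parenthesised address as done here. The regular expressions are IPv4-only; IPv6 targets would need a broader character class.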