
List all IPs in Subnet with Nmap

Nmap has a handy feature that allows you to list all IP addresses in a subnet. The -sL option lists every IP address covered by the targets given on the Nmap command line.

Multiple subnets can be listed as targets for Nmap. For example, you can give 3 subnets as targets and, with the -sL parameter, get a list of IPs for all of the listed subnets.

Another relevant parameter is whether you want a reverse DNS lookup performed on each of the IP addresses being listed. Use the -n option to force no DNS lookups.

In this example we have listed the IP addresses in the target subnet with no reverse DNS lookups.


testsystem:~$ nmap -sL -n

Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST
Nmap scan report for
Nmap scan report for
Nmap scan report for
Nmap scan report for
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds

In the second example the results are piped through grep and cut to extract just the IP addresses we wanted in our list. Additionally a second target range has been added to the target list. The target list can contain hostnames, IP addresses, subnets or a range of IPs such as

testsystem:~$ nmap -sL -n, | grep 'Nmap scan report for' | cut -f 5 -d ' '

Want to list 4 billion IP addresses? Use the very same command to list all possible IPv4 addresses target

testsystem:~$ nmap -sL -n | grep 'Nmap scan report for' | cut -f 5 -d ' '
***** ctrl-c, listing all IP addresses will waste a lot of pixels ******

The commands in the above examples send no packets to the target systems; Nmap is simply listing the IP addresses in the subnet. If, however, we do not use -n, the command will attempt to resolve each IP address. This will take longer and will send DNS queries.
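
The grep and cut pipeline above returns the fifth field, which is the address only when -n is used; with reverse DNS enabled Nmap prints a resolved host as "name (address)". The following is an added example, not part of the original page, that extracts the address in both cases. The function names and the sample output (documentation address range 192.0.2.0/24) are constructed for illustration.

```shell
#!/bin/sh
# Added example: pull only the addresses out of `nmap -sL` output on stdin,
# whether or not reverse DNS lookups were disabled with -n.
#   with -n:     Nmap scan report for 192.0.2.1
#   without -n:  Nmap scan report for gw.example.net (192.0.2.1)

# The pipeline shown on the page: field 5 is the address only when -n is used.
page_pipeline() {
    grep 'Nmap scan report for' | cut -f 5 -d ' '
}

# Variant that always returns the address.
list_ips() {
    awk '/^Nmap scan report for / {
        addr = $NF                # last field: bare IP or "(IP)"
        gsub(/[()]/, "", addr)    # drop the parentheses around a resolved host
        print addr
    }'
}

# Constructed sample of list-scan output run WITHOUT -n, where one address
# has a PTR record and the others do not. Not taken from a real scan.
sample_output() {
    cat <<'EOF'
Starting Nmap ( http://nmap.org )
Nmap scan report for 192.0.2.0
Nmap scan report for gw.example.net (192.0.2.1)
Nmap scan report for 192.0.2.2
Nmap scan report for 192.0.2.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds
EOF
}

echo "cut -f 5 (hostname leaks into the list):"
sample_output | page_pipeline
echo "last field with parentheses stripped:"
sample_output | list_ips
```

In real use, pipe the output of the nmap -sL command into list_ips in place of sample_output.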

Further targeting parameters that may be of use

  • When selecting a large range of targets you may wish to specifically exclude some IP addresses. For example, you could scan a subnet and use the --exclude parameter to not scan an IP within that range.
  • Use a DNS server other than the default to perform reverse DNS lookups with --dns-servers.
  • Select targets from a file using the -iL option. You can feed Nmap a file containing a list of IP addresses, subnets and hostnames, one per line. From this file we could create a full list of all IP addresses.