List all IPs in Subnet with Nmap

-sL  -n

Below we have listed the IP addresses in the target subnet -sL with no reverse DNS lookups -n

testsystem:~$ nmap -sL -n 192.168.1.0/30

Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds

grep | cut

In the second example the results are piped through grep and cut to extract just the IP addresses we wanted in our list. Additionally a second target range has been added to the target list. The target list can contain hostnames, IP addresses, subnets or a range of IPs such as 192.168.1.1-5.

testsystem:~$ nmap -sL -n 192.168.2.1/32, 192.168.1.0/30 | grep 'Nmap scan report for' | cut -f 5 -d ' '
192.168.2.1
192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3

0.0.0.0/0

Want to list 4 billion IP addresses? Use the very same command to list all possible IPv4 addresses target 0.0.0.0/0.

testsystem:~$ nmap -sL -n 0.0.0.0/0 | grep 'Nmap scan report for' | cut -f 5 -d ' '
0.0.0.0
0.0.0.1
0.0.0.2
0.0.0.3
0.0.0.4
***** ctrl-c, listing all IP addresses will waste a lot of pixels ******

Further targeting parameters that may be of use

--exclude

When selecting a large range of targets you may wish to specifically exclude some IP addresses. For example you could scan a subnet and use the --exclude parameter to not scan an IP within that range.

--dns-server

Use a dns server that is different than the default to perform reverse dns lookups --dns-server.

-iL

Select targets from a file using the -iL option. You can use a file containing a list of IP addresses, subnets and hostnames, one per line to feed into Nmap. From this file we could create a full list of all IP addresses.