List all IPs in Subnet with Nmap

Nmap has a handy feature that allows you to list all IP addresses in a subnet. The option -sL will list all IP's that are the targets on an Nmap command line.

Multiple subnets can be listed as targets for Nmap, so you can for example list 3 subnets as targets to Nmap and using the -sL parameter we will get a list of IPs for all listed subnets.

Another relevant parameter is whether you want a reverse DNS lookup performed on each of the IP addresses being listed. Use the -n option to force no dns lookups.

In this example we have listed the IP addresses in the target subnet with no reverse DNS lookups.

More Nmap Tips to get the most of out of this powerful tool.

Nmap Tips

testsystem:~$ nmap -sL -n 192.168.1.0/30

Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds

In the second example the results are piped through grep and cut to extract just the IP addresses we wanted in our list. Additionally a second target range has been added to the target list. The target list can contain hostnames, IP addresses, subnets or a range of IPs such as 192.168.1.1-5.

testsystem:~$ nmap -sL -n 192.168.2.1/32, 192.168.1.0/30 | grep 'Nmap scan report for' | cut -f 5 -d ' '
192.168.2.1
192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3

Want to list 4 billion IP addresses? Use the very same command to list all possible IPv4 addresses target 0.0.0.0/0.

testsystem:~$ nmap -sL -n 0.0.0.0/0 | grep 'Nmap scan report for' | cut -f 5 -d ' '
0.0.0.0
0.0.0.1
0.0.0.2
0.0.0.3
0.0.0.4
***** ctrl-c, listing all IP addresses will waste a lot of pixels ******

The commands in the above examples send no packets to the target systems, Nmap is simply listing the IP addresses in the subnet. If we however do not use the -n the command will attempt to resolve each IP address, this will take longer and will send dns queries.

Further targeting parameters that may be of use;

  • When selecting a large range of targets you may wish to specifically exclude some IP addresses. For example you could scan a subnet and use the --exclude parameter to not scan an IP within that range.
  • Use a dns server that is different than the default to perform reverse dns lookups --dns-server.
  • Select targets from a file using the -iL option. You can use a file containing a list of IP addresses, subnets and hostnames, one per line to feed into Nmap. From this file we could create a full list of all IP addresses.

Our hosted version of Nmap allows you to scan for open ports on any Internet facing IP address. Let us do the management for you.
Share this Post
Share on FacebookTweet about this on TwitterShare on Google+Share on StumbleUpon

,