List all IPs in Subnet with Nmap

Nmap has a handy feature that allows you to list all IP addresses in a subnet. The option -sL will list all IP's that are the targets on an Nmap command line.

Multiple subnets can be listed as targets for Nmap, so you can for example list 3 subnets as targets to Nmap and using the -sL parameter we will get a list of IPs for all listed subnets.

Another relevant parameter is whether you want a reverse DNS lookup performed on each of the IP addresses being listed. Use the -n option to force no dns lookups.

The Next Level

Discover powerful features and tips for this powerful tool.

-sL  -n

Below we have listed the IP addresses in the target subnet -sL with no reverse DNS lookups -n

testsystem:~$ nmap -sL -n

Starting Nmap 6.25 ( ) at 2014-05-17 23:33 EST
Nmap scan report for
Nmap scan report for
Nmap scan report for
Nmap scan report for
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds

grep | cut

In the second example the results are piped through grep and cut to extract just the IP addresses we wanted in our list. Additionally a second target range has been added to the target list. The target list can contain hostnames, IP addresses, subnets or a range of IPs such as

testsystem:~$ nmap -sL -n, | grep 'Nmap scan report for' | cut -f 5 -d ' '

Want to list 4 billion IP addresses? Use the very same command to list all possible IPv4 addresses target

testsystem:~$ nmap -sL -n | grep 'Nmap scan report for' | cut -f 5 -d ' '
***** ctrl-c, listing all IP addresses will waste a lot of pixels ******
The commands in the above examples send no packets to the target systems, Nmap is simply listing the IP addresses in the subnet. If we however do not use the -n the command will attempt to resolve each IP address, this will take longer and will send dns queries.

Further targeting parameters that may be of use


When selecting a large range of targets you may wish to specifically exclude some IP addresses. For example you could scan a subnet and use the --exclude parameter to not scan an IP within that range.


Use a dns server that is different than the default to perform reverse dns lookups --dns-server.


Select targets from a file using the -iL option. You can use a file containing a list of IP addresses, subnets and hostnames, one per line to feed into Nmap. From this file we could create a full list of all IP addresses.

Next Level Your Technical Network Intelligence

Use Cases and More Info

  • 13 Vulnerability Scanners
  • 17 Free DNS & Network Tools
  • 4+ Billion Records of DNS / IP data