
List all IPs in Subnet with Nmap

Nmap has a handy feature that lists every IP address in a subnet. The -sL option (list scan) prints all the IPs that the targets given on the Nmap command line expand to.

Multiple subnets can be given as targets, so you can, for example, pass three subnets to Nmap and use the -sL parameter to get a list of the IPs in all of them.

Another relevant parameter controls whether a reverse DNS lookup is performed on each IP address being listed. Use the -n option to disable DNS lookups.

With a multitude of options, learn how to get the most from this powerful tool.

-sL  -n

Below we list the IP addresses in the target subnet (-sL) with no reverse DNS lookups (-n):

testsystem:~$ nmap -sL -n 192.168.1.0/30

Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds

grep | cut

In the second example the results are piped through grep and cut to extract just the IP addresses we wanted in our list. A second target range has also been added to the target list. The target list can contain hostnames, IP addresses, subnets, or a range of IPs such as 192.168.1.1-5.

testsystem:~$ nmap -sL -n 192.168.2.1/32 192.168.1.0/30 | grep 'Nmap scan report for' | cut -f 5 -d ' '
192.168.2.1
192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3

0.0.0.0/0

Want to list all 4 billion IPv4 addresses? The very same command with the target 0.0.0.0/0 lists every possible IPv4 address.

testsystem:~$ nmap -sL -n 0.0.0.0/0 | grep 'Nmap scan report for' | cut -f 5 -d ' '
0.0.0.0
0.0.0.1
0.0.0.2
0.0.0.3
0.0.0.4
***** ctrl-c, listing all IP addresses will waste a lot of pixels ******

The commands in the above examples send no packets to the target systems; Nmap is simply listing the IP addresses in the subnet. If, however, we omit -n, the command attempts to resolve each IP address, which takes longer and sends DNS queries.
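The grep | cut pipeline above relies on -n: once reverse DNS is enabled, Nmap prints "Nmap scan report for hostname (ip)" for every address that resolves, and field 5 becomes the hostname rather than the IP. The following added example (not code from the original page or from the Nmap project) parses list-scan output either way and shows where the naive cut-based extraction goes wrong. The two sample outputs are constructed, modelled on the sessions above; the hostnames in them are made up.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample output modelled on the page's sessions. The first block
# was produced with -n, the second without it, so Nmap shows reverse-DNS names.
SAMPLE_WITH_N = """\
Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap done: 2 IP addresses (0 hosts up) scanned in 0.00 seconds
"""

SAMPLE_WITHOUT_N = """\
Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:35 EST
Nmap scan report for gw.lan.example (192.168.1.1)
Nmap scan report for 192.168.1.2
Nmap scan report for printer.lan.example (192.168.1.3)
Nmap done: 3 IP addresses (0 hosts up) scanned in 0.05 seconds
"""

# One report line per target, in one of two shapes:
#   "Nmap scan report for <ip>"            (no reverse DNS, or no PTR record)
#   "Nmap scan report for <name> (<ip>)"   (reverse DNS resolved the address)
REPORT_RE = re.compile(
    r"^Nmap scan report for "
    r"(?:(?P<name>\S+) \((?P<ip_paren>[0-9a-fA-F.:]+)\)|(?P<ip>[0-9a-fA-F.:]+))$"
)


def extract_targets(nmap_output: str) -> List[Tuple[str, Optional[str]]]:
    """Return (ip, name_or_None) for every 'Nmap scan report' line, in output order.

    Banner, 'Nmap done' and any other lines are ignored, so the function is
    safe to run over a whole captured session.
    """
    targets = []
    for line in nmap_output.splitlines():
        m = REPORT_RE.match(line.strip())
        if not m:
            continue
        if m.group("ip_paren"):
            targets.append((m.group("ip_paren"), m.group("name")))
        else:
            targets.append((m.group("ip"), None))
    return targets


def extract_ips(nmap_output: str) -> List[str]:
    """Just the addresses, which is what the page's grep | cut pipeline is after."""
    return [ip for ip, _ in extract_targets(nmap_output)]


def naive_cut_field5(nmap_output: str) -> List[str]:
    """Reproduce `grep 'Nmap scan report for' | cut -f 5 -d ' '` exactly.

    Correct with -n; without -n it returns the hostname for resolved targets.
    """
    out = []
    for line in nmap_output.splitlines():
        if "Nmap scan report for" in line:
            fields = line.split(" ")
            out.append(fields[4] if len(fields) > 4 else "")
    return out


if __name__ == "__main__":
    print("with -n   :", extract_ips(SAMPLE_WITH_N))
    print("without -n:", extract_ips(SAMPLE_WITHOUT_N))
    print("cut -f 5  :", naive_cut_field5(SAMPLE_WITHOUT_N))
```

Keeping the hostname alongside the IP (extract_targets) is useful when the list scan is being run to build an inventory, since a PTR record that does not match what you expect for an address is itself worth a look.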

Further targeting parameters that may be of use

--exclude

When selecting a large range of targets you may wish to exclude specific IP addresses. For example, you could scan a subnet and use the --exclude parameter to skip a particular IP within that range.

--dns-server

Use --dns-server to perform the reverse DNS lookups against a DNS server other than the default.

-iL

Select targets from a file using the -iL option. The file can contain IP addresses, subnets, and hostnames, one per line, to feed into Nmap. From such a file we can produce a full list of all the IP addresses.
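To make the target-expansion behaviour behind -sL, --exclude and -iL concrete, here is an added example (not code from the original page or from the Nmap project) that expands Nmap-style target specs offline with Python's ipaddress module. It handles CIDR blocks, octet ranges such as 192.168.1.1-5 and the comma/dash octet lists Nmap accepts, applies an exclude list, reads an -iL style file, and counts 0.0.0.0/0 without materialising four billion entries. Hostnames are deliberately rejected because resolving them would send DNS queries; treating '#' lines in the input file as comments is this example's assumption, not a documented Nmap behaviour.

```python
import ipaddress
import itertools
from typing import Iterable, Iterator, List, Set


def _octet_values(spec: str) -> List[int]:
    """Expand one octet spec: '5', '1-5', '1,3,5-7', '-' (0-255), '10-' (10-255)."""
    values: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, _, hi = part.partition("-")
            lo_i = int(lo) if lo else 0
            hi_i = int(hi) if hi else 255
        else:
            lo_i = hi_i = int(part)
        if not (0 <= lo_i <= hi_i <= 255):
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_target(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every IPv4 address named by one Nmap-style target spec.

    Supports CIDR (192.168.1.0/30), octet ranges (192.168.1.1-5, 10.0-1.0.1)
    and plain addresses. Hostnames raise ValueError: resolving them is a
    network action this offline example does not perform.
    """
    spec = spec.strip()
    if "/" in spec:
        # strict=False makes 192.168.1.1/30 mean the block containing that host
        yield from ipaddress.ip_network(spec, strict=False)
        return
    octets = spec.split(".")
    if len(octets) != 4 or not all(o and o.strip("0123456789,-") == "" for o in octets):
        raise ValueError(f"unsupported target spec (hostname?): {spec!r}")
    for combo in itertools.product(*(_octet_values(o) for o in octets)):
        yield ipaddress.IPv4Address(".".join(map(str, combo)))


def list_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Offline equivalent of `nmap -sL -n <specs> --exclude <exclude>`.

    Output keeps command-line order; duplicates are dropped (this example's choice).
    """
    excluded: Set[ipaddress.IPv4Address] = set()
    for ex in exclude:
        excluded.update(expand_target(ex))
    seen: Set[ipaddress.IPv4Address] = set()
    out: List[str] = []
    for spec in specs:
        for ip in expand_target(spec):
            if ip in excluded or ip in seen:
                continue
            seen.add(ip)
            out.append(str(ip))
    return out


def count_targets(specs: Iterable[str]) -> int:
    """Size of the target list without enumerating it (0.0.0.0/0 is 2**32 addresses)."""
    total = 0
    for spec in specs:
        s = spec.strip()
        if "/" in s:
            total += ipaddress.ip_network(s, strict=False).num_addresses
        else:
            total += sum(1 for _ in expand_target(s))
    return total


def read_target_file(text: str) -> List[str]:
    """Parse -iL style file contents: whitespace-separated entries.

    Text after '#' is treated as a comment (assumption made for this example).
    """
    specs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        specs.extend(line.split())
    return specs


if __name__ == "__main__":
    print(list_targets(["192.168.2.1/32", "192.168.1.0/30"]))
    print(list_targets(["192.168.1.1-5"], exclude=["192.168.1.3"]))
    print(count_targets(["0.0.0.0/0"]))
```

Running count_targets before a real scan is a cheap sanity check that the target spec expands to the number of addresses you intended, which is the same reason to run nmap -sL -n first.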
