44

I have a list of remote machines in a text file. Can I know their MAC addresses using nmap?

Jury A
  • 1
    It may help you: http://stackoverflow.com/questions/10633753/nmap-not-retrieving-mac-address-and-vendor?rq=1 Please read the answer. – user902691 Nov 03 '12 at 18:30
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Jun 20 '17 at 17:32

11 Answers

72

If you're using nmap, MAC addresses are only available if you're on the same network segment as the target. Newer versions of nmap will only show the MAC address to you if you're running as root.

i.e.:

sudo nmap -sP -n 192.168.0.0/24

Karimi
  • 18
    Just to clarify: you don't need to use any specific option. If you run nmap as root (e.g. with sudo), it already gives MAC addresses, if it can (you need to be on same subnet of your targets). – gerlos Sep 25 '14 at 13:00
  • 4
    This attempt did not answer the question. nmap -sP does not show the MAC address. – theking2 Jan 05 '19 at 17:01
  • 1
    it does not work on windows.. no mac return – francogp Jun 08 '21 at 13:02
  • Note that this does not show any mac address if you are scanning an address belonging to an interface of your own computer, it is a trap if you are not paying attention – Ferrybig Jul 09 '21 at 15:02
21

Use the snmp-interfaces.nse nmap script (written in Lua) to get the MAC address of a remote machine like this:

nmap -sU -p 161 -T4 -d -v -n -Pn --script snmp-interfaces 80.234.33.182

Completed NSE at 13:25, 2.69s elapsed
Nmap scan report for 80.234.33.182
Host is up, received user-set (0.078s latency).
Scanned at 2014-08-22 13:25:29 Арабское время (зима) for 3s
PORT    STATE SERVICE REASON
161/udp open  snmp    udp-response
| snmp-interfaces: 
|   eth
|     MAC address: 00:50:60:03:81:c9 (Tandberg Telecom AS)
|     Type: ethernetCsmacd  Speed: 10 Mbps
|     Status: up
|     Traffic stats: 1.27 Gb sent, 53.91 Mb received
|   lo
|     Type: softwareLoopback  Speed: 0 Kbps
|     Status: up
|_    Traffic stats: 4.10 Kb sent, 4.10 Kb received
Andy
user2328360
  • This worked for me, thanks a lot. Running: - Mac OS 10.11 - nmap installed using brew I was able to find the mac address of a linux box remotely. – Ernesto Iser Oct 21 '15 at 15:59
  • 1
    `-sU is UDP` `-p snmp port` `--script snmp-interfaces` Only this works fine to me. – Fabio Noth May 24 '19 at 13:12
12

In current releases of nmap you can use:

sudo nmap -sn 192.168.0.*

This will print the MAC addresses of all available hosts. Of course provide your own network, subnet and host id's.

Further explanation can be found here.

Community
piscator
4

Some scripts give you what you're looking for. If the nodes are running Samba or Windows, nbstat.nse will show you the MAC address and vendor.

sudo nmap -sU --script=nbstat.nse -p137 --open 172.192.10.0/23 -oX 172.192.10.0.xml && grep MAC 172.192.10.0.xml | awk -F';' '{print $4}'
user3126740
  • This answer was a godsend for identifying a rogue VPN client. THANKS!!! But you don't need the xml output, grep, or awk. – David Cahill Sep 24 '14 at 10:27
3

nmap can discover the MAC address of a remote target only if

  • the target is on the same link as the machine nmap runs on, or
  • the target leaks this information through SNMP, NetBIOS etc.

Another possibility comes with IPv6: if the target uses EUI-64 identifiers, the MAC address can be deduced from the IP address.

Apart from the above possibilities, there is no reliable way to obtain the MAC address of a remote target with network scanning techniques.

countermode
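The EUI-64 case mentioned in the answer above can be checked without sending any packets. The following is an added example, not part of the original answer: it assumes the standard modified EUI-64 layout (ff:fe inserted in the middle of the interface identifier, universal/local bit inverted), and the function names and sample addresses are made up for illustration.

```python
import ipaddress

def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 IPv6 address, or None."""
    # Drop a zone id ("%eth0") or prefix length ("/64") if present.
    host = addr.strip().split("%")[0].split("/")[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if ip.version != 6:
        return None
    iid = ip.packed[8:]  # low 64 bits: the interface identifier
    # A MAC-derived identifier has ff:fe inserted between the OUI and the
    # device-specific half (RFC 4291, Appendix A). Privacy or stable-random
    # identifiers (RFC 4941 / RFC 7217) normally lack it and carry no MAC.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Building the identifier inverts the universal/local bit; invert it back.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def macs_for_hosts(addresses):
    """Map each address (e.g. the lines of a hosts file) to a MAC or None."""
    return {a.strip(): mac_from_eui64(a) for a in addresses if a.strip()}


# Constructed sample list; the first two entries embed the MAC address that
# appears in the snmp-interfaces output quoted earlier on this page.
SAMPLE_HOSTS = [
    "fe80::250:60ff:fe03:81c9%eth0",   # EUI-64 link-local address
    "2001:db8::250:60ff:fe03:81c9",    # same identifier under a global prefix
    "2001:db8::1c2a:9f4b:77d3:e15",    # randomised identifier: nothing to recover
    "192.168.0.1",                     # IPv4: no embedded MAC
]

if __name__ == "__main__":
    for host, mac in macs_for_hosts(SAMPLE_HOSTS).items():
        print(f"{host:32} {mac or 'no embedded MAC'}")
```

A `None` result only means the address does not follow the EUI-64 pattern; most current operating systems use randomised identifiers by default, which is also the mitigation if you do not want interface MACs visible in addresses.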
3
if $ ping -c 1 192.168.x.x 

returns

1 packets transmitted, 1 received, 0% packet loss, time ###ms

then you could possibly return the MAC address with arping, but ARP only works on your local network, not across the internet.

$ arping -c 1 192.168.x.x

ARPING 192.168.x.x from 192.168.x.x wlan0
Unicast reply from 192.168.x.x [AA:BB:CC:##:##:##]  192.772ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

Finally, you could use the AA:BB:CC with the colons removed to identify a device from its vendor ID, for example:

$ grep -i '709E29' /usr/local/share/nmap/nmap-mac-prefixes 
709E29 Sony Interactive Entertainment
Günter Zöchbauer
Guest
2

Yes, remember to use the root account.

=======================================

qq@peliosis:~$ sudo nmap -sP -n xxx.xxx.xxx

Starting Nmap 6.00 ( http://nmap.org ) at 2016-06-24 16:45 CST

Nmap scan report for xxx.xxx.xxx

Host is up (0.0014s latency).

MAC Address: 00:13:D4:0F:F0:C1 (Asustek Computer)

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
チーズパン
g9164314
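For a whole list of machines, the normal output format shown in the answer above can be turned into an IP-to-MAC inventory. This is an added example, not part of the original answer: the sample scan text is constructed, and the function names are made up for illustration. Hosts that come back without a "MAC Address" line (off-link targets, the scanning machine's own interface, or a scan run without root) are reported separately instead of being silently dropped.

```python
import re

# "Nmap scan report for 192.168.0.1" or "... for name (192.168.0.1)"
REPORT = re.compile(r"^Nmap scan report for (?:(\S+) \()?([0-9A-Fa-f.:]+)\)?$")
MAC_LINE = re.compile(
    r"^MAC Address: ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((.*)\))?$"
)

def parse_scan(text):
    """Return {ip: {"name", "mac", "vendor"}} from nmap's normal output."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT.match(line)
        if m:
            current = m.group(2)
            hosts[current] = {"name": m.group(1), "mac": None, "vendor": None}
            continue
        m = MAC_LINE.match(line)
        if m and current is not None:
            hosts[current].update(mac=m.group(1).lower(), vendor=m.group(2))
    return hosts

def hosts_without_mac(hosts):
    """IPs that answered but exposed no MAC: not on-link, own interface, or no root."""
    return sorted(ip for ip, h in hosts.items() if h["mac"] is None)

# Constructed sample in the format shown above, e.g. as produced by
# `sudo nmap -sn -n -iL hosts.txt` (hosts.txt is a hypothetical file name).
SAMPLE = """\
Starting Nmap 6.00 ( http://nmap.org ) at 2016-06-24 16:45 CST
Nmap scan report for 192.168.0.1
Host is up (0.0014s latency).
MAC Address: 00:13:D4:0F:F0:C1 (Asustek Computer)
Nmap scan report for 192.168.0.7
Host is up.
Nmap scan report for gw.example (192.168.0.254)
Host is up (0.0030s latency).
MAC Address: 00:50:60:03:81:C9 (Tandberg Telecom AS)
Nmap done: 3 IP addresses (3 hosts up) scanned in 1.20 seconds
"""

if __name__ == "__main__":
    inventory = parse_scan(SAMPLE)
    for ip, h in inventory.items():
        print(ip, h["mac"] or "-", h["vendor"] or "")
    print("no MAC reported:", hosts_without_mac(inventory))
```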
2

I'm not cool enough to be able to comment on a post, so I guess I need to make a new post. However, the above recommendation of "sudo nmap -sn 192.168.0.0/24" is the best, quickest method to get all the MACs for the IPs on your local network/VLAN/subnet. What the OP doesn't mention is that the only way to get the MAC address this way is that you MUST use sudo (or other superuser privileges, i.e. Windows admin). The command nmap -sn 192.168.0.0/24 will discover hosts on your network, but will not return the MACs, as you are not in SU mode of operation.

Reese Zee
1

With the recent version of nmap, 6.40, it will automatically show you the MAC address. Example:

nmap 192.168.0.1-255

This command will scan your network from 192.168.0.1 to 255 and will display the hosts with their MAC addresses on your network.

In case you want to display the MAC address for a single client, use this command. Make sure you are root or use "sudo":

sudo nmap -Pn 192.168.0.1

This command will display the host MAC address and the open ports.

Hope that is helpful.

mpe
Osama Al-Banna
1

Just the standard scan will return the MAC.

nmap -sS target
iNoob
1

Not using nmap... but this is an alternative...

arp -n|grep -i B0:D3:93|awk '{print $1}'
Pipo