Home / server / Questions / 586714
Accepted
HTF
Asked: 2014-04-05 05:32:46 +0800 CST

Nmap: find free IPs from the range

  • 772

Is there a way to scan for free IPs on the network? I use nmap -sP 192.168.1.0/24 but this actually shows hosts that are up.

nmap

4 Answers

  1. Best Answer

    Using Nmap like this is a fairly accurate way of doing what you asked, provided that some preconditions are true:

    1. You must run the scan as root (or Administrator on Windows) in order to send ARP requests, not TCP connections. Otherwise the scan may report an address as "down" when it is simply firewalled.
    2. You can only do this from a system on the same data link (layer 2) as the address range you are scanning. Otherwise, Nmap will need to use network-layer probes which can be blocked by a firewall.

    In order to get the "available" addresses, you need to get the list of addresses that Nmap reports as "down." You can do this with a simple awk command:

    sudo nmap -v -sn -n 192.168.1.0/24 -oG - | awk '/Status: Down/{print $2}'

    Summary of Nmap options used:

    • When you use the -v option, Nmap will print the addresses it finds as "down" in addition to the ones that are "up".
    • Instead of -sP, I've substituted the newer spelling -sn, which still accomplishes the same scan, but means "skip the port scan" instead of the misleading "Ping scan" (since the host discovery phase does not necessarily mean an ICMP Echo scan or Ping).
    • The -n option skips reverse DNS lookups, which buys you a bit of time, since you aren't interested in names but just IP addresses.
    • The -oG option tells Nmap to output grepable format, which is easier for awk to process. The argument "-" tells it to send this output to stdout.

    The awk command then searches for "Status: Down" and prints the second field, containing the IP address.

    Of course, if you have access to the switch's running configs or the DHCP server's leases, you could get this answer much more authoritatively without doing a scan that could set off security alarms.

    • 31

  2. Not sure about n-map, but one could reasonably assume that if you write a ping script that sends 1 ping to each address that any hosts that come back with "destination unreachable" is unoccupied, and anything that comes back "request time out" is occupied but not responding to ping. The difference between the two responses is that "destination unreachable" did not receive a response to its ARP request. "Request time out" means something did respond to the ARP request, but not the ICMP packet.

    • 1

  3. Here is another one inspired by Anders Larsson

    for ip in 172.18.5.{129..254}; do { ping -c 1 -W 1 $ip ; } &> /dev/null || echo $ip & done | sort

    Which it means: "Try to ping all the Ips in the range. If the "ping" fails print that IP"

    If you do

    nmap -v -sn -n 192.168.1.0/24 -oG - | awk '/Status: Down/{print $2}'

    Works fast, but I noticed some hosts reported as "Down" are actually "Up"

    • 1

  4. Here's the same thing in PowerShell....

    ((nmap -v -sn -n 10.208.2.0/24 -oG - ) -match "Status\:\sDown") | foreach {($_).Split(" ")[1]}
    • 0