This is a discussion on Using nmap to Generate Host Lists within the Linux Networking forums, part of the Linux Forums category.
I wrote a quick little tutorial on how to use nmap to generate a list
of hosts.

http://systemnotesorg.blogspot.com/2...ost-lists.html

I hope it is useful to someone.
On 2 Apr 2007, in the Usenet newsgroup comp.os.linux.networking, in article
<1175552212.738277.115340@y80g2000hsf.googlegroups.com>, systemnotes@gmail.com wrote:

>I wrote a quick little tutorial on how to use nmap to generate a list
>of hosts.
>
>http://systemnotesorg.blogspot.com/2007/04/using-nmap-to-generate-host-lists.html

[Indented material below is from a snapshot of that page grabbed around
04:00 UTC on 03 April 2007]

    Using nmap to Generate Host Lists

    An easy way to get a list of hosts from a single domain that you are a
    part of, is to query DNS

        host -l mydomain.com

    But that is not always practical. Sometimes you have machines that are
    in different domains, but they all are part of a network you manage.
    Rather than trying to write a script that pings hosts and reports the
    output, just use nmap for a very fast scan.

Two problems - the primary being that you are still depending on DNS to
provide name resolution, and despite the inverse resolution function being
a part of DNS since the earliest documents ("may" in RFC0882, and required
in RFC1035, but see also RFC1536, 1912, 2050, 2181, and others) a lot of
network administrators don't think it necessary to provide this service.
This is a big problem in the insecure world of microsoft brainwashed admins
who think DHCP and mDNS is adequate. Thus, you can't depend on getting a
correct answer from the DNS.

Secondly, be VERY careful using nmap to scan a network. Some security and
network administrators react harshly to such scans, deeming them to be
abuse.

>I hope it is useful to someone.

The "ping every host" technique (or pinging a broadcast address) has been
much less useful since about 1995, when skript-kiddiez discovered the
Internet, and how to knock a windoze box off the air just by pinging it.
As a result, many networks block ICMP Echo, and many administrators have
disabled ping responders on the individual hosts. Additional forms of abuse
have resulted in additional firewall rules, and disabled services.

Even _detecting_ the existence of a system is more difficult, given network
switches in place of hubs or coaxial networks. Nonetheless, using a packet
sniffer such as 'tcpdump', 'ethereal' (now called 'wireshark') or even
'ngrep' is often more successful, even though they are passive tools, and
only provide information when the "targets" are transmitting.

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host (192.168.0.0) appears to be down.
    Host box1.mydomain.com (192.168.0.1) appears to be up.
    [...]

    Notice how names are resolved for existing hosts, but only an IP is
    returned, if there is no DNS record (e.g. 192.168.0.0).

In your example, you are using /24 networks, which means that the first IP
address (here, 192.168.0.0) is the "network" address, not a host (just as
the last address - here, 192.168.0.255 - would be the broadcast address).
Some operating systems allow the "network" address to be used as a host,
but this is much less common.

    echo "nmap -sP -R -iL subnets.dat | grep "to be up" | awk '{print \$2}' "

Minor typo - the slash belongs at the end of the first line, as it is
escaping the newline that immediately follows.

    To get rid of the parentheses, I redirected the output to hosts_up.dat,
    and piped the output to grep and awk to illustrate:

        cat hosts_up.dat | grep \( | awk -F[\(\)] '{print $2}'

Overkill - awk is more expensive to use than "tr -d '()'" ;-)

Old guy
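The thread compares three ways of turning `nmap -sP` output into a host list: the blog's `awk '{print $2}'`, Moe's `tr -d '()'` to strip the parentheses, and the blog's second awk with a custom field separator. The following is an added example, written for this page and not code from the blog post or from either poster. It runs no scan at all: the sample scan output is constructed inline in the nmap 3.00 format shown above (the host names and addresses are made up), standing in for a `hosts_up.dat` produced by `nmap -sP -R -iL subnets.dat > hosts_up.dat`. It shows why field 2 is unreliable when reverse DNS is missing (the point Moe raises about PTR records), gives an address-based extraction that works with or without a name, and drops the /24 network and broadcast addresses he mentions.

```shell
#!/bin/sh
# Added example, not from the original post or blog.
# Constructed nmap 3.00-style ping-scan output (no scan is run here).
# With a real scan, replace the printf of SAMPLE_SCAN with:
#   nmap -sP -R -iL subnets.dat
SAMPLE_SCAN='Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (192.168.0.0) appears to be down.
Host box1.mydomain.com (192.168.0.1) appears to be up.
Host (192.168.0.2) appears to be up.
Host gw.other.example (192.168.0.254) appears to be up.
Host (192.168.0.255) appears to be up.
Nmap run completed -- 256 IP addresses (4 hosts up) scanned in 2.1 seconds'

# The blog's pipeline: field 2 of every "up" line. Field 2 is the name when
# a PTR record exists and "(address)" when it does not, so the list mixes
# bare names with parenthesised addresses.
naive_field2() {
    grep 'appears to be up' | awk '{print $2}'
}

# Moe's cheaper fix for the parentheses: tr instead of a second awk.
# Still mixes names and addresses, but the addresses are now clean.
field2_tr() {
    grep 'appears to be up' | awk '{print $2}' | tr -d '()'
}

# Address-only list: nmap prints the address in parentheses for every host,
# with or without reverse DNS, so extracting that is reliable.
up_addresses() {
    grep 'appears to be up' | sed 's/^.*(\([^)]*\)).*$/\1/'
}

# Address and name, tab separated; "-" marks hosts with no reverse record.
# Unnamed lines have 6 fields ("Host (a.b.c.d) appears to be up."),
# named lines have 7 ("Host name (a.b.c.d) appears to be up.").
up_addresses_with_names() {
    grep 'appears to be up' | awk '{
        if (NF == 6) { name = "-"; addr = $2 }
        else         { name = $2;  addr = $3 }
        gsub(/[()]/, "", addr)
        printf "%s\t%s\n", addr, name
    }'
}

# For /24 scans only: the .0 network and .255 broadcast addresses are not
# hosts even when something answers for them.
drop_network_and_broadcast() {
    grep -v -e '\.0$' -e '\.255$'
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | up_addresses_with_names | drop_network_and_broadcast
```

On the sample, `naive_field2` yields `box1.mydomain.com`, `(192.168.0.2)` and `gw.other.example`, whereas `up_addresses | drop_network_and_broadcast` yields just the three usable addresses. The `-R` flag the blog uses forces reverse lookups, so the scan itself takes longer on networks without PTR data while adding nothing to the address-based list.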
On Tue, 03 Apr 2007 14:50:37 -0500, Moe Trin wrote:

> The "ping every host" technique (or pinging a broadcast address) has
> been much less useful since about 1995, when skript-kiddiez discovered
> the Internet, and how to knock a windoze box off the air just by pinging
> it.

And, the Winders boxen (at least my First Wife's XP) do *not* respond to a
ping on a broadcast address.

Jonesy