I have an issue with Nmap. I have Kali on my vm installed.
I want to scan the network for live hosts. But when I’m logged as root try nmap -sP 192.168.0.* Nmap reports that every IP in the subnet 192.168.0.* was live. But actually, only 4 IPs are online.
Meanwhile, ping command return correct results; I can ping all and it only shows live hosts.
When I run nmap -sP --unprivileged 192.168.0.* Looks like it works, but it doesn’t return not all live hosts.
Why command n Nmap ap doesn’t work without --unprivileged flag? How can I run it correctly?
71 Answer
I still can't comment so I write you here so I hope I understood you right.
"How to scan for live hosts:"
is your question and I tested it for you on a normal linux computer and you see that at the first nmap listing it just shows what is stored from the last session. I than pinged the missing device and boom - it was shown at the second run.
[jack@jacks ~]$ sudo nmap -sP --unprivileged 192.168.178.* Starting Nmap 7.80 ( ) at 2019-12-18 01:30 CET Nmap scan report for fritz.box (192.168.178.1) Host is up (0.0013s latency). Nmap scan report for 192.168.178.2 Host is up (0.0014s latency). Nmap scan report for openwrtwan.lan (192.168.178.17) Host is up (0.0081s latency). Nmap scan report for 192.168.178.40 Host is up (0.024s latency). Nmap done: 256 IP addresses (4 hosts up) scanned in 2.91 seconds [jack@jacks ~]$ sudo nmap -sP --unprivileged 192.168.178.* Starting Nmap 7.80 ( ) at 2019-12-18 01:31 CET Nmap scan report for fritz.box (192.168.178.1) Host is up (0.0014s latency). Nmap scan report for 192.168.178.2 Host is up (0.0012s latency). Nmap scan report for lizzy (192.168.178.10) Host is up (0.057s latency). Nmap scan report for openwrtwan.lan (192.168.178.17) Host is up (0.00081s latency). Nmap scan report for 192.168.178.40 Host is up (0.10s latency). Nmap done: 256 IP addresses (5 hosts up) scanned in 34.92 seconds [jack@jacks ~]$ A brief from Nmap website:
-sn (No port scan)This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.
Why command n Nmap ap doesn’t work without --unprivileged flag?
It normally has similar results if either isn't actively blocked by the firewall and you experience a difference because you pinged between the runs.
How can I run it correctly?
Thats how: nmap -sn 192.168.1.0/24 and if you're sure about some target, you can use -sP