6

I've found a strange behaviour in Nmap (I am using version 5.51 if that matters but I have the same issue with version 5.00), on some networks this plugin does not retrieve MAC address and, consequently, Vendor. The strange thing is that it retrieves almost everything like operating system and so on but it does not print the MAC address. How is that possible? This is the command I use usually:

```
nmap -A -O 192.168.1.0/24 -oX mynetwork.xml
```
tshepang
raz3r
  • 2
    Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Jun 20 '17 at 17:35

3 Answers

18

The MAC address is only displayed when the scan is run with root privilege, so be sure to use `sudo`. As a diagnostic step, try doing a simple ping sweep (`sudo nmap -sn 192.168.1.0/24`), then immediately check your ARP cache (`arp -an`). If you don't see a lot of `<incomplete>`s, then Nmap isn't scanning your subnet properly. If you see 256 `<incomplete>`, and no MAC addresses, then something is wrong with your network setup, since you aren't seeing ARP responses to the requests Nmap is generating.

bonsaiviking
  • 1
    I guess Daniel is right, I can't see a single `<incomplete>`, actually I already tried before both arp and tcpdump with no luck. TCPDump confirms the hypothesis because it only sees the default gateway MAC address on ICMP packets. – raz3r May 21 '12 at 14:47
  • Doing a simple ping sweep (using `nmap -sn `) doesn't require root, so no `sudo` needed there – villapx Jun 05 '17 at 18:52
  • 2
    @villapx True, but the question was why MAC address is not shown. Part 1 of answer was: use sudo. Part 2 was: if that does not work, check arp cache to diagnose. It doesn't make sense to diagnose a different scan than the one that is having problems. – bonsaiviking Jun 05 '17 at 21:40
  • @bonsaiviking I'm referring specifically to your `sudo nmap -sn 192.168.1.0/24` command. The `sudo` is not required there to do a simple ping sweep – villapx Jun 06 '17 at 21:43
  • 2
    @villapx True, it is not. But it **is** required to do an ARP ping sweep in such a way that Nmap is able to display MAC addresses. The user wants to see MAC addresses. The first suggestion is to use `sudo`, since Nmap cannot display MAC addresses without it. If that does not work, then performing the minimum amount of work (`-sn` and no other options) to test the ARP ping feature (**requiring `sudo`**) is the appropriate action. Not using `sudo` would give the user neither the MAC addresses nor any useful diagnostic information about the ARP scan. – bonsaiviking Jun 07 '17 at 01:27
  • When you are a privileged user, the ping sweep `-sn` executes an ICMP echo, TCP ping with SYN and ACK and also an ICMP timestamp. When an unprivileged user scans, he only executes a TCP connect scan. That's one of the reasons `-sn` appears to fall short at times. – nassim Oct 30 '19 at 22:05
  • it does not work on windows, scanning nmap host (self scanning) – francogp Jun 08 '21 at 13:24
12

Nmap can only retrieve the MAC address if you are scanning hosts on the local subnet, directly reachable via layer 2 (Ethernet or Wi-Fi). When you scan hosts across a router (default gateway), your scanning host will talk to the router on layer 2 when sending/receiving layer 3 packets, and thus, Nmap would only be able to see the router's MAC address, but not the destination host MAC address.

(While it is technically possible under some circumstances to determine the MAC address of a non-local host through protocols such as NetBIOS, SNMP etc., and there are NSE scripts for that purpose, Nmap does not generally do that.)

Daniel Roethlisberger
  • Is there an Nmap script that does what you said in the last sentence? I mean I understand the layer problem but it seems weird that I can find the remote host OS and not his MAC address. – raz3r May 17 '12 at 13:14
  • OS detection relies on layer 3 and layer 4 characteristics of a host, such as which options, initial values and flags the IP and TCP headers contain. As for scripts, see for example http://nmap.org/nsedoc/scripts/nbstat.html – Daniel Roethlisberger May 17 '12 at 13:30
  • I was looking at the same script, in fact it worked and I retrieved the MAC address, too bad there must be netbios service running on the target host :( – raz3r May 17 '12 at 13:35
  • it does not work on windows, scanning nmap host (self scanning) – francogp Jun 08 '21 at 13:24
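
An added example, not part of the original answers: a triage pass over the `-oX` file from the question that says, for each host reported up, why its MAC is or is not present, combining the root/ARP point from the first answer with the layer-2 reachability point from the second. The sample XML is constructed, the function name and the `local_networks` argument are hypothetical, and it assumes Nmap records `localhost-response` as the status reason for the scanning host itself.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX layout (not output from a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.10" addrtype="ipv4"/>
  <address addr="00:00:5E:00:53:0A" addrtype="mac" vendor="ExampleVendor"/></host>
<host><status state="up" reason="syn-ack"/>
  <address addr="192.168.1.20" addrtype="ipv4"/></host>
<host><status state="up" reason="echo-reply"/>
  <address addr="10.20.30.40" addrtype="ipv4"/></host>
<host><status state="up" reason="localhost-response"/>
  <address addr="192.168.1.5" addrtype="ipv4"/></host>
<host><status state="down" reason="no-response"/>
  <address addr="192.168.1.99" addrtype="ipv4"/></host>
</nmaprun>"""


def explain_macs(xml_text, local_networks):
    """Return {ip: (mac_or_None, verdict)} for every host reported as up."""
    nets = [ipaddress.ip_network(n) for n in local_networks]
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        ip = addrs.get("ipv4") or addrs.get("ipv6")
        if ip is None:
            continue
        mac, reason = addrs.get("mac"), status.get("reason", "")
        if mac:
            verdict = "ok"
        elif reason == "localhost-response":  # assumed reason for a self-scan
            verdict = "scanning host itself: no ARP exchange to learn a MAC from"
        elif not any(ipaddress.ip_address(ip) in n for n in nets):
            verdict = "routed: only the gateway's MAC is visible at layer 2"
        else:
            verdict = "on-link without ARP: rerun as root, then check arp -an"
        report[ip] = (mac, verdict)
    return report


if __name__ == "__main__":
    for ip, (mac, verdict) in explain_macs(SAMPLE_XML, ["192.168.1.0/24"]).items():
        print(f"{ip:15} {mac or '-':17} {verdict}")
```

Pass the subnets attached to the scanner's own interfaces as `local_networks`; any up host outside them is reached through a router.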
0

I was also having a lack of MAC address and vendor reporting with version 5.61TEST5, but I just installed version 6.00 and all seems to be working again, so you may want to try that now.

Kirk Ireson