How to exclude a range of MAC addresses with nmap

01-18-2015 · 1 minute read · 194 words


I needed to figure out how to exclude a group of Polycom VoIP devices from an nmap scan and couldn’t figure out how to exclude based on MAC addresses. With some really ugly egrep, awk, and tr I was able to come up with a solution that populates an exclude list of IP addresses.

sudo nmap -sP 192.168.1.0/24 | egrep "00:04:F2" -B 2 | awk '/^Nmap scan report/ { print $NF }' | tr -d '(' | tr -d ')' > exclude.txt

Here I’m performing a ping sweep of the entire subnet, searching for all MAC addresses that begin with “00:04:F2” (the Polycom ID), and printing the 2 lines above each match, which gives me the IP address of each Polycom device. Nmap only reports MAC addresses when it runs with root privileges against hosts on the same Ethernet segment, hence the sudo. I then pipe the output through awk and tr to print only the IP addresses and redirect the result to a file.

Once we have the file, we run nmap with the “--excludefile” option, pointing it at our list of excluded IP addresses.

nmap -sP 192.168.1.0/24 --excludefile exclude.txt

There might be a better solution to this; it’s very ugly in my opinion, and I didn’t want to spend any more time crafting a more elegant solution.
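A single awk pass can replace the egrep/awk/tr chain: it remembers the IP from each report line and prints it only if the host's MAC line starts with the wanted prefix, so it does not rely on the report line sitting within two lines of the MAC line. This is an added example, not the author's code; the function names `ips_for_oui` and `sample_scan` and the sample scan output are constructed for illustration.

```shell
# Print the IP of every host whose MAC address starts with the given prefix.
# Reads nmap's normal (human-readable) output on stdin; prefix match is
# case-insensitive. (Hypothetical helper name, not part of nmap.)
ips_for_oui() {
    awk -v oui="$1" '
        BEGIN { oui = toupper(oui) }
        /^Nmap scan report for / {
            # Last field is the IP, bare or wrapped in () after a hostname.
            ip = $NF
            gsub(/[()]/, "", ip)
            next
        }
        /^MAC Address: / {
            if (ip != "" && index(toupper($3), oui) == 1) print ip
            ip = ""
        }
    '
}

# Constructed sample of ping-sweep output: two Polycom phones (one with a
# reverse-DNS name, one without), one other device, and the scanning host
# itself, which has no MAC line.
sample_scan() {
    cat <<'EOF'
Nmap scan report for phone1.example.lan (192.168.1.20)
Host is up (0.00050s latency).
MAC Address: 00:04:F2:AA:BB:01 (Polycom)
Nmap scan report for 192.168.1.21
Host is up (0.00061s latency).
MAC Address: 00:04:F2:AA:BB:02 (Polycom)
Nmap scan report for 192.168.1.30
Host is up (0.00040s latency).
MAC Address: 3C:52:82:11:22:33 (Hewlett Packard)
Nmap scan report for 192.168.1.5
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.31 seconds
EOF
}

sample_scan | ips_for_oui "00:04:f2"

# Against a live sweep, as in the post:
#   sudo nmap -sP 192.168.1.0/24 | ips_for_oui 00:04:F2 > exclude.txt
```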
