nmap由非ROOT用户扫描远程计算机的MAC地址

Question

Env- Centos 7 , nmap 6.40

Currently I'm trying to fetch MAC/HW addresses for few list of IP's via nmap command utility and with root user its working perfectly.

As root user

nmap -sP -PE   -iL <list-of-IPs> 

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-19 07:05 EDT Nmap scan report for 192.168.xx.xx Host is up (0.0015s latency). MAC Address: XX:XX:XX:XX:XX:XX

As non-root user

nmap -sP -PE   -iL <list-of-IPs>

Warning: You are not root -- using TCP pingscan rather than ICMP

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-19 07:19 EDT Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 2.01 seconds

Requesting your suggestion/help how the same to be achieve via normal user.

Thanks

Answer 1

It is possible to run nmap as non-root user. This Wiki describes pretty good how to set everything up to run it as an unprivileged user. The linked tutorial also describes this for Ubuntu and Red Hat systems, which should be good for you since you are on CentOS.

I think it is important to keep this security warning in mind:

WARNING: This is dangerous. The Nmap Scripting Engine (NSE) allows scripts to sniff the network, change firewall roules and interface configuration, or exploit vulnerabilities including on localhost. It's possible, especially with elevated capabilities, for a clever person to use Nmap and NSE to escalate to full root privileges. If you do not understand these risks, do not do this.

Summary from the Wiki:

1. Restrict access to certain groups, for example adm . Make sure that you use the right location of nmap . In my case, this was /usr/bin/nmap :

sudo chgrp adm /usr/bin/nmap
sudo chmod 750 /usr/bin/nmap

2. Make sure the setcap command is installed ( more information about capabilities here ):

sudo yum install libcap

3. Now, set the capabilities. Once again, make sure to use the right location.

sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap

4. Finally, you are able to run nmap as unprivileged user. But, you have to explicitly define that you want to do so. You can define it as an argument of nmap

nmap --privileged -sP -PE -iL <list-of-IPs>

or as an environmental variable:

export NMAP_PRIVILEGED=""

Edit: I don't exactly know why this answer is being down-voted since this is one possible answer to the question (although the question is of course better suited for Super User or Unix & Linux Stack Exchange). I added the results from my own systems with and without --privileged below:

$ nmap -sP -PE 192.168.0.1
Warning:  You are not root -- using TCP pingscan rather than ICMP

Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-20 08:52 CEST
Nmap scan report for <HOST NAME> (192.168.0.1)
Host is up (0.0011s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

$ nmap --privileged -sP -PE 192.168.0.1

Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-20 08:52 CEST
Nmap scan report for <HOST NAME> (192.168.0.1)
Host is up (0.0014s latency).
MAC Address: XX:XX:XX:XX:XX:XX (<MANUFACTURER NAME>)
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

Answer 2

Nmap must be run as root in order to retrieve this information. Fortunately, there are other sources of MAC address information on a Linux system: the system's ARP tables. After making an attempt to contact an IP address (either using Nmap or some other tool like ping ), run arp -n to print the table of IP-to-MAC address mappings.