Detecting unauthorised devices using NMAP

By | 24th January 2019

NMAP is a fairly handy security scanning tool, though it does have its idiosyncrasies.

The simple script below (installed as /root/macscan/macscan) uses the “-sP” scan mode of NMAP to identify MAC addresses on the local network, and reports any which were not previously known.

This assumes that every device will respond to an ICMP “ping” packet and that all devices are within one network segment, neither of which can be guaranteed: nmap learns MAC addresses from ARP replies, so only hosts on the local segment show a MAC at all. Changing the scan type to “-sn” will test with a combination: an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request.

Passing “initialise” as a parameter to the script will “learn” the MAC addresses currently found on the network, and use this as the “approved list” for future detection scans.

If unauthorised detections are found, the “” script will pick up the output file written by the script and mail a predefined mail account with details of the new detections. This is a simple mailer that interacts with a suitable MTA, such as that provided by your ISP.

#!/bin/bash
#macscan - uses nmap to scan an IP range
#   and detects non-matches to a whitelist
# [IP address spec] is the placeholder from the post; substitute the range to scan
cd /root/macscan || exit 1
if [[ $@ == *initialise* ]]; then
    # Learn the current device list and store it as the approved list
    nmap -sP [IP address spec] -oN - > nm.stdout
    grep "MAC Address" nm.stdout > pats.grep
    echo "MAC scanner (re)initialised to present device list"
    exit 0
fi
# Detection run: report any "MAC Address" line not in the approved list
nmap -sP [IP address spec] -oN - > nm.stdout
detections=$(grep "MAC Address" nm.stdout | grep -v -F -f pats.grep)
if [[ $detections ]]; then
    echo "--------------------" > /root/macscan/detmail.txt
    echo "Unknown MAC address detections " >> /root/macscan/detmail.txt
    echo "--------------------" >> /root/macscan/detmail.txt
    echo "" >> /root/macscan/detmail.txt
    echo "${detections}" >> /root/macscan/detmail.txt
fi
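As an added example (not code from the original post), the same whitelist check in Python: it parses the "nmap -oN" output into MAC/IP pairs and compares normalised MAC addresses only, so a change in nmap's vendor string or a device moving to a new IP does not raise a false alarm, and it lists hosts that answered but showed no MAC (the scanning host itself, or hosts beyond the local segment), which the grep approach silently ignores. The sample scan output is constructed.

```python
import re

# Constructed sample of "nmap -sP <range> -oN -" output; not a real scan.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated Thu Jan 24 10:00:00 2019 as: nmap -sP 192.168.1.0/24 -oN -
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Example Router Co)
Nmap scan report for printer.lan (192.168.1.20)
Host is up (0.0030s latency).
MAC Address: AA:BB:CC:DD:EE:FF (Unknown)
Nmap scan report for 192.168.1.50
Host is up (0.050s latency).
MAC Address: DE:AD:BE:EF:00:01 (Unknown)
Nmap scan report for 192.168.1.99
Host is up.
# Nmap done at Thu Jan 24 10:00:03 2019 -- 256 IP addresses (4 hosts up) scanned in 2.50 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?$")


def parse_scan(text):
    """Return ({mac: (ip, vendor)}, [ips that answered but showed no MAC])."""
    by_mac = {}
    no_mac = []
    current_ip = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            if current_ip is not None:
                # Previous host had no MAC line: scanner itself or off-segment host
                no_mac.append(current_ip)
            current_ip = m.group(1)
            continue
        m = MAC_RE.match(line)
        if m and current_ip is not None:
            # Lower-case the MAC so the comparison ignores case and vendor text
            by_mac[m.group(1).lower()] = (current_ip, m.group(2) or "")
            current_ip = None
    if current_ip is not None:
        no_mac.append(current_ip)
    return by_mac, no_mac


def find_unknown(by_mac, allowed):
    """MACs present in the scan but absent from the allow list, as (mac, ip, vendor)."""
    allowed_norm = {mac.strip().lower() for mac in allowed}
    return sorted((mac, ip, vendor) for mac, (ip, vendor) in by_mac.items() if mac not in allowed_norm)
```

The equivalent of “initialise” is simply saving the keys of the first parse_scan result as the allow list; hosts in the no-MAC list cannot be checked this way and need a different control.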

This can be scheduled using cron to scan every 40 mins (note that “*/40” in the minute field matches minutes 0 and 40 of each hour, so the runs are 40 and 20 minutes apart rather than evenly spaced):

*/40 * * * * /root/macscan/macscan

This is a simple script and schedule, and it will not detect all unauthorised use, but assuming benign users some useful data can be gained.