I have a remote machine in a network that I don’t manage, and one day the not-so-static IP changed. Without the new IP address I found myself unable to SSH back in. How do you find a computer in a subnet if you don’t know its address?

I tried to ping around to look for the hostname of my machine, without much success. In the end, I could locate my lost IP with a simple nmap. Here are some notes, in case I hit the same problem again – but hopefully next time my scripts will update the DNS records before I’m locked out.

Run nmap to scan the whole subnet:

sudo nmap -sn --script "default and safe" -oX nmap.xml  111.11.11.0/21

What do the options mean here?

  • Run as root so nmap can send raw packets. On a directly attached Ethernet segment it then discovers hosts with ARP requests and records each host's MAC address (and the vendor looked up from it), which the report relies on. Note that -sn alone does not fingerprint the OS; that needs -O and a port scan.
  • Use a gentle approach: host discovery only, no port scanning (-sn), and only NSE scripts that are in both the default and safe categories. With -sn there are no port results, so only host scripts run.
  • Store the result as an XML file (-oX, uppercase) to explore later. -oG writes grepable output, which is useful if you want to automate things with grep or awk (-oA writes all formats at once).
  • Scan all the IP addresses in the /21, i.e. mask 255.255.248.0, 2048 addresses. nmap scans the whole /21 block that contains the address you give it, here 111.11.8.0 to 111.11.15.255. A subnet mask cheat sheet can be useful instead of counting bits.

Also: if nmap takes a while to run, you can press v to make it more verbose (V to make it quieter) and see what's happening, and press any other key (e.g. space) to print the current progress and estimated time remaining.

Convert the output to a readable format. The XML file carries a stylesheet reference to nmap.xsl, so xsltproc can find the stylesheet on its own when nmap is installed normally; if it cannot, pass the stylesheet path explicitly (on most Linux installs /usr/share/nmap/nmap.xsl) as the first argument, or rerun nmap with --webxml so the XML references the copy hosted on nmap.org:

xsltproc nmap.xml -o nmap.html

Then, open this file in a browser and check out the machines in the subnet. The report has some useful information such as the manufacturer (derived from the MAC's OUI, so only when you scan from the same Ethernet segment as root), the MAC address (if you know which address you're looking for, you're done!) and the reverse DNS (so you can eliminate machines that have hostnames you know can't be yours).

If your subnet is not too large and if you can narrow it down further thanks to the Nmap report, you can just try to SSH into the machines one by one until you get in, either by hand or with some script. Your known_hosts file already holds the machine's host key under its old address, so comparing that fingerprint against the key each candidate presents identifies it without actually logging in anywhere.
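Here is one way to script that last step, added here as an example and not part of the original post. It reads the grepable output of the same scan (rerun with -oG nmap.gnmap, or add -oA), keeps only hosts nmap reported as Up, and asks each one for its SSH host keys with ssh-keyscan, stopping at the first host whose key fingerprint matches the one your known_hosts already has for the lost machine. It assumes OpenSSH's ssh-keyscan and ssh-keygen are installed; the file names, the 3-second timeout and the sample scan output embedded for the self-test are my own constructed choices.

```shell
#!/bin/sh
# Added example (not from the original post): find a host by its SSH host-key
# fingerprint, driven by nmap -oG output. Assumes OpenSSH tools on PATH.

# Constructed sample of nmap -sn -oG output, used only for the self-test.
sample_gnmap() {
    cat <<'EOF'
# Nmap 7.93 scan initiated as: nmap -sn -oG nmap.gnmap 192.0.2.0/29
Host: 192.0.2.1 (gw.example.net)	Status: Up
Host: 192.0.2.2 ()	Status: Up
Host: 192.0.2.3 ()	Status: Down
# Nmap done: 8 IP addresses (2 hosts up)
EOF
}

# Read grepable output on stdin, print the IP of every host reported Up.
up_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }'
}

# Print the SHA256 fingerprint of every host key the given host offers.
# Prints nothing if the host does not answer on port 22 within 3 seconds.
host_fingerprints() {
    ssh-keyscan -T 3 "$1" 2>/dev/null | ssh-keygen -lf - 2>/dev/null | awk '{ print $2 }'
}

# find_by_hostkey <nmap.gnmap> <SHA256:fingerprint>
# Walk the Up hosts and print the first one presenting the wanted fingerprint.
# Exit status 1 if no host matched.
find_by_hostkey() {
    found=$(up_hosts < "$1" | while read -r ip; do
        if host_fingerprints "$ip" | grep -qxF "$2"; then
            echo "$ip"
            break
        fi
    done)
    [ -n "$found" ] || return 1
    echo "$found"
}

# Stand-alone use: ./findhost.sh nmap.gnmap 'SHA256:...'
[ "$#" -eq 2 ] && find_by_hostkey "$1" "$2"
```

The fingerprint to look for comes from the stale known_hosts entry, e.g. `ssh-keygen -lF 111.11.11.42` (or the old hostname if that is what you used), which prints the key type and its SHA256 fingerprint. Matching on the host key rather than attempting logins means no credentials are offered to machines you do not manage, and it also confirms the host you found is really yours before you add its new address to known_hosts.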