How to Retrieve MAC Address of Remote Non-Domain Computer Using PowerShell & ARP



When working with remote systems outside your domain, traditional methods like getmac or WMI queries often fail due to RPC server unavailability. Here's a technical deep dive into alternative approaches that actually work.

Before attempting MAC address retrieval, ensure:

  • Firewalls allow ICMP (ping) and ARP traffic between hosts
  • Both machines are on the same subnet (as in your 192.168.2.x case)
  • Network discovery is enabled on the remote machine

Force-populate the ARP cache before querying:

ping -n 1 192.168.2.41 > nul
arp -a 192.168.2.41 | findstr /i "192.168.2.41"

For more reliable, scriptable results (still limited to hosts on the same subnet, because it reads the local ARP cache), try this PowerShell function:

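function Get-RemoteMAC {
    param (
        [Parameter(Mandatory)]
        [string]$IPAddress
    )
    # Send one echo request so the local ARP cache gets an entry for the target
    $ping = New-Object System.Net.NetworkInformation.Ping
    $ping.Send($IPAddress) | Out-Null
    # Match the exact IP (escaped, followed by whitespace) and capture the MAC column
    $pattern = '^\s*' + [regex]::Escape($IPAddress) + '\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})'
    $entry = arp -a | Select-String -Pattern $pattern | Select-Object -First 1
    if ($entry) {
        $entry.Matches[0].Groups[1].Value
    }
}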

Get-RemoteMAC -IPAddress "192.168.2.41"

For stubborn cases, consider these advanced techniques:

  • Nmap Scan: nmap -sU -p 161 192.168.2.41 --script snmp-interfaces (requires SNMP)
  • Packet Capture: Use Wireshark with the display filter ip.src == <remote_ip> and read the Ethernet source address of a matching frame
  • DHCP Server Logs: Check lease assignments if you control the DHCP server

If you still get "No ARP entries found":

  1. Verify physical connectivity (try pinging again)
  2. Check for IP conflicts using arp -a
  3. Temporarily disable firewalls and test again
  4. Confirm subnet mask correctness on both ends

When attempting to get the MAC address of a remote computer not in your domain, traditional methods like arp -a often fail because they rely on cached ARP entries. The ARP table only contains recently communicated devices, and if no traffic has been exchanged, you'll see "No ARP entries found".

arp -a 192.168.2.41
Interface: 192.168.2.40 --- 0x10
  Internet Address      Physical Address      Type
  192.168.2.41          (incomplete)          dynamic
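
Added example, not part of the original page: a parser that turns `arp -a` output into objects, so that unresolved `(incomplete)` entries like the one above, and a single MAC cached for several IPs, can be checked from a script. The helper name `ConvertFrom-ArpOutput` and the sample table are constructed for illustration.

```powershell
function ConvertFrom-ArpOutput {
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$Line
    )
    begin { $interface = $null }
    process {
        foreach ($text in $Line) {
            # "Interface: 192.168.2.40 --- 0x10" starts a new per-adapter table
            if ($text -match '^\s*Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})') {
                $interface = $Matches[1]
                continue
            }
            # Entry row: IP, then a MAC or "(incomplete)", then the type; all-zero MAC counts as unresolved
            if ($text -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\(incomplete\)|(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)') {
                $resolved = $Matches[2] -notin '(incomplete)', '00-00-00-00-00-00'
                [pscustomobject]@{
                    Interface = $interface
                    IPAddress = $Matches[1]
                    MAC       = if ($resolved) { $Matches[2].ToUpper() } else { $null }
                    Type      = $Matches[3]
                    Resolved  = $resolved
                }
            }
        }
    }
}

# Constructed sample output (not captured from a real host)
$sample = @'
Interface: 192.168.2.40 --- 0x10
  Internet Address      Physical Address      Type
  192.168.2.1           00-11-22-33-44-55     dynamic
  192.168.2.41          (incomplete)          dynamic
  192.168.2.42          00-11-22-33-44-55     dynamic
  192.168.2.255         ff-ff-ff-ff-ff-ff     static
'@ -split '\r?\n'

$entries = $sample | ConvertFrom-ArpOutput
# Entries that never got an ARP reply: no MAC can be read for these yet
$entries | Where-Object { -not $_.Resolved } |
    ForEach-Object { "unresolved: $($_.IPAddress)" }

# The same MAC cached for several dynamic IPs is worth a closer look
# (multi-homed host, proxy ARP, or a wrong entry)
$entries | Where-Object { $_.Resolved -and $_.Type -eq 'dynamic' } |
    Group-Object MAC | Where-Object Count -gt 1 |
    ForEach-Object { '{0} -> {1}' -f $_.Name, ($_.Group.IPAddress -join ', ') }
```

On a live system, replace `$sample` with the output of `arp -a`.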

For Windows environments, PowerShell provides more robust options. The following script uses WMI (requires admin rights and proper firewall settings):

$remoteIP = "192.168.2.41"
$mac = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $remoteIP -Filter "IPEnabled='True'" | 
       Select-Object -ExpandProperty MACAddress
Write-Output "Remote MAC: $mac"

When standard Windows tools fail, network scanning tools like Nmap can help. This requires Nmap installed and proper network permissions:

nmap -sP 192.168.2.41/32

After scanning, check your ARP table again - Nmap's ping sweep often populates the ARP cache.

The "RPC server unavailable" error indicates blocked ports or disabled services. Ensure these services are running on the remote machine:

  • Remote Registry Service
  • Windows Management Instrumentation (WMI)
  • File and Printer Sharing

The firewall must allow:

  • TCP 135 (RPC Endpoint Mapper)
  • TCP 445 (SMB)
  • UDP 137-138, TCP 139 (NetBIOS)

If you only need the MAC for Wake-on-LAN, you can sometimes read it from magic packets sent to the target, because the packet payload carries the target's MAC. The following sender produces such a packet:

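# PowerShell WoL packet sender that reveals MAC in network captures
$mac = "01:23:45:67:89:AB"
# Magic packet: 6 bytes of 0xFF followed by the MAC repeated 16 times (102 bytes)
$packet = [byte[]](,0xFF * 102)
$macBytes = $mac.Split(':') | ForEach-Object { [Convert]::ToByte($_, 16) }
6..101 | ForEach-Object { $packet[$_] = $macBytes[$_ % 6] }
$udp = New-Object System.Net.Sockets.UdpClient
# Allow sending to the subnet broadcast address
$udp.EnableBroadcast = $true
$udp.Send($packet, $packet.Length, "192.168.2.255", 9) | Out-Null
$udp.Close()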