Specifying Target Hosts and Networks (2024)

  • Nmap Network Scanning
  • Chapter 3. Host Discovery (“Ping Scanning”)
  • Specifying Target Hosts and Networks

Everything on the Nmap command-line that isn't an option (or option argument) is treated as a target host specification. The simplest case is to specify a target IP address or hostname for scanning.

Sometimes you wish to scan a whole network of adjacent hosts. For this, Nmap supports CIDR-style addressing. You can append /<numbits> to an IPv4 address or hostname and Nmap will scan every IP address for which the first <numbits> are the same as for the reference IP or hostname given. For example, 192.168.10.0/24 would scan the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 would scan exactly the same targets. Given that the host scanme.nmap.org is at the IP address 64.13.134.52, the specification scanme.nmap.org/16 would scan the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0, which targets the whole Internet. The largest value is /32, which scans just the named host or IP address because all address bits are fixed.

CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used as subnet network and broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will scan the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the target specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier 0-255.0-255.13.37 will perform an Internet-wide scan for all IP addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.

IPv6 addresses can only be specified by their fully qualified IPv6 address or hostname. CIDR and octet ranges aren't supported for IPv6 because they are rarely useful.

Nmap accepts multiple host specifications on the command line, and they don't need to be the same type. The command nmap scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.

Input From List (-iL)

Passing a huge list of hosts is often awkward on the command line, yet it is a common need. For example, your DHCP server might export a list of 10,000 current leases that you wish to scan. Or maybe you want to scan all IP addresses except for those ones to locate hosts using unauthorized static IP addresses. Simply generate the list of hosts to scan and pass that filename to Nmap as an argument to the -iL option. Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the filename if you want Nmap to read hosts from standard input rather than an actual file.

Choose Targets at Random (-iR <numtargets>)

For Internet-wide surveys and other research, you may want to choose targets at random. This is done with the -iR option, which takes as an argument the number of IPs to generate. Nmap automatically skips certain undesirable IPs, such as those in private, multicast, or unallocated address ranges. The argument 0 can be specified for a never-ending scan. Keep in mind that some network administrators bristle at unauthorized scans of their networks. Carefully read the section called “Legal Issues” before using -iR.

If you find yourself really bored one rainy afternoon, try the command nmap -sS -PS80 -iR 0 -p 80 to locate random web servers for browsing.

Excluding Targets (--exclude, --excludefile <filename>)

It is common to have machines which you don't want to scan under any circumstances. Machines can be so critical that you won't take any risk of an adverse reaction. You might be blamed for a coincidental outage even if the Nmap scan had nothing to do with it. Or perhaps you have legacy hardware that is known to crash when scanned, but you haven't been able to fix or replace it yet. Or maybe certain IP ranges represent subsidiary companies, customers, or partners that you aren't authorized to scan. Consultants often don't want their own machine included in a scan of their client's networks. Whatever the reason, you can exclude hosts or entire networks with the --exclude option. Simply pass the option a comma-separated list of excluded targets and netblocks using the normal Nmap syntax. Alternatively, you can create a file of excluded hosts/networks and pass that to Nmap with the --excludefile option. The --exclude option doesn't mix with IP ranges that use commas (192.168.0.10,20,30) because --exclude itself uses commas. Use --excludefile in these cases.
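The octet range syntax and the exclusion rules described above can be checked offline before any packet is sent. The following Python sketch is an added example, not code from Nmap or from the original page: the function names are hypothetical, it handles only octet-range IPv4 specifications (no hostnames or /<numbits> targets), and exclusions must be IP addresses or CIDR blocks.

```python
import ipaddress
from itertools import product

def parse_octet(field):
    """Expand one octet field such as '3-5,7', '-', '0-' or '1-254' into a sorted list."""
    values = set()
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo) if lo else 0      # omitted left side defaults to 0
            hi = int(hi) if hi else 255    # omitted right side defaults to 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)

def expand_octet_spec(spec):
    """Yield every IPv4 address matched by an octet-range target specification."""
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octet fields: {spec!r}")
    for octets in product(*(parse_octet(f) for f in fields)):
        yield ipaddress.IPv4Address(".".join(map(str, octets)))

def in_scope(spec, excluded):
    """Return the addresses of spec that fall outside every excluded IP or CIDR block."""
    nets = [ipaddress.ip_network(e, strict=False) for e in excluded]
    return [ip for ip in expand_octet_spec(spec)
            if not any(ip in net for net in nets)]

if __name__ == "__main__":
    # Constructed sample: a range that uses commas, with exclusions kept as
    # separate list entries (the role --excludefile plays on the command line).
    for ip in in_scope("192.168.0-1.10,20,30", ["192.168.1.0/24", "192.168.0.20"]):
        print(ip)
```

Because the exclusions are a list rather than one comma-joined string, a range such as 192.168.0.10,20,30 stays unambiguous, which is the same reason the text recommends --excludefile for such ranges.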

Practical Examples

While some tools have simple interfaces that only allow a list of hosts or maybe let you specify the start and end IP addresses for a range, Nmap is much more powerful and flexible. But Nmap can also be more difficult to learn—and scanning the wrong IP addresses is occasionally disastrous. Fortunately, Nmap offers a dry run using the list scan (-sL option). Simply execute nmap -sL -n <targets> to see which IPs would be scanned before you actually do it.

Examples may be the most effective way to teach the Nmap host specification syntax. This section provides some, starting with the simplest.

nmap scanme.nmap.org, nmap scanme.nmap.org/32, nmap 64.13.134.52

These three commands all do the same thing, assuming that scanme.nmap.org resolves to 64.13.134.52. They scan that one IP and then exit.

nmap scanme.nmap.org/24, nmap 64.13.134.52/24, nmap 64.13.134.-, nmap 64.13.134.0-255

These four commands all ask Nmap to scan the 256 IP addresses from 64.13.134.0 through 64.13.134.255. In other words, they ask to scan the class C sized address space surrounding scanme.nmap.org.

nmap 64.13.134.52/24 --exclude scanme.nmap.org,insecure.org

Tells Nmap to scan the class C around 64.13.134.52, but to skip scanme.nmap.org and insecure.org if they are found within that address range.

nmap 10.0.0.0/8 --exclude 10.6.0.0/16,ultra-sensitive-host.company.com

Tells Nmap to scan the whole private 10 range except that it must skip anything starting with 10.6 as well as ultra-sensitive-host.company.com.

egrep '^lease' /var/lib/dhcp/dhcpd.leases | awk '{print $2}' | nmap -iL -

Obtain the list of assigned DHCP IP addresses and feed them directly to Nmap for scanning. Note that a hyphen is passed to -iL to read from standard input.

nmap -6 2001:800:40:2a03::3

Scans the IPv6 host at address 2001:800:40:2a03::3.

Article information

Author: Lidia Grady
