Target Specification | Nmap Network Scanning (2024)

From Nmap Network Scanning, Chapter 15 (Nmap Reference Guide): Target Specification

Everything on the Nmap command line that isn't an option (or option argument) is treated as a target host specification. The simplest case is to specify a target IP address or hostname for scanning.

When a hostname is given as a target, it is resolved via the Domain Name System (DNS) to determine the IP address to scan. If the name resolves to more than one IP address, only the first one will be scanned. To make Nmap scan all the resolved addresses instead of only the first one, use the --resolve-all option.

Sometimes you wish to scan a whole network of adjacent hosts. For this, Nmap supports CIDR-style addressing. You can append /<numbits> to an IP address or hostname and Nmap will scan every IP address for which the first <numbits> are the same as for the reference IP or hostname given. For example, 192.168.10.0/24 would scan the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 would scan exactly the same targets. Given that the host scanme.nmap.org is at the IP address 64.13.134.52, the specification scanme.nmap.org/16 would scan the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0, which targets the whole Internet. The largest value for IPv4 is /32, which scans just the named host or IP address because all address bits are fixed. The largest value for IPv6 is /128, which does the same thing.

CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used as subnet network and broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will scan the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the target specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier 0-255.0-255.13.37 will perform an Internet-wide scan for all IP addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.

IPv6 addresses can be specified by their fully qualified IPv6 address or hostname or with CIDR notation for subnets. Octet ranges aren't yet supported for IPv6.

IPv6 addresses with non-global scope need to have a zone ID suffix. On Unix systems, this is a percent sign followed by an interface name; a complete address might be fe80::a8bb:ccff:fedd:eeff%eth0. On Windows, use an interface index number in place of an interface name: fe80::a8bb:ccff:fedd:eeff%1. You can see a list of interface indexes by running the command netsh.exe interface ipv6 show interface.

Nmap accepts multiple host specifications on the command line, and they don't need to be the same type. The command nmap scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- does what you would expect. Note that the /8 in that example covers all of 192.0.0.0 through 192.255.255.255 (over 16 million addresses), not just 192.168.0.0/16; a list scan (nmap -sL -n) is a cheap way to check how many targets a specification expands to before sending any probes.
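The following is an added example, not code from Nmap or the reference guide: a small Python expander for the IPv4 target grammar described above (plain addresses, CIDR suffixes, and comma-separated octet ranges with omitted ends), plus a counter that tells you how large a specification is without enumerating it. Hostnames are deliberately out of scope, since they need DNS, and the leading-hyphen pitfall from the text is rejected the way Nmap's option parser would trip over it. The function names are my own.

```python
"""Expand Nmap-style IPv4 target specifications.

Added example, not Nmap's own code. It follows the rules stated in the text:
  - plain address          192.168.10.40
  - CIDR suffix            192.168.10.40/24  (host bits of the reference are ignored)
  - octet ranges / lists   192.168.3-5,7.1   10.0.0,1,3-7.-   0-255.0-255.13.37
Hostnames are out of scope (they need DNS), so anything that is not
dotted-decimal raises ValueError.
"""
import ipaddress
import itertools
import re
from typing import Iterator, List

# one item of an octet field: "7", "3-5", "-", "200-", "-10"
_OCTET_ITEM = re.compile(r"^(\d*)(?:-(\d*))?$")


def _expand_octet(field: str) -> List[int]:
    """'3-5,7' -> [3, 4, 5, 7]; '-' -> 0..255; '200-' -> 200..255; '-10' -> 0..10."""
    values: List[int] = []
    for item in field.split(","):
        m = _OCTET_ITEM.match(item)
        if item == "" or m is None:
            raise ValueError(f"bad octet field {field!r}")
        lo_s, hi_s = m.groups()
        if hi_s is None:                      # a single number
            lo = hi = int(lo_s)
        else:                                 # a range; either side may be omitted
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of order or outside 0-255: {item!r}")
        values.extend(range(lo, hi + 1))
    return values


def _split(spec: str):
    """Return (network, None) for a CIDR spec or (None, [octet value lists]) otherwise."""
    if spec.startswith("-"):
        # Nmap would take this for an option; the text says to write 0- instead.
        raise ValueError(f"{spec!r} looks like an option; use '0-' for the first octet")
    addr, slash, bits = spec.partition("/")
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad IPv4 specification: {spec!r}")
    if slash:
        # strict=False discards host bits, so 192.168.10.40/24 == 192.168.10.0/24.
        return ipaddress.ip_network(f"{addr}/{bits}", strict=False), None
    return None, [_expand_octet(o) for o in octets]


def count_targets(spec: str) -> int:
    """How many addresses a spec covers, computed without enumerating them.
    A cheap sanity check before a scan: 0-255.0-255.13.37 is 65,536 targets,
    0.0.0.0/0 is 4,294,967,296."""
    net, octets = _split(spec)
    if net is not None:
        return net.num_addresses
    n = 1
    for values in octets:
        n *= len(values)
    return n


def expand_target(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every address a spec covers, varying the last octet fastest."""
    net, octets = _split(spec)
    if net is not None:
        yield from net                        # includes network and broadcast addresses
        return
    for combo in itertools.product(*octets):
        yield ipaddress.IPv4Address(".".join(str(o) for o in combo))


if __name__ == "__main__":
    for spec in ("192.168.10.40/24", "192.168.3-5,7.1", "192.168.0-255.1-254",
                 "10.0.0,1,3-7.-", "0-255.0-255.13.37"):
        print(f"{spec:22} {count_targets(spec):>13,} address(es)")
    print([str(a) for a in expand_target("192.168.3-5,7.1")])
```

Run it as a script to see the sizes of the specifications used in the text; count_targets is the piece worth keeping in a pre-flight script, since an accidental /8 or a 0- first octet is far cheaper to catch here than in an 18-hour scan.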

While targets are usually specified on the command line, the following options are also available to control target selection:

-iL <inputfilename> (Input from list)

Reads target specifications from <inputfilename>. Passing a huge list of hosts is often awkward on the command line, yet it is a common desire. For example, your DHCP server might export a list of 10,000 current leases that you wish to scan. Or maybe you want to scan every address except the leased ones, to locate hosts using unauthorized static IP addresses. Simply generate the list of hosts to scan and pass that filename to Nmap as an argument to the -iL option. Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the filename if you want Nmap to read hosts from standard input rather than an actual file.

The input file may contain comments that start with # and extend to the end of the line.

-iR <num hosts> (Choose random targets)

For Internet-wide surveys and other research, you may want to choose targets at random. The <num hosts> argument tells Nmap how many IPs to generate. Undesirable IPs such as those in certain private, multicast, or unallocated address ranges are automatically skipped. The argument 0 can be specified for a never-ending scan. Keep in mind that some network administrators bristle at unauthorized scans of their networks and may complain. Use this option at your own risk! If you find yourself really bored one rainy afternoon, try the command nmap -Pn -sS -p 80 -iR 0 --open to locate random web servers for browsing.
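As an added example (not Nmap's code), here is the idea behind -iR in Python: draw 32-bit values at random and keep only those outside the ranges that are pointless or rude to scan. Nmap maintains its own list of skipped ranges; this version relies on the IANA special-purpose classifications that Python's ipaddress module knows about (private, loopback, link-local, multicast, reserved, and the 100.64.0.0/10 shared address space), so the two filters are similar but not identical. Function names and the seed parameter are my own.

```python
"""Random IPv4 targets that skip private, multicast, reserved and similar ranges,
in the spirit of nmap -iR. Added example, not Nmap's code."""
import ipaddress
import random
from typing import Iterator, Optional, Union

Address = Union[str, ipaddress.IPv4Address]


def is_scannable(addr: Address) -> bool:
    """True for an ordinary, globally routed unicast IPv4 address.
    is_global alone is not enough: on several Python versions 224.0.0.0/4 is not
    flagged private, so multicast and reserved are checked explicitly."""
    a = ipaddress.IPv4Address(addr)
    return (a.is_global
            and not a.is_multicast
            and not a.is_reserved
            and not a.is_loopback
            and not a.is_link_local
            and not a.is_private)


def random_targets(count: int, seed: Optional[int] = None) -> Iterator[ipaddress.IPv4Address]:
    """Yield `count` random scannable addresses; count=0 never stops, like -iR 0.
    A seed gives a reproducible sample; without one, the OS CSPRNG is used."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    produced = 0
    while count == 0 or produced < count:
        candidate = ipaddress.IPv4Address(rng.getrandbits(32))
        if is_scannable(candidate):
            produced += 1
            yield candidate


if __name__ == "__main__":
    # Save this output to a file and feed it to nmap -iL to get a fixed,
    # reviewable sample instead of an open-ended -iR run.
    for a in random_targets(10, seed=1):
        print(a)
```

Generating the sample up front and feeding it to -iL rather than using -iR directly has one practical advantage: the exact target list exists on disk before the scan starts, which is what you want when someone later asks what was scanned.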

--exclude <host1>[,<host2>[,...]] (Exclude hosts/networks)

Specifies a comma-separated list of targets to be excluded from the scan even if they are part of the overall network range you specify. The list you pass in uses normal Nmap syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc. This can be useful when the network you wish to scan includes untouchable mission-critical servers, systems that are known to react adversely to port scans, or subnets administered by other people.

--excludefile <exclude_file> (Exclude list from file)

This offers the same functionality as the --exclude option, except that the excluded targets are provided in a newline-, space-, or tab-delimited <exclude_file> rather than on the command line.

The exclude file may contain comments that start with # and extend to the end of the line.

-n (No DNS resolution)

Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.

-R (DNS resolution for all targets)

Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts.

--resolve-all (Scan each resolved address)

If a hostname target resolves to more than one address, scan all of them. The default behavior is to only scan the first resolved address. Regardless, only addresses in the appropriate address family will be scanned: IPv4 by default, IPv6 with -6.

--unique (Scan each address only once)

Scan each IP address only once. The default behavior is to scan each address as many times as it is specified in the target list, such as when network ranges overlap or different hostnames resolve to the same address.
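To make the interaction of -iL, --exclude/--excludefile and --unique concrete, here is an added Python example (not Nmap's code) that tokenizes a target file with # comments, expands plain addresses and CIDR blocks, drops anything inside an excluded block, and de-duplicates overlapping ranges the way --unique does. Hostnames and octet ranges are left out of this one, and the two sample files are constructed for the example; the function names are my own.

```python
"""Combine an -iL target file, an --excludefile, and --unique the way Nmap does.
Added example, not Nmap's code. Handles plain IPv4/IPv6 addresses and CIDR blocks;
hostnames and octet ranges are out of scope here."""
import ipaddress
from typing import Iterable, List


def parse_target_file(text: str) -> List[str]:
    """Tokenize an -iL or --excludefile style file: '#' starts a comment that runs
    to the end of the line; entries are separated by any mix of spaces, tabs and newlines."""
    entries: List[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def _networks(entries: Iterable[str]):
    # A bare address becomes a /32 (or /128). strict=False tolerates host bits in a
    # CIDR entry, matching how Nmap treats 192.168.10.40/24.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def build_target_list(targets: Iterable[str], excludes: Iterable[str] = (),
                      unique: bool = True) -> List[str]:
    """Expand targets, drop addresses inside any excluded block, and with unique=True
    (--unique) emit each address once even when ranges overlap."""
    excluded = _networks(excludes)
    seen = set()
    out: List[str] = []
    for net in _networks(targets):
        for addr in net:
            # ip_network containment is False across address families, so an IPv6
            # exclusion never accidentally matches an IPv4 target.
            if any(addr in ex for ex in excluded):
                continue
            if unique:
                if addr in seen:
                    continue
                seen.add(addr)
            out.append(str(addr))
    return out


# Constructed sample files, of the kind a DHCP lease export or asset inventory yields.
TARGET_FILE = """\
# current leases (constructed example)
10.0.0.0/30          # the gateway block
10.0.0.2             # also listed on its own: overlaps the block above
10.0.1.7 10.0.1.9    # two leases on one line
"""
EXCLUDE_FILE = """\
10.0.0.1             # untouchable gateway
10.0.1.8/29          # subnet administered by another team
"""


def demo() -> List[str]:
    return build_target_list(parse_target_file(TARGET_FILE), parse_target_file(EXCLUDE_FILE))


if __name__ == "__main__":
    print(demo())
    print(build_target_list(parse_target_file(TARGET_FILE),
                            parse_target_file(EXCLUDE_FILE), unique=False))
```

The first print shows 10.0.0.1 and 10.0.1.9 removed by the exclusions and the duplicate 10.0.0.2 collapsed; the second, without --unique semantics, keeps 10.0.0.2 twice, which is the behaviour the text describes as Nmap's default when ranges overlap.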

--system-dns (Use system DNS resolver)

By default, Nmap reverse-resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses. Many requests (often dozens) are performed in parallel to improve performance. Specify this option to use your system resolver instead (one IP at a time via the getnameinfo call). This is slower and rarely useful unless you find a bug in the Nmap parallel resolver (please let us know if you do). The system resolver is always used for forward lookups (getting an IP address from a hostname).

--dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)

By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (Unix) or the Registry (Win32). Alternatively, you may use this option to specify alternate servers. This option is not honored if you are using --system-dns. Using multiple DNS servers is often faster, especially if you choose authoritative servers for your target IP space. This option can also improve stealth, as your requests can be bounced off just about any recursive DNS server on the Internet.

This option also comes in handy when scanning private networks. Sometimes only a few name servers provide proper rDNS information, and you may not even know where they are. You can scan the network for port 53 (perhaps with version detection), then try Nmap list scans (-sL) specifying each name server one at a time with --dns-servers until you find one which works.

This option might not be honored if the DNS response exceeds the size of a UDP packet. In such a situation our DNS resolver will make the best effort to extract a response from the truncated packet, and if not successful it will fall back to using the system resolver. Also, responses that contain CNAME aliases will fall back to the system resolver.


FAQs

Is using Nmap illegal? ›

When used properly, Nmap helps protect your network from invaders. But when used improperly, Nmap can (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP.

How to scan a target using Nmap? ›

In the simplest case, give the target on the command line: nmap <target>, where <target> is an IP address, hostname, CIDR block, or octet range in any of the forms described above. For a large number of hosts, generate a file listing them and pass it with the -iL <inputfilename> option. Entries in the file can be in any of the formats accepted on the command line (IP address, hostname, CIDR, IPv6, or octet ranges), separated by one or more spaces, tabs, or newlines.

Which scan allows you to scan OS details of your target? ›

Operating system (OS) detection, enabled with the -O option, is a feature in Nmap that remotely probes a target host and reports details of its operating system if there is a match in the fingerprint database. TCP/IP stack fingerprinting sends a series of probes (e.g., TCP and UDP packets) to the specified host and examines the responses.

How do I scan all 65535 ports in Nmap? ›

To instruct Nmap to scan all 65,535 ports on a target, use the -p- option in your command. For example, nmap -p- <target> would initiate a scan of all ports on the specified target, providing a comprehensive overview of all potential entry points for services and applications.

Can an Nmap scan be detected? ›

Log monitoring tools such as Logwatch and Swatch can certainly help, but the reality is that system logs are only marginally effective at detecting Nmap activity. Special purpose port scan detectors are a more effective approach to detecting Nmap activity. Two common examples are PortSentry and Scanlogd.

Is an angry IP scanner illegal? ›

Angry IP Scanner is open-source software released under the GPL (GNU General Public License), which gives users wide freedom to use and modify it while preventing the code from being absorbed into proprietary software. The license says nothing about whether a particular scan is lawful; as with Nmap, that depends on whether you are authorized to scan the target network.

Can you scan yourself with Nmap? ›

Yes on Unix-like systems, where scanning localhost works normally. On Windows, when using Nmap without Npcap, you cannot generally scan your own machine from itself (using a loopback IP such as 127.0.0.1 or any of its registered IP addresses).

What is the most common Nmap scan? ›

The most common scan is simply Nmap's default: a TCP SYN scan (-sS) when Nmap has raw-packet privileges, otherwise a TCP connect scan (-sT). The ping scan (-sn), which skips port scanning and only reports which hosts are up, is the usual way to sweep a network for live hosts.

Can I use Nmap on my own network? ›

While nmap is generally used to probe business networks and perform security reviews, the tool can also provide interesting details on your systems and devices at home. Nmap, the “network mapper,” has long been used on corporate networks to collect information on desktop systems and servers.

How does Nmap know if a host is up? ›

Nmap's host discovery sends a handful of probes and treats any reply as proof that the host is up. With raw-packet privileges the default set is an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. With a UDP probe (-PU), hitting a closed port on the target machine should elicit an ICMP port unreachable packet in return, which likewise signifies to Nmap that the machine is up and available. Many other types of ICMP errors, such as host/network unreachables or TTL exceeded, are indicative of a down or unreachable host.

What is a stealth scan in Nmap? ›

A TCP SYN scan (-sS) is the so-called stealth scan, used to determine whether ports on a target system are open, closed, or filtered. Nmap sends a SYN packet to the target and waits for a response. If the target responds with a SYN/ACK packet, the port is considered open; Nmap then sends a RST instead of the final ACK, so the handshake never completes and the application never sees a connection (the packets remain visible to firewalls and intrusion detection systems). A RST reply means the port is closed; no reply, or an ICMP unreachable error, means it is filtered.

What is the fastest port scanner? ›

Masscan is widely regarded as one of the fastest port scanners. It is a command-line tool that sends packets asynchronously from its own TCP/IP stack; its default transmission rate is a deliberately conservative 100 packets per second, raised with the --rate option.

How many ports are scanned in Nmap for a target system? ›

By default, Nmap scans the 1,000 most popular ports of each protocol it is asked to scan. There are many options for specifying an alternate set of ports (by frequency or by listing them explicitly), as described in the section called “Selecting Ports to Scan”.

How do you specify all ports to be scanned? ›

Ports can also be specified by name according to what the port is referred to in the nmap-services . You can even use the wildcards * and ? with the names. For example, to scan FTP and all ports whose names begin with “http”, use -p ftp,http* . Be careful about shell expansions and quote the argument to -p if unsure.

How long does it take to scan all ports with Nmap? ›

Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop. Unfortunately, a Linux-style limit of one packet per second makes a 65,536-port scan take more than 18 hours.

Is port scanning illegal in the US? ›

Fundamentally, port scanning by itself is not a crime in the United States or the European Union, and no US federal statute explicitly criminalizes it. That does not make unauthorized scanning safe: computer-misuse laws such as the US Computer Fraud and Abuse Act, and civil suits, can still be brought depending on the circumstances and intent, and many ISPs forbid scanning in their terms of service. Scan only systems you own or have written permission to test.

Can Nmap be used maliciously? ›

Malicious actors do use tools like Nmap to footprint networks, and these tools are often detectable by intrusion detection/prevention systems.

Is it illegal to scan a website? ›

Whether the target is a website changes nothing: scanning a site you do not own or have permission to test raises the same legal questions as any other unauthorized scan. Web scraping is a different activity and is not inherently illegal either, but how it is conducted and how the data is used matter. Scraping copyrighted content or personal information without consent, or disrupting the normal functioning of a website, may be deemed illegal.

Is directory scanning illegal? ›

It's important to note that website directory scanning should only be performed on websites where you have proper authorization or ownership. Unauthorized scanning can be considered illegal and unethical, as it may violate privacy and security laws.
