Nmap Target Specification
Nmap is designed to scan a variety of target types, from a single host to large networks. Nmap supports Classless Inter-Domain Routing (CIDR) notation, octet ranges, Domain Name System (DNS) names, IPv6 addressing, random targets, and exclude lists directly on the command line. You can also use combinations of target specification methods on the same command line. For example, to scan the entire 192.168.1.0 Class C network using CIDR notation, along with selected systems from 192.168.100.0 using octet ranges, and a single host using the DNS name myhost.xyz.com, you could use the following command (again, this is just a simple example):
nmap 192.168.1.0/24 192.168.100.10-25 myhost.xyz.com
You can also specify selected octet ranges using a comma-separated list, for example to scan the following hosts:
- 192.168.5.10
- 192.168.5.20
- 192.168.10.10
- 192.168.10.20
- 192.168.15.10
- 192.168.15.20
- 192.168.16.10
- 192.168.16.20
you would use the command:
nmap 192.168.5,10,15-16.10,20
Another great Nmap feature is the exclude list. If you are interested in scanning your public-facing subnet or demilitarized zone (DMZ), to look for rogue hosts, but you don't want to scan your known Web, DNS, and mail servers, you could use the following command:
nmap -sP --exclude web.xyz.com,dns.xyz.com,mail.xyz.com 192.168.100.0/24
Nmap also supports target specification from an input file and excluded targets from an exclude file. The targets must be tab, space, or newline delimited. To perform a software version inventory of your Windows servers, use the following command:
nmap -sV -iL windows_servers.txt
The file windows_servers.txt has a list of your known Windows servers from your asset database. A good way to audit a network for rogue hosts is to use an exclude file of known IP addresses from your asset database. For example:
nmap --excludefile asset_database.txt 192.168.0.0/16
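To check which addresses a target specification and exclude list actually leave in scope before a scan is run, the following added example (not part of the original article) expands CIDR and octet-range targets in Python. The function names are illustrative, the sample ranges are constructed from the article's addresses, and DNS names are not resolved.

```python
import ipaddress
from itertools import product

def expand_octet(field):
    """Expand one octet field such as '5,10,15-16' into a sorted list of ints."""
    values = set()
    for part in field.split(","):
        if part == "*":
            lo, hi = 0, 255
        elif "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0      # '-20' means 0-20
            hi = int(hi_s) if hi_s else 255    # '10-' means 10-255
        else:
            lo = hi = int(part)
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"bad octet range: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)

def expand_target(spec):
    """Return the IPv4 addresses covered by a CIDR block or an octet-range spec."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(ip) for ip in net]  # every address, as a /24 covers 256 targets
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target: {spec!r}")
    combos = product(*(expand_octet(o) for o in octets))
    return [".".join(str(n) for n in combo) for combo in combos]

def scan_list(targets, excludes):
    """Expand all targets, drop excluded addresses, keep order, remove duplicates."""
    excluded = {ip for spec in excludes for ip in expand_target(spec)}
    seen, result = set(), []
    for spec in targets:
        for ip in expand_target(spec):
            if ip not in excluded and ip not in seen:
                seen.add(ip)
                result.append(ip)
    return result

if __name__ == "__main__":
    # Constructed sample values, reusing the address ranges from the article.
    for ip in scan_list(["192.168.5,10,15-16.10,20"], ["192.168.10.10-20"]):
        print(ip)
```

Nmap's own list scan, nmap -sL -n followed by the same target arguments, prints the resulting target list without sending probes to those hosts.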
Another good input file (or exclude file, depending on your purpose) to use for asset management is your list of currently leased Dynamic Host Configuration Protocol (DHCP) addresses.
A less used, but still interesting, target specification option is the ability to scan random targets using the -iR command-line option. The option accepts a value for the number of target addresses to generate. For example, to scan 10 random targets for a Hypertext Transfer Protocol Secure (HTTPS) service, use the following command:
nmap -p 443 -iR 10
A value of 0 supplied to the random option produces an infinite scan.
The table below summarizes the target specification command-line options. As you can see already, Nmap is very flexible at handling input on the command line and from a file. This flexibility offers you a lot of control over the targets that are scanned or not scanned. It also offers the flexibility to use exported host data from other enterprise applications as input to Nmap.
SecurityOwned Nmap Target Specification command-line options
| Option | Description |
|---|---|
| -iL (filename) | Specify an input file with a list of tab-, space-, or newline-delimited targets. |
| -iR (number of targets) | Scan a specified number of random targets. |
| --exclude (host1[,host2][,host3],…) | Specify comma-separated targets to not scan. |
| --excludefile (filename) | Specify an input file with a list of tab-, space-, or newline-delimited targets to not scan. |