Nmap Security Scanner
Ref Guide
Security Lists
Security Tools
Site News
Advertising
About/Contact
Credits
Sponsors
|

 |
Intro |
Reference Guide |
Book |
Install Guide |
Download |
Changelog |
Zenmap GUI |
Docs |
Bug Reports |
OS Detection |
Propaganda |
Related Projects |
In the Movies |
In the News |
|
 |
Everything on the Nmap command-line that isn't an option (or
option argument) is treated as a target host specification. The
simplest case is to specify a target IP address or hostname for scanning. Sometimes you wish to scan a whole network of adjacent hosts.
For this, Nmap supports CIDR-style addressing. You can append
/numbits to an IP address or hostname and
Nmap will scan every IP address for which the first
numbits are the same as for the reference
IP or hostname given. For example, 192.168.10.0/24 would scan the 256
hosts between 192.168.10.0 (binary: 11000000 10101000
00001010 00000000 ) and 192.168.10.255 (binary: 11000000 10101000
00001010 11111111 ), inclusive.
192.168.10.40/24 would do exactly the same thing. Given that the host
scanme.nmap.org is at the IP address 205.217.153.62, the specification
scanme.nmap.org/16 would scan the 65,536 IP addresses between
205.217.0.0 and 205.217.255.255. The smallest allowed value is /1,
which scans half the Internet. The largest value is 32, which scans
just the named host or IP address because all address bits are fixed. CIDR notation is short but not always flexible enough. For example, you
might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or
.255 because they are commonly broadcast addresses. Nmap supports
this through octet range addressing. Rather than specify a normal IP
address, you can specify a comma separated list of numbers or ranges
for each octet. For example, 192.168.0-255.1-254 will skip all
addresses in the range that end in .0 and or .255. Ranges need not be
limited to the final octets: the specifier
0-255.0-255.13.37 will perform an Internet-wide scan for all IP
addresses ending in 13.37. This sort of broad sampling can be useful
for Internet surveys and research. IPv6 addresses can only be specified by their fully qualified IPv6
address or hostname. CIDR and octet ranges aren't supported for
IPv6 because they are rarely useful. Nmap accepts multiple host specifications on the command line,
and they don't need to be the same type. The command nmap
scanme.nmap.org 192.168.0.0/16 10.0.0,1,3-7.0-255 does what
you would expect. While targets are usually specified on the command lines, the following options are also available to control target selection: -
-iL <inputfilename> (Input from list)
Reads target specifications from
inputfilename . Passing a huge
list of hosts is often awkward on the command line, yet it
is a common desire. For example, your DHCP server might
export a list of 10,000 current leases that you wish to
scan. Or maybe you want to scan all IP addresses
except for those to locate hosts using
unauthorized static IP addresses. Simply generate the list
of hosts to scan and pass that filename to Nmap as an
argument to the -iL option. Entries can be
in any of the formats accepted by Nmap on the command line
(IP address, hostname, CIDR, IPv6, or octet ranges). Each
entry must be separated by one or more spaces, tabs, or
newlines. You can specify a hyphen (- )
as the filename if you want Nmap to read hosts from standard
input rather than an actual file. -
-iR <num hosts> (Choose random targets)
For Internet-wide surveys
and other research, you may want to choose targets at
random. The num hosts argument
tells Nmap how many IPs to generate. Undesirable IPs such
as those in certain private, multicast, or unallocated
address ranges are automatically skipped. The argument 0
can be specified for a never-ending scan. Keep in mind that
some network administrators bristle at unauthorized scans of
their networks and may complain. Use this option at your
own risk! If you find yourself really bored one rainy
afternoon, try the command nmap -sS -PS80 -iR 0 -p
80 to locate random web servers for
browsing. -
--exclude
<host1[,host2][,host3],...> (Exclude hosts/networks)
Specifies a comma-separated list of targets to be
excluded from the scan even if they are part of the overall
network range you specify. The list you pass in uses normal
Nmap syntax, so it can include hostnames, CIDR netblocks,
octet ranges, etc. This can be useful when the network you
wish to scan includes untouchable mission-critical servers,
systems that are known to react adversely to port scans,
or subnetworks administered by other people. -
--excludefile <exclude_file> (Exclude list from file)
This offers the same functionality as the --exclude
option, except that the excluded targets are provided in a
newline, space, or tab delimited
exclude_file rather than on the
command line.
|
|