Scanning random targets

Nmap can generate random Internet hosts and use them as scan targets. This is useful when conducting research that needs a random sample of hosts, for example to estimate how common a service or configuration is across the Internet.

This recipe shows you how to generate random hosts as targets of your Nmap scans.

How to do it...

To generate a random target list of 100 hosts, use the following Nmap command:

$ nmap -iR 100

Nmap will generate a list of 100 external IP addresses and scan them using whatever other options you specify. Let's combine this option with a ping scan (-sP is the older spelling of -sn; Nmap 6 accepts both):

$ nmap -sP -iR 3
Nmap scan report for host86-190-227-45.wlms-broadband.com (86.190.227.45)
Host is up (0.000072s latency).
Nmap scan report for 126.182.245.207
Host is up (0.00023s latency).
Nmap scan report for 158.sub-75-225-31.myvzw.com (75.225.31.158)
Host is up (0.00017s latency).
Nmap done: 3 IP addresses (3 hosts up) scanned in 0.78 seconds

How it works...

The argument -iR 100 tells Nmap to generate 100 external IP addresses and use them as targets in the specified scan. Nmap skips private, multicast and unallocated ranges when generating the addresses, so the list only contains hosts that are at least nominally routable on the Internet. This target assignment can be combined with any other scan flags.

While this is a useful feature for conducting Internet research, I recommend you be careful with this flag. Nmap does not choose which external addresses the generator produces; the list can contain a critical machine that is being heavily monitored, and every packet you send will be logged by someone. Keep your own networks and any ranges you have been asked not to touch out of the sample with --exclude or --excludefile, keep the scan as light as the research allows, and save the output so you can account for exactly what you sent. To avoid getting into trouble, use this feature wisely.

There's more...

To have Nmap keep generating targets until you stop it, set the argument -iR to 0:

$ nmap -iR 0

For example, to look for hosts exposing NFS (TCP port 2049) online, reporting only the hosts where that port is open, you could use the following command:

$ nmap -p2049 --open -iR 0
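The random-sample workflow above (the -iR ping sweep and the single-port hunt), as an added example that is not from the book: a small POSIX shell helper that runs the sample with a do-not-scan list and grepable output (-oG -), plus two parsers that pull out the hosts that answered and the hosts with a given port open. The nmap flags used (-sn, -iR, --excludefile, -p, --open, -oG) are real; the function names, the exclusion-file argument and the embedded sample output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the book). Assumes nmap is on PATH when the two
# random_* functions are called; the parsers work on any grepable output.

# Ping-sweep N random Internet hosts, skipping every range listed in the
# exclusion file (one target spec per line, same syntax as the command
# line). Grepable output goes to stdout so it can be piped to a parser.
random_ping_sweep() {
    n="$1"; exclude_file="$2"
    nmap -sn -iR "$n" --excludefile "$exclude_file" -oG -
}

# Same idea for one service: N random hosts, one port, and --open so only
# hosts where that port is open are reported.
random_port_sample() {
    n="$1"; port="$2"; exclude_file="$3"
    nmap -p "$port" --open -iR "$n" --excludefile "$exclude_file" -oG -
}

# Parse grepable output on stdin: print the IP of every host reported up.
# Host lines look like "Host: 1.2.3.4 (name)<TAB>Status: Up".
up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Parse grepable output on stdin: print the IP of every host whose port $1
# is open. Port entries are "port/state/proto//service///", separated by
# ", " inside the tab-delimited "Ports:" field of the host line.
hosts_with_open_port() {
    awk -v want="$1" '
        /^Host:/ && index($0, "Ports:") {
            n = split($0, f, "\t")
            for (i = 2; i <= n; i++) {
                if (f[i] !~ /^Ports: /) continue
                m = split(substr(f[i], 8), entries, ", ")
                for (j = 1; j <= m; j++) {
                    split(entries[j], p, "/")
                    if (p[1] == want && p[2] == "open") { print $2; break }
                }
            }
        }'
}

# Constructed sample of grepable output (the two up hosts reuse addresses
# from the ping scan above; the rest are documentation addresses). It lets
# the parsers be exercised without scanning anything.
SAMPLE_GREPABLE=$( {
    printf '# Nmap 6.01 scan initiated (constructed sample)\n'
    printf 'Host: 86.190.227.45 (host86-190-227-45.wlms-broadband.com)\tStatus: Up\n'
    printf 'Host: 126.182.245.207 ()\tStatus: Up\n'
    printf 'Host: 198.51.100.7 ()\tStatus: Down\n'
    printf 'Host: 203.0.113.5 ()\tPorts: 2049/open/tcp//nfs///, 111/open/tcp//rpcbind///\tIgnored State: closed (998)\n'
    printf 'Host: 203.0.113.9 ()\tPorts: 2049/closed/tcp//nfs///\tIgnored State: filtered (999)\n'
    printf '# Nmap done (constructed sample)\n'
} )

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_GREPABLE" | up_hosts                  # 86.190.227.45, 126.182.245.207
printf '%s\n' "$SAMPLE_GREPABLE" | hosts_with_open_port 2049 # 203.0.113.5

# A real run would be, for example:
#   random_ping_sweep 100 do-not-scan.txt | up_hosts
#   random_port_sample 1000 2049 do-not-scan.txt | hosts_with_open_port 2049
```

The parsers read the tab-separated fields of the grepable format rather than grepping for substrings, so a hostname or service name containing "open" cannot produce a false match. For anything beyond a quick count, prefer -oX and a proper XML parser, since the grepable format is the least structured of Nmap's outputs.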

Legal issues with port scanning

Port scanning without permission is generally unwelcome, and is even illegal in some countries. I recommend you research your local laws to find out what you are permitted to do and whether port scanning is frowned upon in your country. You also need to consult your ISP, as their terms of service may have their own rules on the subject.

The official Nmap documentation has an excellent write-up on the legal issues involved with port scanning, available at http://nmap.org/book/legal-issues.html. I recommend that everyone reads it.

Target library

Some NSE scripts, such as broadcast-ping, discover hosts while they run. Through the NSE target library they can add those hosts to the scanning queue, but only if you allow it: the script argument newtargets enables the library, so the newly found hosts become targets of the current scan:

# nmap --script broadcast-ping --script-args newtargets
Pre-scan script results:
| broadcast-ping:
|   IP: 192.168.1.105  MAC: 08:00:27:16:4f:71
|_  IP: 192.168.1.106  MAC: 40:25:c2:3f:c7:24
Nmap scan report for 192.168.1.105
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 08:00:27:16:4F:71 (Cadmus Computer Systems)

Nmap scan report for 192.168.1.106
Host is up (0.49s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 40:25:C2:3F:C7:24 (Intel Corporate)

Nmap done: 2 IP addresses (2 hosts up) scanned in 7.25 seconds

Note how we did not specify a target on the command line, yet the newtargets argument added the IPs 192.168.1.105 and 192.168.1.106 found by broadcast-ping to the scanning queue, and the default port scan ran against them.

The script argument max-newtargets caps how many hosts scripts are allowed to add to the scanning queue. It only has an effect when newtargets is also set, since without it no host is added at all:

# nmap --script broadcast-ping --script-args newtargets,max-newtargets=3

See also

  • The Scanning an IP address range recipe
  • The Geo-locating an IP address recipe in Chapter 3, Gathering Additional Host Information
  • The Getting information from WHOIS records recipe in Chapter 3, Gathering Additional Host Information
  • The Reading targets from a text file recipe
  • The Skipping tests to speed up long scans recipe
  • The Reporting vulnerability checks recipe in Chapter 8, Generating Scan Reports
  • The Collecting signatures of web servers recipe
  • The Distributing a scan among several clients by using Dnmap recipe