Scanning an IP address range

Very often, penetration testers and system administrators need to scan not a single machine but a range of hosts. Nmap supports IP address ranges in different formats, and it is essential that we know how to deal with them.

This recipe explains how to work with IP address ranges when scanning with Nmap.

How to do it...

Open your terminal and enter the following command:

# nmap -A -O 192.168.1.0-255

Alternatively you can use any of the following notations:

# nmap -A -O 192.168.1.0/24
# nmap -A -O 192.168.1.1 192.168.1.2 ... 192.168.1.254 192.168.1.255

How it works...

Nmap supports several target formats. The most common type is when we specify the target's IP or host, but it also supports the reading of targets from files, ranges, and we can even generate a list of random targets.

Any arguments that are not valid options are read as targets by Nmap. This means that we can tell Nmap to scan more than one range in a single command, as shown in the following command:

# nmap -p25,80 -O -T4 192.168.1.1/24 scanme.nmap.org/24

There are three ways that we can handle IP ranges in Nmap:

  • Multiple host specification
  • Octet range addressing
  • CIDR notation

To scan the IP addresses 192.168.1.1, 192.168.1.2, and 192.168.1.3, the following command can be used:

# nmap -p25,80 -O -T4 192.168.1.1 192.168.1.2 192.168.1.3

We can also specify octet ranges by using the character "-". For example, to scan the hosts 192.168.1.1, 192.168.1.2, and 192.168.1.3, we could use the expression 192.168.1.1-3 as shown in the following command:

# nmap -p25,80 -O -T4 192.168.1.1-3

The CIDR notation can also be used when specifying targets. The CIDR notation consists of an IP address and a suffix. The most common network suffixes used are /8, /16, /24, and /32. Nmap masks off the host bits of the address given, so 192.168.1.1/24 and 192.168.1.0/24 describe the same 256 addresses. To scan the 256 hosts in 192.168.1.0-255 using the CIDR notation, the following command can be used:

# nmap -p25,80 -O -T4 192.168.1.1/24

There's more...

Additionally, you can exclude hosts from a range with the --exclude option, which takes a comma-separated list of targets written in any of the notations above (single hosts, octet ranges, or CIDR), as shown:

$ nmap -A -O 192.168.1.1-255 --exclude 192.168.1.1
$ nmap -A -O 192.168.1.1-255 --exclude 192.168.1.1,192.168.1.2

Or you can write your exclusion list in a file, one target per line, and read it with --exclude-file:

$ cat dontscan.txt
192.168.1.1
192.168.1.254
$ nmap -A -O --exclude-file dontscan.txt 192.168.1.1-255

CIDR notation

The Classless Inter Domain Routing (CIDR) notation (pronounced as "cider") is a compact method for specifying IP addresses and their routing suffixes. This notation gained popularity due to its granularity when compared to classful addressing because it allows subnet masks of variable length.

The CIDR notation is specified by an IP address and a network suffix. The network or IP suffix represents the number of network bits. IPv4 addresses are 32 bits long, so the suffix can be anything between 0 and 32; the remaining bits are host bits. The most common suffixes are /8, /16, /24, and /32.

To visualize it, take a look at the following CIDR-to-Netmask conversion table:

  CIDR    Netmask
  /8      255.0.0.0
  /16     255.255.0.0
  /24     255.255.255.0
  /32     255.255.255.255

For example, 192.168.1.0/24 represents the 256 IP addresses from 192.168.1.0 to 192.168.1.255. And 50.116.1.121/8 represents all the IP addresses from 50.0.0.0 to 50.255.255.255: only the first eight bits are network bits, so the host bits of the address given (116.1.121) are ignored. The network suffix /32 is also valid and represents a single IP.
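
The target notations from the How it works section, the --exclude handling from There's more, and the CIDR arithmetic just described, reproduced in Python as an added example (this is not code from the Nmap project): it expands a specification into the concrete addresses so you can count or list the hosts a scan will touch before launching it. It handles dotted IPv4 specifications only (hostnames such as scanme.nmap.org are not resolved), accepts comma lists inside an octet as Nmap also does, and de-duplicates overlapping ranges, which is this example's own choice rather than a statement about Nmap's behaviour. All function names are this example's own.

```python
"""Expand Nmap-style IPv4 target specifications (added example, not Nmap code)."""
from __future__ import annotations

import ipaddress
import math
from itertools import product


def cidr_to_netmask(prefix_len: int) -> str:
    """Return the dotted-quad netmask for a /prefix_len IPv4 suffix (the table above)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def _expand_octet(part: str) -> list[int]:
    """'5' -> [5]; '1-3' -> [1, 2, 3]; '-' -> 0..255; '3-5,7' -> [3, 4, 5, 7]."""
    values: list[int] = []
    for piece in part.split(","):
        if piece == "-":
            lo, hi = 0, 255
        elif "-" in piece:
            lo_s, hi_s = piece.split("-", 1)
            lo = int(lo_s) if lo_s else 0       # '-3' means 0-3
            hi = int(hi_s) if hi_s else 255     # '1-' means 1-255
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def _octet_ranges(spec: str) -> list[list[int]]:
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted IPv4 target spec: {spec!r}")
    return [_expand_octet(o) for o in octets]


def expand_target(spec: str) -> list[str]:
    """List every address one spec covers: CIDR, octet ranges, or a plain IP."""
    if "/" in spec:
        # strict=False masks off the host bits, so 192.168.1.1/24 == 192.168.1.0/24.
        # Iterating the network yields every address, network and broadcast included,
        # which is what Nmap scans; /32 yields exactly one address.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]
    return [".".join(map(str, combo)) for combo in product(*_octet_ranges(spec))]


def count_targets(spec: str) -> int:
    """Number of addresses a spec covers, without materialising a /8 in memory."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    return math.prod(len(r) for r in _octet_ranges(spec))


def build_target_list(specs, exclude=()) -> list[str]:
    """Expand every spec, drop anything matched by the exclude specs, keep first-seen order.

    De-duplication of overlapping specs is this example's choice, not a claim about Nmap.
    """
    excluded: set[str] = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    seen: set[str] = set()
    out: list[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            out.append(addr)
    return out


if __name__ == "__main__":
    for spec in ("192.168.1.1-3", "192.168.1.1/24", "50.116.1.121/8", "10.0.0.7/32"):
        print(f"{spec:>16} -> {count_targets(spec)} address(es)")
    print("/24 netmask:", cidr_to_netmask(24))
    # Same exclusion as the dontscan.txt example above.
    print(build_target_list(["192.168.1.1-255"], exclude=["192.168.1.1", "192.168.1.254"])[:3])
```

Running count_targets on a spec before the real scan is a cheap sanity check: a /8 typed where a /24 was meant is 16 million addresses, and Nmap will happily try all of them.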

Privileged versus unprivileged

Running nmap <TARGET> as a privileged user (root, or an account allowed to open raw sockets) launches a SYN Stealth Scan (-sS). For unprivileged accounts that can't create raw packets, a TCP Connect Scan (-sT) is used instead.

The difference between the two is that a TCP Connect Scan uses the high-level connect() system call to learn the port state. Every TCP handshake is therefore fully completed and then torn down, which is slower, and because the application on the target actually accepts the connection, the scan is more likely to be noticed and recorded in service logs. A SYN Stealth Scan sends raw, hand-crafted SYN packets and reads the reply (SYN/ACK means open, RST means closed, no reply means filtered) without ever completing the handshake; Nmap resets the half-open connection itself. This is faster, gives more reliable results, and leaves nothing in application logs, although any modern IDS or firewall spots half-open scans easily, so the "stealth" in the name is historical.

Port states

Nmap categorizes ports by using the following states:

  • Open: An application is actively accepting TCP connections or UDP datagrams on this port.
  • Closed: The port is reachable (the probes arrive and are answered, for example with a TCP RST), but no application is listening on it.
  • Filtered: Nmap cannot determine whether the port is open because packet filtering (a firewall, router rules, or a host-based filter) prevents the probes from reaching it; the probes are dropped silently or answered with ICMP unreachable errors. Nmap retries these probes several times, which is why filtered ports slow a scan down.
  • Unfiltered: The port is reachable, but Nmap cannot tell whether it is open or closed. Only the ACK scan (-sA), which is used to map firewall rules, reports this state.
  • Open|Filtered: Nmap cannot tell whether the port is open or filtered. This happens with scan types in which an open port gives no response, such as UDP, FIN, NULL, and Xmas scans.
  • Closed|Filtered: Nmap cannot tell whether the port is closed or filtered. This state is only reported by the IP ID idle scan (-sI).
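
What the unprivileged path described under Privileged versus unprivileged actually does, and how the open, closed, and filtered states fall out of it, as an added example in Python (this is not Nmap's code): a connect scan built on nothing but connect(), run against a local listener that records every completed handshake, which stands in for the service logs the text says such a scan shows up in. The SYN scan side needs raw sockets and is not reproduced here. Port numbers are chosen at run time; class and function names are this example's own.

```python
"""TCP Connect Scan with Nmap-style port states (added example, not Nmap code)."""
from __future__ import annotations

import errno
import socket
import threading
import time


def connect_scan_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Probe one TCP port with connect() and map the outcome to an Nmap state.

    open:     the three-way handshake completed (the target's accept() fires)
    closed:   the target answered the SYN with RST (ECONNREFUSED)
    filtered: nothing came back before the timeout, or an ICMP unreachable arrived
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()            # a real connect scan tears the connection down at once


class LoggingListener:
    """Stand-in target: a TCP service that records every completed handshake."""

    def __init__(self, host: str = "127.0.0.1") -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))            # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.1)
        self.port = self.sock.getsockname()[1]
        self.log: list[str] = []             # what a real service would write to its logs
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            self.log.append(f"connection from {peer[0]}:{peer[1]}")
            conn.close()

    def wait_for_entries(self, n: int, timeout: float = 2.0) -> None:
        """The handshake completes in the kernel before accept() runs; let the loop catch up."""
        deadline = time.monotonic() + timeout
        while len(self.log) < n and time.monotonic() < deadline:
            time.sleep(0.01)

    def close(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


def pick_closed_port(host: str = "127.0.0.1") -> int:
    """Reserve and release a port so we have one that is almost certainly closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan_demo() -> dict:
    """Connect-scan one listening and one closed loopback port; report what the target saw."""
    target = LoggingListener()
    closed_port = pick_closed_port()
    try:
        states = {
            "listening_port": connect_scan_port("127.0.0.1", target.port),
            "closed_port": connect_scan_port("127.0.0.1", closed_port),
        }
        target.wait_for_entries(1)
        return {**states, "connections_logged": len(target.log), "log": list(target.log)}
    finally:
        target.close()


if __name__ == "__main__":
    for key, value in scan_demo().items():
        print(f"{key}: {value}")
```

The single log entry is the point: the listening service saw a full connection from the scanner, which a SYN scan would never have caused because it resets the half-open connection before accept() is ever reached. The filtered branch needs a host that drops packets and cannot be shown on loopback; against a firewalled target it is the one-second timeout that makes connect and SYN scans of filtered ports so much slower than of closed ones.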

Port scanning techniques

Nmap supports a vast number of port scanning techniques. Use nmap -h for a complete list.

See also

  • The Reading targets from a text file recipe
  • The Scanning random targets recipe
  • The Skipping tests to speed up long scans recipe
  • The Selecting the correct timing template recipe
  • The Listing open ports of a remote host recipe in Chapter 1, Nmap Fundamentals
  • The Scanning using specific port ranges recipe in Chapter 1, Nmap Fundamentals
  • The Distributing a scan among several clients by using Dnmap recipe