The nmap command interprets any content appended without an associated switch as a target. The following is a basic syntax that specifies an IP address or a hostname to scan without any associated switches:

nmap 127.0.0.1 
nmap localhost

The hostname is resolved with the configured DNS server and the IP address is obtained to perform the scan. If multiple IP address are associated with one hostname, the first IP address will be scanned and the result will be displayed. The following syntax allows nmap to perform scans on all the IP addresses resolved with the hostname provided in the command:

nmap xyz.com*

Nmap also supports scanning the whole subnet, provided that you append the mask at the end of an IP address or hostname. Then, Nmap will consider all the resolved IP addresses in the range of the mask mentioned. For example, 10.0.0.1/24 would scan the 256 hosts between 10.0.0.1 and 10.0.0.255, including .1, and .255. 10.0.0.21/24 would scan exactly the same targets.

Nmap also allows you to resolve an entire subnet and then exclude certain hosts from scanning. For example, the following syntax allows you to scan all the hosts resolved for 10.0.0.1/24 except any IP addresses whose last network bits are .1 or .255:

nmap 10.0.0.2-254

This can be used in any of the four network bits, such as 10.0.1-254.1-254, which will allow you to skip IP addresses  10.0.0.0 , 10.0.0.255,  10.0.255.0, and 10.0.255.255. Nmap also supports fully qualified IPv6 addresses, but not octet range. For an IPv6 address with non-global scope, the zone suffix ID needs to be mentioned.

Nmap supports various input formats for a user to specify the targets. The following are the switches that can be used to mention the hosts on the specified format:

nmap –iL <inputfilename>

This will allow the user to create a text file with a list of all the IP addresses/range to be scanned. This is a feasible option when you have many IP addresses to be scanned. For example, if you want to scan all the IP addresses from different subnets for a medium-scale organization with more than 10,000 assets, it is not feasible to enter these IP addresses on the command line. Instead, create a text file with a list of all the IP addresses to be scanned and mention the filename with the absolute path after -iL. Nmap then fetches the list of IP addresses from the file and performs the scan:

nmap -iR <num hosts> 

For large organizations and internet-based scans, you may want to scan random targets or identify unknown targets. The –iR switch with the appended number of random hosts to be identified for scans will allow the user to perform these operations. For example, if you are trying to identify eight random hosts with the ftp port open, the following syntax can be used:

nmap –sS –Pn –p 21 –iR 8 --open

The following syntax will help you to exclude servers when your input is a range of servers, a subnet, or a pre-existing large list of servers. The hosts mentioned along with this switch are omitted from scanning, thereby preventing the servers from being hit with any unwanted traffic:

nmap --exclude <host1>[,<host2>[,...]]

The following command works similarly to the preceding syntax, except that the host exclusion list is fetched from a file instead of manually mentioning the server list. This is feasible when the list of hosts to be excluded from the scan is long:

nmap --excludefile <exclude_file>