In this article I’ll show you the ways to specify targets (hostnames, addresses and networks) for your nmap scans. Basically you have the following options:
- Specify targets on the command line (the default)
- Specify hosts from a list/file
- Choose random targets
- Specify hosts to exclude, on the command line or from a file
So let’s take a look at each of them here:
The default option is to give the targets on the command line. This accepts hostnames, single IP addresses, CIDR netblocks and octet ranges, and you can combine several of them in one command:
- nmap scanme.nmap.org
- nmap 192.168.1.5
- nmap 192.168.1.0/24
- nmap 10.0.0.1-254
- nmap scanme.nmap.org 192.168.1.0/24
nmap -iL <filename>
Pass a file with your target hosts to nmap. You can specify the hosts like you would normally (see the default option above). Entries are separated by spaces, tabs or newlines, so one entry per line is the usual layout but not required. The input file may contain comments that start with # and extend to the end of the line.
Also, if you want to read the targets from stdin, pass - as the filename:
cat filename | nmap -iL -
somecommand | nmap -iL -
This will scan the targets in the order you specify them in the file (add --randomize-hosts if you want that order shuffled).
Example file (targets):
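An example target file in that format, added here and not taken from the original post (the addresses are constructed lab examples), together with the stdin form and a check that sends no packets. The small awk helper only mirrors the documented -iL parsing rules so you can see what nmap will read; nmap's own -sL list scan is the authoritative way to see how the entries expand.

```shell
#!/bin/sh
# Added example, not from the original post: feed nmap a target file
# via -iL, the same list via stdin (-iL -), and verify how nmap expands
# the entries with a list scan (-sL), which sends no probes to the hosts.
# The addresses below are constructed RFC 1918 examples.
set -eu

# Mirror the documented -iL parsing rules locally: a '#' starts a comment
# that runs to the end of the line, and entries are separated by any
# mix of spaces, tabs and newlines. Prints one entry per line.
strip_target_comments() {
    awk '{ sub(/#.*/, ""); for (i = 1; i <= NF; i++) print $i }'
}

# Number of target entries nmap will read from a file.
count_targets() {
    strip_target_comments < "$1" | wc -l | tr -d ' '
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed example target file in the format -iL accepts.
cat > "$workdir/targets" <<'EOF'
# lab targets: comments run to the end of the line
10.0.0.5 10.0.0.6        # several entries on one line are fine
192.168.1.0/30           # CIDR netblocks expand to every address
172.16.0.1-3             # octet ranges work too
EOF

echo "entries nmap will read: $(count_targets "$workdir/targets")"
strip_target_comments < "$workdir/targets"

# Only run nmap if it is installed. -sL lists what would be scanned
# without sending a packet to any target; -n skips reverse DNS.
if command -v nmap >/dev/null 2>&1; then
    nmap -sL -n -iL "$workdir/targets"
    # Same list from stdin; useful after an upstream filter such as grep.
    grep -v '^#' "$workdir/targets" | nmap -sL -n -iL -
fi
```

Run the -sL variant first whenever a list comes from somewhere else (a ticket, a CMDB export, another tool): it shows the expanded targets and catches a stray netblock before any probe leaves your machine.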
This option scans randomly chosen hosts on the internet.
nmap -iR [number]
This option is more for bored afternoons and other research. You can of course combine it with other options like
-p 80 to scan only the HTTP port, or
-p 22 to look for hosts with an open SSH port. But you can also use Shodan for this purpose.
[number] is an integer that represents the amount of hosts to scan. According to the man page, 0 means a never-ending scan, so it does loop until you stop it. Nmap skips undesirable addresses such as private, multicast and unallocated ranges when it generates the random targets, but everything else on the internet is fair game, so:
USE THIS AT YOUR OWN RISK
Exclude hosts from your scan.
nmap --exclude <host1>[,<host2>,...]
nmap --excludefile <file>
Use this if you want to avoid scanning some hosts in a network range. You can do this with a comma-separated list on the command line (no spaces after the commas); the entries take the same forms as targets, so netblocks and ranges work too:
nmap --exclude host1,google.com,host3
Or with a file, which uses the same whitespace-separated format as an
-iL file.
This can be useful for your random
-iR scans, if you want to avoid some hosts. Or maybe you need to scan an entire network except the gateway. Then you can add it to the excluded hosts.
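The gateway case from the paragraph above, as an added example that is not from the original post: scan a /24 except the gateway and one other host, with both --exclude and --excludefile, and a local pre-check of which entries survive the exclusion before anything is sent. The /24, the gateway address 192.168.1.1 and the second excluded host are constructed examples; the grep-based pre-check is my own helper and compares entries literally, so it does not understand netblocks the way nmap's exclusion does.

```shell
#!/bin/sh
# Added example, not from the original post: scan a /24 except its
# gateway (and one other host) using --exclude and --excludefile, and
# pre-check locally which entries survive the exclusion before any
# packet is sent. The addresses and the gateway are constructed examples.
set -eu

# Local pre-check: print the entries of the target list that do not
# appear in the exclude list. Entries are compared literally
# (grep -x -F), so a netblock in the exclude list does not remove the
# single hosts it contains the way nmap's --exclude does; use
# nmap -sL for the authoritative answer.
targets_minus_excludes() {
    # $1 = target list, $2 = exclude list, one entry per line each
    grep -v -x -F -f "$2" "$1" || true
}

count_surviving() {
    targets_minus_excludes "$1" "$2" | wc -l | tr -d ' '
}

# Expand a /24 into its 254 host addresses, one per line.
expand_slash24() {
    # $1 = first three octets, e.g. 192.168.1
    i=1
    while [ "$i" -le 254 ]; do
        echo "$1.$i"
        i=$((i + 1))
    done
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

expand_slash24 192.168.1 > "$workdir/hosts"

# Exclude file: gateway plus one host, same whitespace-separated
# format as an -iL file.
cat > "$workdir/exclude" <<'EOF'
192.168.1.1
192.168.1.20
EOF

echo "hosts left after exclusion: $(count_surviving "$workdir/hosts" "$workdir/exclude")"

if command -v nmap >/dev/null 2>&1; then
    # Inline list: comma-separated, no spaces after the commas.
    nmap -sL -n 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.20
    # Same exclusions from a file; -sL lists the targets without probing them.
    nmap -sL -n 192.168.1.0/24 --excludefile "$workdir/exclude"
    # The same file keeps an -iR run away from hosts you must not touch:
    # nmap -n -Pn -p 80 -iR 20 --excludefile "$workdir/exclude"
fi
```

Keep the exclude file under version control next to the scope document; the -sL run is the cheap proof that the gateway (or anything else on the do-not-touch list) is really absent from the target set before the real scan starts.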
This guide is based on the official nmap man page, so make sure to read it if you need more help.