NMAP Target Specification

----------------------------------


In this article I’ll show you some ways to specify hostnames for your nmap scans. Basically you have the following options:

option description
-iL <filename> Specify hosts from a list/file
-iR <number> Choose random targets
--exclude <host1[,host2][,host3],...> Exclude hosts/networks
--excludefile <exclude_file> Specify hosts to exclude from a file

So let’s take a look at each of them here:

Default

Usage: nmap <hostname>
The default option to set a target. This includes hostnames, IP’s, subnets, etc:

  • nmap scanme.nmap.org
  • nmap 127.093.43.65
  • nmap 153.45.34.12/24
  • nmap scanme.nmap.org*all

-iL

Usage: nmap -iL <filename>

Pass a file with your target hosts to nmap. You can specify the hosts like you would normally (see default options). Separate each host by a line. The input file may contain comments that start with # and extend to the end of the line.

Also, if you want to use stdin as inputfile you can do it with -:
cat filename | nmap -iL -
somecommand | nmap -iL -

This will scan the targets in the order you specify them in the file.

Example file (targets):

Scan Result:



-iR

This option scans for a random IP in the internet.
Usage: nmap -iR [number]

This option is more for bored out afternoons and other research. You can of course combine this with other options like -p 80 to scan only the webhost/http port or -p 20[ish] to look for open ssh ports in the net. But you can also use shodan for this purpose.

The [number] is an int that represents the amount of hosts to scan. However I’m not exactly sure what happens if you enter 0… I think it might loop infinitely.

USE THIS AT YOUR OWN RISK

–exclude/ –excludefile

Exclude Hosts from your scan.
Usage: nmap --exclude [list of hosts]/nmap --excludefile <file>

Use this if you want to avoid scanning hosts in a network range. You can do this with a comma-separated list in the command line:
nmap --exclude host1, google.com, host3

Or with a file, like with the -iL option (or stdin).

Can be usefull for your random -iR scans, if you want to avoid some hosts. Or maybe you need to scan an entire network except the gateway. Then you can add it to the excluded hosts.

This guide is based on the oficial man page of nmap. So make sure to read there, if you need more help.

More about networking