Nmap: Network Exploration and Security Auditing Cookbook

You're reading from Nmap: Network Exploration and Security Auditing Cookbook: Network discovery and security scanning at your fingertips

Product type: Paperback
Published in: May 2017
ISBN-13: 9781786467454
Length: 416 pages
Edition: 2nd Edition
Author: Paulino Calderon

Scanning IP address ranges

Very often, penetration testers and system administrators need to scan not a single machine but a range of hosts. Nmap supports IP address ranges in different formats, and it is essential that we know how to deal with them.

This recipe explains how to work with IP address ranges when scanning with Nmap.

How to do it...

  1. Open your terminal and enter the following command:
$ nmap <IP address range>
  2. For example, to scan from 192.168.1.0 to 192.168.1.255, use the following command:
$ nmap 192.168.1.0-255
  3. Alternatively, you can use any of the following notations:
$ nmap 192.168.1.*
$ nmap 192.168.1.0/24
$ nmap 192.168.1.0 192.168.1.1 192.168.1.2 ... 192.168.1.254 192.168.1.255

How it works...

Nmap supports several target formats that allow users to work with IP address ranges. The most common is to specify the target's IP address or hostname, but Nmap can also read targets from files, accept ranges, and even generate a list of random targets.

Any arguments that are not valid options are read as targets by Nmap. This means that we can tell Nmap to scan more than one range in a single command, as shown in the following command:

# nmap -p25,80 -O -T4 192.168.1.1/24 scanme.nmap.org/24  

There are several ways that we can handle IP ranges in Nmap:

  • Multiple host specification
  • Octet range addressing (they also support wildcards)
  • CIDR notation

To scan IP addresses 192.168.1.1, 192.168.1.2, and 192.168.1.3, the following command can be used:

$ nmap 192.168.1.1 192.168.1.2 192.168.1.3  

We can also specify octet ranges using -. For example, to scan hosts 192.168.1.1, 192.168.1.2, and 192.168.1.3, we could use the expression 192.168.1.1-3, as shown in the following command:

$ nmap 192.168.1.1-3  

Octet range notation also supports wildcards, so we could scan from 192.168.1.0 to 192.168.1.255 with the expression 192.168.1.* (quote the expression if your shell might expand the asterisk):

$ nmap 192.168.1.*

The CIDR notation can also be used when specifying targets. The CIDR notation consists of an IP address and a suffix. The most common network suffixes used are /8, /16, /24, and /32. To scan the 256 hosts in 192.168.1.0-255 using the CIDR notation, the following command can be used:

$ nmap 192.168.1.0/24  

There's more...

In addition, you may exclude hosts from the ranges by specifying the --exclude option, as shown:

$ nmap 192.168.1.1-255 --exclude 192.168.1.1
$ nmap 192.168.1.1-255 --exclude 192.168.1.1,192.168.1.2

Otherwise, you can write your exclusion list in a file and read it with --exclude-file:

$ cat dontscan.txt
192.168.1.1
192.168.1.254
$ nmap --exclude-file dontscan.txt 192.168.1.1-255

CIDR notation

The Classless Inter-Domain Routing (CIDR) notation (pronounced cider) is a compact method for specifying IP addresses and their routing suffixes. This notation gained popularity due to its granularity when compared with classful addressing because it allows subnet masks of variable length.

The CIDR notation is specified by an IP address and a network suffix. The network (or IP) suffix represents the number of network bits. IPv4 addresses are 32 bits long, so the network suffix can be between 0 and 32. The most common suffixes are /8, /16, /24, and /32.

To visualize it, take a look at the following CIDR-to-Netmask conversion table:

CIDR    Netmask
/8      255.0.0.0
/16     255.255.0.0
/24     255.255.255.0
/32     255.255.255.255

For example, 192.168.1.0/24 represents the 256 IP addresses from 192.168.1.0 to 192.168.1.255, and 50.116.1.121/8 represents all the IP addresses in 50.0-255.0-255.0-255. The network suffix /32 is also valid and represents a single IP.
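The following is an added example, not code from the book: a small Python helper that expands the numeric target notations covered in this recipe and subtracts an exclusion list, so the in-scope addresses can be reviewed before a scan is launched. It handles only IPv4 octet ranges, the * wildcard, and CIDR; the function names and the sample exclusion list are assumptions for illustration and are not part of Nmap.

```python
import ipaddress
from itertools import product


def _octet_values(field):
    """Values matched by one octet field: '7', '1-3' or '*'."""
    if field == "*":
        return range(256)
    if "-" in field:
        lo, hi = (int(part) for part in field.split("-", 1))
    else:
        lo = hi = int(field)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet field: {field!r}")
    return range(lo, hi + 1)


def expand_target(spec):
    """Expand one numeric IPv4 target expression into a set of addresses."""
    if "/" in spec:
        # Host bits are ignored, so 192.168.1.1/24 covers 192.168.1.0-255.
        net = ipaddress.ip_network(spec, strict=False)
        return {str(ip) for ip in net}
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octet fields: {spec!r}")
    combos = product(*(_octet_values(f) for f in fields))
    return {".".join(map(str, combo)) for combo in combos}


def scan_scope(targets, exclude=()):
    """Addresses covered by `targets` minus those covered by `exclude`."""
    included = set().union(*(expand_target(t) for t in targets))
    excluded = set().union(*(expand_target(e) for e in exclude))
    return included - excluded


if __name__ == "__main__":
    # Constructed sample: the contents of the dontscan.txt file shown above.
    dontscan = ["192.168.1.1", "192.168.1.254"]
    scope = scan_scope(["192.168.1.1-255"], exclude=dontscan)
    print(len(scope), "addresses in scope")
    for spec in ("192.168.1.0-255", "192.168.1.*", "192.168.1.0/24"):
        print(spec, "->", len(expand_target(spec)), "addresses")
```

Nmap's own list scan (-sL) serves the same purpose natively: it prints the targets it would scan without sending probes to them.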
