Nmap supports several target formats that allow users to work with IP address ranges. The most common case is specifying a single target IP address or hostname, but Nmap can also read targets from files, accept ranges, and even generate a list of random targets.
Any arguments that are not valid options are read as targets by Nmap. This means that we can tell Nmap to scan more than one range in a single command, as shown in the following command:
# nmap -p25,80 -O -T4 192.168.1.1/24 scanme.nmap.org/24
There are several ways that we can handle IP ranges in Nmap:
- Multiple host specification
- Octet range addressing (which also supports wildcards)
- CIDR notation
To scan IP addresses 192.168.1.1, 192.168.1.2, and 192.168.1.3, the following command can be used:
$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
We can also specify octet ranges using -. For example, to scan hosts 192.168.1.1, 192.168.1.2, and 192.168.1.3, we could use the expression 192.168.1.1-3, as shown in the following command:
$ nmap 192.168.1.1-3
Octet range notation also supports wildcards, so we could scan from 192.168.1.0 to 192.168.1.255 with the expression 192.168.1.*:
$ nmap 192.168.1.*
CIDR notation can also be used when specifying targets. It consists of an IP address and a suffix. The most common network suffixes used are /8, /16, /24, and /32. To scan the 256 hosts in 192.168.1.0-255 using CIDR notation, the following command can be used:
$ nmap 192.168.1.0/24
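To check which addresses a set of target expressions covers before a scan is launched, the following added example (not part of the original text, and not Nmap's own parser) expands the three notations described above and flags anything outside an authorized range. The function names are hypothetical, and it assumes IPv4 literals only: hostnames such as scanme.nmap.org are not resolved.

```python
import ipaddress
from itertools import product

def _octet_values(field):
    """Expand one octet field: '7', '1-3' or '*' (0-255)."""
    if field == "*":
        return range(256)
    lo, hi = field.split("-", 1) if "-" in field else (field, field)
    lo, hi = int(lo), int(hi)  # ValueError on empty or non-numeric input
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet range: {field!r}")
    return range(lo, hi + 1)

def expand_target(spec):
    """Return, in order, the IPv4 addresses one target expression covers."""
    if "/" in spec:
        # strict=False masks the host bits, so 192.168.1.1/24 is 192.168.1.0/24.
        net = ipaddress.ip_network(spec, strict=False)
        # Iterating a network yields every address, .0 and .255 included.
        return [str(ip) for ip in net]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 target expression: {spec!r}")
    combos = product(*(_octet_values(f) for f in fields))
    return [".".join(str(o) for o in combo) for combo in combos]

def scope_check(specs, authorized_cidr):
    """Expand all specs; return (unique targets, those outside the scope)."""
    scope = ipaddress.ip_network(authorized_cidr)
    targets = list(dict.fromkeys(ip for s in specs for ip in expand_target(s)))
    outside = [ip for ip in targets if ipaddress.ip_address(ip) not in scope]
    return targets, outside

if __name__ == "__main__":
    # Constructed sample input: three in-scope hosts plus one stray address.
    targets, outside = scope_check(["192.168.1.1-3", "192.168.2.1"],
                                   "192.168.1.0/24")
    print(len(targets), "targets;", "outside scope:", outside)
    print(len(expand_target("192.168.1.1/24")), "addresses in 192.168.1.1/24")
```

The expansion shows that 192.168.1.1/24, 192.168.1.0/24 and 192.168.1.* all name the same 256 addresses.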