Target Specification
Nmap offers a flexible target specification system supporting single hosts, IP ranges, CIDR notation, hostnames, input files, and exclusions. Properly scoping targets reduces scan time, network noise, and the risk of accidentally scanning out-of-scope systems.
Always confirm target ranges against the approved target list before executing scans. Scanning out-of-scope systems may violate ROE and could have legal or operational consequences.
Specifying Targetsβ
Single Hostβ
nmap 192.168.1.1
nmap hostname.domain.local
- Use Case: Targeted scan of a single known host.
- Why: The simplest form of target specification. Nmap accepts both IP addresses and DNS-resolvable hostnames.
CIDR Notationβ
nmap 192.168.1.0/24
- Use Case: Scanning an entire subnet.
- Why: CIDR notation expands to all hosts in the range, enabling full subnet enumeration in a single command.
IP Rangeβ
nmap 192.168.1.1-50
- Use Case: Scanning a contiguous subset of a subnet without scanning the entire range.
- Why: The hyphen notation defines a start and end IP, reducing scan scope to only what is needed.
Multiple Targetsβ
nmap 192.168.1.1 192.168.1.50 192.168.2.0/24
- Use Case: Scanning non-contiguous hosts or subnets in a single invocation.
- Why: Multiple targets can be listed in a single command separated by spaces β mixing single IPs, ranges, and CIDRs as needed.
Octet Range and Comma Notationβ
nmap 192.168.1,2,3.1
nmap 192.168.[1-5].0/24
- Use Case: Scanning multiple subnets that share a common pattern.
- Why: Nmap supports comma-separated values and ranges in any octet position, enabling powerful shorthand for complex multi-subnet target sets.
Input and Exclusion Filesβ
Scanning from a Target File (-iL)β
nmap -iL /tmp/targets.txt
- Use Case: When the target list has been pre-generated or provided by mission planning.
- Why:
-iLreads targets from a file (one per line), supporting IPs, CIDRs, ranges, and hostnames. Essential for large or complex target sets.
Each line in the input file can contain any target format Nmap supports: single IPs, CIDRs (10.0.0.0/8), ranges (10.0.1-5.0), and hostnames. Blank lines and lines beginning with # are ignored.
Excluding Hosts (--exclude)β
nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.254
- Use Case: Omitting specific out-of-scope or sensitive hosts from a scan (e.g., default gateways, routers, mission partner systems).
- Why:
--excludeaccepts a comma-separated list of IPs, CIDRs, or ranges, removing them from the target set before scanning begins.
Excluding from a File (--excludefile)β
nmap 192.168.1.0/24 --excludefile /tmp/exclude.txt
- Use Case: When the exclusion list is large or maintained centrally (e.g., a no-strike list at
/etc/exclude.hosts). - Why: Reads exclusions from a file, one entry per line. Supports the same formats as
-iL.
Randomizationβ
Randomize Target Order (--randomize-hosts)β
nmap --randomize-hosts 192.168.1.0/24
- Use Case: Avoiding predictable sequential scan patterns that may trigger rate-based IDS/IPS alerts.
- Why: Randomizing scan order makes sequential detection harder for network defense tools that watch for sweeps against incrementing IP addresses.
Combine with -sL and -oG to produce a randomized, de-duplicated target list for use with other tools or scripts:
nmap -sL --randomize-hosts -iL /tmp/targets.txt --excludefile /etc/exclude.hosts -oG - | grep 'report for' | awk '{print $5}'
IPv6 Targetsβ
IPv6 Scan (-6)β
nmap -6 2001:db8::1
nmap -6 fe80::1%eth0
- Use Case: Scanning hosts accessible only over IPv6, or dual-stack environments where IPv6 may be unmonitored.
- Why: The
-6flag enables IPv6 mode. Many network security tools focus exclusively on IPv4, making IPv6 an undermonitored attack surface worth enumerating.
Standard ping sweeps don't work efficiently for IPv6 due to the vast address space. Use link-local multicast (ff02::1) or rely on -iL with a known target list derived from other sources such as router neighbor tables, DHCPv6 logs, or Zeek conn.log data.