Nmap Target Selection
Learn how to effectively specify targets for Nmap scans using various methods and notations
Effective target selection is crucial for successful network scanning. Nmap provides multiple methods for specifying targets, from simple hostnames to complex network ranges. This guide covers all the target specification options available in Nmap.
Basic Target Specification
Hostname
nmap example.com
Scans the host specified by the domain name.
IP Address
nmap 192.168.1.1
Scans the host with the specified IP address.
IPv6 Address
nmap -6 2001:db8::1
Scans the IPv6 host (requires the -6 flag).
Advanced Target Specification
Input from File (-iL)
You can specify targets in a text file, with one target per line:
Example file (targets.txt):
192.168.1.1
192.168.1.2
example.com
10.0.0.0/24
Command:
nmap -iL targets.txt
This is useful for:
- Scanning large numbers of targets
- Automating scans with pre-defined target lists
- Integrating with other tools that generate target lists
Random Target Selection (-iR)
Nmap can randomly select targets from the entire IPv4 address space:
nmap -iR 10
This command randomly selects and scans 10 IP addresses from the Internet.
Note: This should be used with caution as scanning random Internet hosts may:
- Violate laws or policies in some jurisdictions
- Trigger alerts from intrusion detection systems
- Result in complaints to your ISP
Excluding Targets (--exclude, --excludefile)
You can exclude specific hosts or networks from your scan:
Exclude specific hosts:
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.10
Exclude from file:
nmap 192.168.1.0/24 --excludefile exclude.txt
This is useful when:
- Certain hosts should not be scanned (e.g., critical infrastructure)
- You want to avoid triggering specific security systems
- You need to respect scope boundaries in penetration tests
Target Specification Techniques
Using DNS Names and Wildcards
Nmap supports DNS names and limited wildcard usage:
# Scan a specific subdomain
nmap server1.example.com
# Scan multiple subdomains
nmap server1.example.com server2.example.com
Combining Different Notations
You can combine different target specification methods in a single command:
nmap 192.168.1.1-100 10.0.0.0/24 example.com
This scans:
- IP addresses from 192.168.1.1 to 192.168.1.100
- All 256 IP addresses in the 10.0.0.0/24 subnet
- The host specified by the domain name example.com
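To see exactly which hosts a combined specification covers before scanning, the following added example (not part of this page or of Nmap) expands Nmap-style IPv4 specs (CIDR, per-octet ranges, single addresses) and applies an exclude list, the same check a list scan (-sL) gives you, except it runs offline and does no DNS. The target and exclude lists are constructed sample data.

```python
import ipaddress
import itertools

# Constructed sample lists, mirroring a targets.txt (-iL) and an exclude.txt (--excludefile).
TARGETS = ["192.168.1.1-3", "10.0.0.0/30", "example.com", "203.0.113.10"]
EXCLUDES = ["192.168.1.2", "10.0.0.0/31"]

def expand_spec(spec):
    """Expand one Nmap-style IPv4 target spec into a list of address strings.

    Supports CIDR (10.0.0.0/24), per-octet ranges (192.168.1.1-100,
    10.0.0-1.5, 192.168.1.-) and single addresses.  Hostnames are returned
    unchanged: Nmap resolves them at scan time and this helper does no DNS.
    """
    if "/" in spec:
        # Iterating the network yields every address, including the network
        # and broadcast addresses, matching the 256 hosts Nmap scans for a /24.
        return [str(addr) for addr in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) == 4 and spec.replace("-", "").replace(".", "").isdigit():
        ranges = []
        for octet in octets:
            lo, dash, hi = octet.partition("-")
            if dash:                      # "1-100", "10-", "-10" or "-"
                lo, hi = lo or "0", hi or "255"
            else:
                hi = lo
            lo, hi = int(lo), int(hi)
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range in {spec!r}")
            ranges.append(range(lo, hi + 1))
        return [".".join(map(str, combo)) for combo in itertools.product(*ranges)]
    return [spec]

def build_target_list(targets, excludes):
    """Expand all specs, drop excluded hosts and duplicates, keep input order."""
    excluded = set()
    for spec in excludes:
        excluded.update(expand_spec(spec))
    result, seen = [], set()
    for spec in targets:
        for host in expand_spec(spec):
            if host not in excluded and host not in seen:
                seen.add(host)
                result.append(host)
    return result

if __name__ == "__main__":
    for host in build_target_list(TARGETS, EXCLUDES):
        print(host)
```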
Scan Order
By default, Nmap scans targets in a random order to distribute the load. You can change this behavior:
# Shuffle the order in which hosts are scanned
nmap --randomize-hosts 192.168.1.0/24
# Add a delay between probes to spread the load over time
nmap --scan-delay 500ms 192.168.1.0/24
Best Practices for Target Selection
- Be Precise: Specify only the targets you need to scan to minimize network impact
- Use CIDR Notation: For subnets, CIDR notation is more concise than listing individual IPs
- Consider Using Files: For large scans, use input files to manage target lists
- Exclude Sensitive Systems: Always exclude critical systems that might be negatively affected
- Verify Target Lists: Use the list scan (-sL) to verify your target selection before running full scans
Practical Examples
Scan an entire corporate subnet:
nmap -sn 192.168.0.0/16
Scan multiple office networks:
nmap 10.1.0.0/24 10.2.0.0/24 10.3.0.0/24
Scan all servers in a DMZ:
nmap 203.0.113.0/24 --exclude 203.0.113.10,203.0.113.11
Next Steps
Now that you understand how to effectively select targets for your Nmap scans, you can explore:
- Advanced Techniques - Learn about service detection, OS fingerprinting, and the Nmap Scripting Engine
- Practical Applications - Discover real-world applications of Nmap in network security