
Nmap: Scan IP Ranges

This tutorial explains all Nmap techniques to define IP ranges to scan.

Nmap is the most popular network scanner among Linux users and network administrators. It is extremely powerful and flexible, allowing it to scan ports, IP ranges, entire networks, multiple unrelated targets, vulnerabilities, and more.

It is widely used both for diagnosing network problems and for security auditing. Knowing how to drive Nmap is essential for server and network administrators, and for any user concerned about the security of their network.

Scanning IP ranges with the Nmap (Network Mapper) network scanner is easy thanks to Nmap's flexible target syntax. Users can scan single targets, whole subnets, partial subnets, lists of targets read from a file, and can even instruct Nmap to generate random targets or to discover possible targets within a network based on specific conditions or arbitrarily.

All examples given in this document include screenshots, making it easy for all readers to understand how commands are applied.

Previous Example With Single Target

Before starting with IP ranges and multiple targets, users without experience with Nmap can see how scans against single targets are launched.

The first introductory example shows how to scan a single target (linuxhint.com). Nmap treats any argument that isn't an option as a target. The following example doesn't include options; it only calls nmap and defines the target by its domain name, which can be replaced with an IP address.

nmap linuxhint.com

Or

nmap 104.21.41.55

Nmap reveals that the http and https ports are open while 996 ports remain filtered by a firewall. By default, Nmap scans only the 1000 most common ports.

How to Scan IP Ranges With Nmap

Scanning a range belonging to a Class C network is easy: a hyphen defines the range. My home network is a Class C network with IPs 192.168.0.X. The following example shows how to scan a specific range of hosts within my Class C network; the range goes from 1 to 30:

Users can define IP ranges by placing a hyphen between the minimum and maximum values (e.g., nmap 10.0.0.1-50).

In the following example, the user scans a Class C network (/24) range between the IPs 192.168.0.1 and 192.168.0.200.

For users who are not familiar with IP classes, we have added an introduction to them at the end of the practical sections of this document.

The IP range is defined with a hyphen between 1 and 200 in the last octet, the one reserved for hosts.

nmap 192.168.0.1-200

In the previous example, the user scans for available hosts on addresses from 192.168.0.1 to 192.168.0.200, finding 2 devices within the instructed range. Nmap shows their open ports among the 1000 most common ports.

The user can define IP ranges in all octets, as shown below.

To scan a specific range of a Class B network, the user can apply the same method, adding a hyphen in each of the last 2 octets. In the following example, the last two octets of the Class B network with IP 186.33.X.X are scanned: for the third octet, the range 200-220, and for the fourth octet, the range 80-120. Such a scan may take a while to finish.

nmap 186.33.200-220.80-120

To scan an entire subnet, the user can use the CIDR format as shown below.

nmap 192.168.0.0/24

Nmap: Scanning Octets Using Wildcards

The examples above show how to scan ranges belonging to Class A and B subnetworks. What if, rather than defining a limited range, we want to scan the whole octet?

The user can define a range between 1 and 254, but can also use the wildcard (*) to instruct Nmap to check all addresses within an octet (* is equivalent to the range 0-255, so the network and broadcast addresses are included). The following example instructs Nmap to scan all hosts of a Class C network:

Optionally, if the user scans the whole range of an octet, it can be defined with a wildcard as shown below.

nmap 192.168.0.*

Wildcards can be used in more than one octet. In the example below, the entire ranges of the last two octets are scanned.

nmap 192.168.*.*

Hyphens and wildcards can be combined, as in the next example, in which the entire last octet is scanned for 192.168.0.*, 192.168.1.* and 192.168.2.*.

nmap 192.168.0-2.*

If the user only wants to discover live hosts, a ping sweep with Nmap skips the port scan and returns results faster. (-sP is the legacy name of this option; current Nmap versions call it -sn and still accept -sP.)

nmap -sP 186.33.200-220.*
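As an added example (not code from the original article), the following Python expands an Nmap-style target specification (hyphen ranges, * wildcards, or a CIDR block, including the omitted-bound form Nmap accepts) so that the number of addresses a scan will touch, and whether all of them fall inside an authorized range, can be checked before nmap is run. The function names expand_targets, count_targets and out_of_scope are my own.

```python
import ipaddress
import itertools


def _expand_octet(part):
    """Expand one octet of an Nmap target spec ('5', '1-30', '*', '1-3,200') to a list of ints."""
    values = []
    for piece in part.split(","):
        if piece == "*":
            piece = "0-255"          # Nmap treats '*' as the full 0-255 range
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            # Nmap allows an omitted bound: '-30' means 0-30, '200-' means 200-255
            lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 255)
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad octet range: %r" % piece)
        values.extend(range(lo, hi + 1))
    return values


def expand_targets(spec):
    """Yield every IPv4 address covered by a dotted spec (hyphens, wildcards) or a CIDR block."""
    if "/" in spec:
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("expected a dotted-quad spec, got %r" % spec)
    for combo in itertools.product(*(_expand_octet(o) for o in octets)):
        yield ".".join(str(n) for n in combo)


def count_targets(spec):
    """Number of addresses nmap would consider for this spec (worth knowing before a long scan)."""
    return sum(1 for _ in expand_targets(spec))


def out_of_scope(spec, allowed_cidr):
    """Addresses in spec that fall outside the authorized CIDR block (empty list = spec is in scope)."""
    allowed = ipaddress.ip_network(allowed_cidr)
    return [a for a in expand_targets(spec) if ipaddress.ip_address(a) not in allowed]


if __name__ == "__main__":
    for spec in ("192.168.0.1-200", "186.33.200-220.80-120", "192.168.0-2.*", "192.168.0.0/24"):
        print(spec, "->", count_targets(spec), "addresses")
    # A spec that spills past the authorized /24 is flagged before any packet is sent.
    print(len(out_of_scope("192.168.0-2.*", "192.168.0.0/24")), "addresses outside 192.168.0.0/24")
```

Expanding a wide spec such as a whole Class A range materializes millions of strings, so for such specs compare only the counts or the first few results.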

Scanning Targets From a Targets List

Nmap allows users to scan targets defined in a list file. The list can include IP ranges and whole-octet wildcards.

As the reader can see, the list below includes a domain name, an IP address, IP ranges, and a range combined with a wildcard.

The file is named “targets”.

To import the targets from the list, the required Nmap flag is -iL, followed by the list file name.

nmap -iL targets

The --exclude argument allows the user to exclude a target from the list.

In the practical example below, the domain linuxhint.com, which is included in the targets list, is omitted from the scan.

nmap -iL targets --exclude linuxhint.com

Scanning Random Targets With Nmap

The option -iR instructs Nmap to generate random targets (Nmap picks random routable Internet addresses). The user decides how many targets Nmap will generate. To scan 50 random targets, the syntax is:

nmap -iR 50

The user can replace the number 50 with the number of random hosts Nmap should generate.

Using Hyphens to Define Port Ranges

The hyphen is an important character for Nmap users.

This tutorial is also an opportunity to show how hyphens define port ranges.

In the example below, a hyphen is added to define a port range between 20 and 25.

nmap -p 20-25 linuxhint.com

The next example shows that more than one port range can be defined with Nmap.

nmap -p 79-81,20-23 linuxhint.com

The previous section dedicated to IP ranges described how to exclude certain targets from a scan.

The --exclude-ports argument allows the user to exclude ports or port ranges, as shown below.

nmap -p 79-200 linuxhint.com --exclude-ports 100-150

For examples showing how to scan all ports unconditionally or based on specific conditions, we highly recommend reading Scanning all ports with Nmap.

About IP Classes

IPv4 addresses are 32-bit binary numbers divided into 4 sections of 8 bits each, separated by periods, and used to identify networks and hosts. Converting each section from binary to decimal produces the IP format we always see. An example of a decimal IP address would be 172.35.13.76.

When in decimal format, IP addresses consist of 4 numbers ranging from 0 to 255 separated by periods. For example: 240.34.82.213.

Each of those numbers separated by periods is known as an octet. In the previous example, 240 is an octet, 34 is another octet, 82 the third octet, and 213 the last one. Each octet consists of 8 bits (32 in total).

Depending on the IP class, some bits or octets are used to identify a network, while the rest are used to identify the hosts in the network.

The number of octets belonging to the network and to the host varies and is determined by the type of network, or IP class. While there are 5 classes of IP addresses (for the IPv4 protocol only), this tutorial focuses only on classes A, B, and C.

All IP addresses whose first octet goes from 1 to 126 belong to Class A. All IP addresses whose first octet goes from 128 to 191 belong to Class B, and all IP addresses whose first octet goes from 192 to 223 belong to Class C.

Range      Class      Octets
1-126      Class A    X.Y.Y.Y
128-191    Class B    X.X.Y.Y
192-223    Class C    X.X.X.Y

Where X is a network octet and Y a host octet.

Therefore, if your network starts with 192.X.X.X, you have a Class C IP and only the final octet varies to identify each device connected to your network. So, if your network is 192.168.0.X, the first 3 octets remain fixed as the network identifier and only the final octet differs for each device: one may be 192.168.0.3, another 192.168.0.5.

Note: For deeper information on this subject, we recommend reading IP Classes Explained.
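As an added example (not part of the original article), this Python applies the class table above: it classifies an IPv4 address by its first octet, splits it into network and host octets, and builds the equivalent Nmap target specifications (wildcard and CIDR) that cover the whole classful network. The names ip_class and classful_network are my own, and the classful split is assumed exactly as the table states it.

```python
import ipaddress

# Classful ranges from the table above: (first-octet range, class letter, number of network octets)
CLASSES = (
    ((1, 126), "A", 1),
    ((128, 191), "B", 2),
    ((192, 223), "C", 3),
)


def ip_class(addr):
    """Return (class letter, number of network octets) for addr, or None if it is outside classes A-C."""
    first = int(addr.split(".")[0])
    for (lo, hi), letter, net_octets in CLASSES:
        if lo <= first <= hi:
            return letter, net_octets
    return None  # 0, 127 (loopback) and 224+ (classes D/E) are not covered by the table


def classful_network(addr):
    """Split addr into network and host octets and build the Nmap specs covering its classful network."""
    info = ip_class(addr)
    if info is None:
        raise ValueError("%s is not a class A, B or C address" % addr)
    letter, net_octets = info
    octets = addr.split(".")
    network_part = octets[:net_octets]
    host_part = octets[net_octets:]
    # Wildcard form: keep the network octets, replace every host octet with '*'
    wildcard_spec = ".".join(network_part + ["*"] * (4 - net_octets))
    # CIDR form: the classful mask is 8 bits per network octet (/8, /16 or /24)
    cidr = ipaddress.ip_network("%s/%d" % (addr, 8 * net_octets), strict=False)
    return {
        "class": letter,
        "network": ".".join(network_part),
        "host": ".".join(host_part),
        "wildcard": wildcard_spec,
        "cidr": str(cidr),
    }


if __name__ == "__main__":
    for a in ("192.168.0.5", "186.33.10.10", "10.0.0.1"):
        print(a, classful_network(a))
```

Classful addressing is historical; the /24 CIDR example earlier in the article is how real networks are delimited today, so the CIDR spec returned here is only a starting point.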

Conclusion

Nmap is extremely flexible, allowing users to tailor the syntax for custom scans. Defining targets with Nmap is part of the basic knowledge new Nmap users acquire. No advanced knowledge is needed: with a grasp of IP classes and CIDR, users can fully understand this aspect of Nmap.

The instructions described above apply to all Linux distributions and even to Zenmap, the Nmap GUI. Nmap is also available for Unix, Mac and Windows operating systems. Other good alternatives to Nmap you may want to check are OpenVAS, Nexpose, Nikto and SuperScan, which aim to be faster than Nmap but offer far fewer features.

About the author

David Adams

David Adams is a System Admin and writer who focuses on open source technologies, security software, and computer systems.