Home page logo

Nmap Announce mailing list archives

Re: Scanning subnets w/CIDR
From: Jeffrey Paul <sneak () datavibe net>
Date: Tue, 14 Mar 2000 23:39:19 -0500

Of course, nmap supports other types of range definitons too...... for instance

to quote the manpage directly:

Everything that isn't an option (or option argument) in nmap is treated as
a  target  host  specification.   The  simplest  case  is  listing  single
hostnames or IP addresses on the command line.  If you want to scan a sub-
net of IP addresses, you can append '/mask' to the hostname or IP address.
mask must be between 0 (scan the whole internet) and 32 (scan  the  single
host  specified).  Use /24 to scan a class 'C' address and /16 for a class

Nmap also has a more powerful  notation  which  lets  you  specify  an  IP
address  using lists/ranges for each element.  Thus you can scan the whole
class   'B'   network   128.210.*.*   by   specifying   '128.210.*.*'   or
'128.210.0-255.0-255' or even '128.210.1-50,51-255.1,2,3,4,5-255'.  And of
course you can use the mask notation:  ''.   These  are  all
equivalent.  If you use astericts ('*'), remember that most shells require
you to escape them with back slashes or protect them with quotes.

Another interesting thing to do is  slice  the  Internet  the  other  way.
Instead of scanning all the hosts in a class 'B', scan '*.*.5.6-7' to scan
every IP address that ends in .5.6 or .5.7  Pick your  own  numbers.


I believe using this kind of address flexibility will deal with almost any kind of scan you would want to do.... and if not, you can always hack up a teeny script to generate what you need, put the ips in a file and use

nmap <options> -iL -

to read lists of hosts/ips to scan from stdin.....


On Tue, 7 Mar 2000, Mark E. Drummond wrote:

 I have a class B net, chopped up into variously sized subnets. Can the "/##"
 an address spec be any sized mask? /22 ? /20 ?

   I've been scanning variably sized subnets w/o any trouble (except when
   I forget and scan the wrong subnet).  /18 /20, etc. is no problem.

 Also, I noticed that nmap will scan the net address and broadcast address
 themselves. Should it not be coded to not scan these? Or perhaps a more
 flexible language for specifying address such as "x.x.x.x/xx EXCEPT x.x.x.x
 ..." ?

   I'd think that you'd be better having it not scan the net & broadcast
   for the specified net mask with an override switch to force the other
   behavior.  It gets the functionality you suggest w/o changing any of
   the language/grammar ... or minimally so.


For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


sneak () datavibe net        -             0xCD91A427
9907 3747 3CE9 11C5 2B1C  F141 D09F 488C CD91 A427
Note: key id 0x299450B6 is lost and inactive.
Copyright 2000 Jeffrey Paul.
The information contained in this message may be
privileged and confidential and protected from
disclosure.  If the reader of this message is not
the intended recipient, or an employee or agent
responsible for delivering this message to the
intended recipient, you are hereby notified that
any dissemination, distribution or copying of this
communication is strictly prohibited.  Thank you.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]