CHAPTER 5: HOST AND PORT OPTIONS
Nmap includes many options related to the IP addresses and port numbers that will be used during the scan. These option parameters range from excluding particular IP addresses from the scan to creating fake decoys that traverse the network! With these many host and port options, nmap can be customized to create the perfect scanning environment.
Exclude Targets (--exclude <host1 [,host2] [,host3]...>)
The –-exclude option provides nmap with a list of IP addresses that will be avoided when performing a scan.
This is useful for performing a scan on a subnet of devices while avoiding the scanning of routers or production servers. For example, the command:
nmap –sS 192.168.0.1/24 –-exclude 192.168.0.2-4, 192.168.0.77will run nmap's TCP SYN scan (-sS) to the range of IP addresses at 192.168.0.0 through 192.168.0.255 (192.168.0.1/24), while excluding the devices at 192.168.0.2, 192.168.0.3, 192.168.0.4, and 192.168.0.77.
The list of IP addresses associated with the –-exclude option should be separated by commas. The excluded hosts can be identified with wildcards, subnet values, or any other standard nmap reference. Refer to the "Nmap Target Specifications" section for more information on IP address specifications.
The –-exclude option cannot be used in conjunction with the --excludefile option. It's one or the other, but not both.
The nmap 3.81 man page shows a quotation symbol (") at the end of the hostname elements description. Quotation marks are usually used in pairs on the command line to prevent special character interpretation, but this isn't the case with the –-exclude option. These quotation marks are probably an unintended typographical error.
Exclude Targets in File (--excludefile <exclude_file>)
The --excludefile option is similar to the –-exclude option, except the addresses to be excluded are listed in a file. The target address exclusions should be listed with one address per line, and the exclusion lines cannot be separated with spaces or tabs. Unlike the "read targets from file" option (-iL), the --excludefile option will only accept one exclusion parameter per line.
Multiple IP addresses can be defined on each line using nmap's host specification parameters. For example, the following IP address specification will exclude all hosts between 192.168.0.1 and 192.168.0.7, 192.168.0.10, and all hosts between 192.168.1.0 and 192.168.1.255.
192.168.0.1-7 192.168.0.10 192.168.1.*
The exclusion file can include IP addresses that aren't necessarily part of the current scan. Therefore, a single exclude file could be used for all nmap scans regardless of the IP addresses on the nmap command line. If there are certain systems that should never be scanned (DNS servers, file servers, telephone switches, etc.), they can be added to a 'permanent' exclude file that can be used for all nmap scans.
The –-excludefile option cannot be used on the same nmap command line as the --exclude option. Only one of these options can provide the primary exclusion list for the nmap scan.
The –iL option reads target IP address from a specified filename. If the target addresses are piped into nmap from another process, the single hypen (-) can be used to specify the standard input (stdin) instead of a filename.
Because of the flexibility required to receive input from another process, the –iL option is more adaptable than nmap's exclusion options. Included addresses can be separated by tabs, spaces, or by separate lines.
When this option is used, the filename is the only valid input. If any additional host addresses are included on the command line, they will be ignored without any warning message.
If the host exclusion options (--exclude or --excludefile) are used in conjunction with the –iL option, the excluded addresses will override any inclusions on the command line or file.
Pick Random Numbers for Targets (-iR <num hosts>)
This option chooses completely random destination addresses as the nmap scan input. These random values do not consider any of the filename options for including or excluding host addresses (-iL and –-excludefile, respectively), and the –-exclude option is also ignored. If a series of target addresses needs to be randomly scanned, the --randomize_hosts option should be used in conjunction with a series of include and exclude options instead of using the –iR option.
The –iR option requires a quantity of random IP addresses that will be used for this nmap scan. If a quantity of hosts is not specified, the nmap scan aborts with this message:
ERROR: -iR argument must be the maximum number of random IPs you wish to scan (use 0 for unlimited) QUITTING!As this message shows, specifying zero (0) hosts will run an unlimited number of random addresses through the nmap scan. The nmap man page has a good example of using this feature to find a random web server:
# nmap –sS –PS80 –iR 0 –p 80This example runs a TCP SYN scan (-sS) using a SYN ping on port 80 (-PS80) to an unlimited number of random IP addresses (-iR 0). The SYN scan only scans port 80 (-p 80).
This scan won't begin to report any results until 500 hosts are identified. The –-debug or --packet_trace options can be used to watch nmap working, but take care not to miss the IP address listing when nmap hits the 500 mark! It may be helpful to run this type of scan in conjunction with one of nmap's logging options.
Randomize Hosts (--randomize_hosts, -rH)
The –-randomize_hosts option rearranges the group of hosts in an nmap scan. Groups of 2,048 hosts at a time are randomly chosen, making the entire scan less conspicuous when examining traffic patterns.
The –rH abbreviation is an undocumented alias for the –-randomize_hosts option.