Day19-Scanning-Multiple-Targets-and-Ranges

Day 19 - Scanning Multiple Targets and Ranges

Day Overview

Welcome to Day 19! Today you will learn how to scan multiple targets and ranges in a safe, beginner-friendly, and repeatable way. This lesson builds on the previous two days:

Day 17: Output formats and parsing (grepable and XML)
Day 18: Automation with shell scripts
Day 19: Multi-target and range scanning for real networks

Learning Objectives

By completing Day 19, you will be able to:

Scan multiple hosts in one command
Use CIDR ranges, hyphen ranges, and target lists
Exclude sensitive hosts and reduce scope errors
Control scan speed and order for large ranges
Combine multi-target scans with output parsing and automation

Before You Start

Prerequisites

Nmap installed and working
You have permission to scan the target network
You understand basic scanning options from Days 1-18

Quick Safety Reminder

Only scan systems you own or have explicit authorization to test. Large scans can affect performance, so start small and go slow.

How Multi-Target Scanning Works

Nmap accepts many target formats in a single command:

Single IP: 192.168.1.10
Multiple IPs: 192.168.1.10 192.168.1.11
CIDR ranges: 192.168.1.0/24
Hyphen ranges: 192.168.1.10-50
DNS names: server1.example.com
Target lists: -iL targets.txt

Day 17 Recap: Why Output Formats Matter

When scanning many targets, you must save structured output for review and automation. The most useful formats:

Normal: human readable
Grepable (-oG): quick parsing for scripts
XML (-oX): structured data for tooling
All formats (-oA): best practice for automation

Example:

nmap -sV -oA outputs/multi-scan 192.168.1.0/24

Day 18 Recap: Why Automation Helps

Multi-target scans are repetitive. Automating them reduces mistakes. A simple script can:

Read targets from a file
Run consistent scan options
Store outputs in dated folders
Parse results automatically

Day 19 Core Skill: Multi-Target Scanning

Below are the most common ways to scan multiple targets.

1. Scan Multiple IPs in One Command

nmap -sV 192.168.1.10 192.168.1.11 192.168.1.12

Use this for a small number of known hosts.

2. Scan a Hyphen Range

nmap -sV 192.168.1.10-50

This scans 41 hosts from 10 to 50.

3. Scan a CIDR Range

nmap -sV 192.168.1.0/24

A /24 includes 256 IPs (0-255).

4. Scan Multiple Ranges Together

nmap -sV 192.168.1.0/24 192.168.2.0/24

This is useful for separate subnets.

5. Scan Using a Target List

Create targets.txt with one host per line:

192.168.1.10
192.168.1.20
server1.example.com

Run:

nmap -sV -iL targets.txt

Excluding Targets Safely

Exclude sensitive or out-of-scope systems:

nmap -sV 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.10

Use an exclude file for larger lists:

nmap -sV 192.168.1.0/24 --excludefile exclude.txt

Listing Targets Without Scanning

To verify scope before scanning:

nmap -sL 192.168.1.0/29

This prints the target list but does not send packets.

Discover Live Hosts First

If you have a large range, find live hosts first:

nmap -sn 192.168.1.0/24 -oA outputs/ping-sweep

Then scan only live hosts:

awk '/Up$/{print $2}' outputs/ping-sweep.gnmap > outputs/alive.txt
nmap -sV -iL outputs/alive.txt -oA outputs/service-scan

Ordering and Randomization

Large scans can trigger alerts if done in order. Use randomization to reduce patterns:

nmap -sV 192.168.1.0/24 --randomize-hosts

Controlling Scan Speed

Large ranges need careful speed control.

nmap -sV 192.168.1.0/24 -T3 --max-rate 100

Slow down if the network is sensitive.

Combining Targets and Ports

Scan common ports across many hosts:

nmap -p 22,80,443 192.168.1.0/24

Fast scan for a quick check:

nmap -F 192.168.1.0/24

Output Management for Multi-Target Scans

Always use -oA to keep results organized:

nmap -sV -oA outputs/multi-20260206 192.168.1.0/24

Create date-based folders for weekly scans:

RUN_DIR="outputs/$(date +%Y%m%d)"
mkdir -p "$RUN_DIR"
nmap -sV -oA "$RUN_DIR/weekly" 192.168.1.0/24

Parsing Results (Day 17 Skills Applied)

Extract hosts with open ports:

grep "/open/" outputs/multi-20260206.gnmap

Count open ports per host:

awk '/open/{print $2}' outputs/multi-20260206.gnmap | sort | uniq -c

Generate a diff between two scans:

ndiff outputs/scan-old.xml outputs/scan-new.xml > outputs/diff.txt

Automation Example (Day 18 Skills Applied)

A simple script that reads targets and saves output:

#!/usr/bin/env bash
set -euo pipefail
TARGET_FILE="${1:-targets.txt}"
RUN_DIR="outputs/$(date +%Y%m%d-%H%M%S)"
mkdir -p "$RUN_DIR"
nmap -sV -iL "$TARGET_FILE" -oA "$RUN_DIR/multi"

Common Mistakes and How to Avoid Them

Forgetting -iL when using a target file
Scanning the wrong subnet due to a typo
Not excluding out-of-scope IPs
Running a full port scan on a very large range too quickly

Mini Glossary

CIDR: A way to define IP ranges (example: /24)
Target list: A file with one host per line
Exclude list: Hosts you do not want to scan
Ping sweep: A discovery scan for live hosts

Step-by-Step Lab: Small Office Network

This lab shows how to scan a small /29 range (8 IPs).

Step 1: List Targets

nmap -sL 192.168.1.0/29

Step 2: Find Live Hosts

nmap -sn 192.168.1.0/29 -oA outputs/lab-ping

Step 3: Scan Live Hosts

awk '/Up$/{print $2}' outputs/lab-ping.gnmap > outputs/lab-alive.txt
nmap -sV -iL outputs/lab-alive.txt -oA outputs/lab-services

Step 4: Review Results

grep "/open/" outputs/lab-services.gnmap

Large Range Strategy

When scanning a /16 or bigger, reduce scope risk:

Confirm authorization for each subnet
Run discovery first
Scan only live hosts
Use safe timing options

Targeting with DNS Names

You can mix IPs and DNS names:

nmap -sV server1.example.com 10.0.0.5 10.0.0.10

Be aware of DNS resolution delays for large lists.

Controlling DNS Resolution

Disable DNS to speed up scanning:

nmap -n 192.168.1.0/24

Enable reverse DNS if needed:

nmap -R 192.168.1.0/24

Selecting Port Ranges

Common options:

-F for top 100 ports
--top-ports 1000 for top 1000
-p 1-1000 for a defined range
-p- for all 65535 ports (slow)

Example: Balanced Multi-Target Scan

nmap -sV -T3 --max-rate 200 --top-ports 100 192.168.1.0/24 -oA outputs/balanced

Example: Quick Audit for Web Servers

nmap -p 80,443,8080,8443 -sV --script http-title 192.168.1.0/24 -oA outputs/web-audit

Example: Inventory Scan with OS Detection

sudo nmap -O -sV 192.168.1.0/24 -oA outputs/inventory

Use only when you have permission and know it is safe.

Handling Mixed Target Types

You can mix ranges and files:

nmap -sV 192.168.1.0/24 -iL targets.txt -oA outputs/mixed

Nmap will scan the union of all targets.

Using `--exclude` with Mixed Targets

nmap -sV 192.168.1.0/24 -iL targets.txt --exclude 192.168.1.1,192.168.1.2

Using `--excludefile` with Mixed Targets

nmap -sV 192.168.1.0/24 -iL targets.txt --excludefile exclude.txt

Performance Tips for Beginners

Start with -sn for discovery
Use -T2 or -T3 to avoid network stress
Avoid -p- on large ranges at first
Use -n to avoid DNS delays

Ethics and Compliance

Always confirm authorization
Stay inside defined scope
Document what you scanned and when
Share results responsibly

Beginner-Friendly Checklists

Pre-Scan Checklist

I have written permission to scan
I confirmed the target range
I know which ports I will scan
I created an output folder
I will start with a discovery scan

Post-Scan Checklist

I saved output files
I reviewed open ports
I documented unusual services
I stored results in the correct folder
I cleaned up temporary lists

Extended Practice Section

Below are many small drills. They repeat the same patterns so you can build muscle memory. Use your lab environment and adjust IPs as needed.