Nmap’s CIDR scanning isn’t just a shortcut; it’s a fundamental shift in how you think about network enumeration, allowing you to treat entire IP ranges as single, cohesive entities rather than a collection of individual hosts.

Let’s see what this looks like in practice. Imagine you need to scan a small, local subnet, say 192.168.1.0/24. You could manually list out every IP: nmap 192.168.1.1 192.168.1.2 192.168.1.3 ... 192.168.1.254. That’s tedious and error-prone. Instead, Nmap lets you specify the entire range with CIDR notation:

nmap -sn 192.168.1.0/24

The -sn flag tells Nmap to perform a "ping scan" – it just checks if hosts are up, without attempting any port scans. This is incredibly efficient for initial discovery. Nmap internally parses 192.168.1.0/24 and understands that it needs to probe every IP address from 192.168.1.0 to 192.168.1.255. The output will be a list of responding IPs:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0050s latency).
Nmap scan report for 192.168.1.25
Host is up (0.0015s latency).
...
Nmap done: 256 IP addresses (3 hosts up) scanned in 5.12 seconds

This is the core of CIDR scanning: abstracting individual IPs into a network block. Nmap doesn’t just accept /24; it understands the full spectrum of CIDR notation, from /31 (two IPs) to /0 (the entire IPv4 internet, though practically limited by your network’s routing).

The problem this solves is the sheer scale of modern networks. Manually enumerating even a small /24 subnet is impractical. CIDR notation, borrowed from IP routing, provides a concise and standardized way to represent contiguous blocks of IP addresses. Nmap leverages this to perform scans with minimal input.

Internally, Nmap takes the CIDR block and generates a list of all possible IP addresses within that range. It then queues these IPs for scanning using the specified Nmap options. The efficiency comes from Nmap’s ability to manage these requests concurrently and its optimized scanning techniques for large IP sets.

The key levers you control are the CIDR block itself and the Nmap scan options you combine with it. Want to find all web servers on a subnet?

nmap -p 80,443 --open 192.168.1.0/24

Here, -p 80,443 targets the HTTP and HTTPS ports, and --open shows only hosts where at least one of those ports is open. This command will scan all 256 IPs in the /24 for open web ports.

The power of CIDR scanning becomes even more apparent when dealing with larger ranges. If you need to scan the entire 10.0.0.0/8 block (which is over 16 million IPs), you wouldn’t do it with individual IPs. You’d use CIDR:

nmap -sL 10.0.0.0/8

The -sL flag performs a "list scan," which simply lists all the IPs Nmap would scan without actually sending any packets. This is useful for understanding the scope of a large CIDR block before committing to a full scan.

What many people don’t realize is that Nmap doesn’t just accept standard IPv4 CIDR. It also supports IPv6 CIDR notation, allowing you to perform the same efficient subnet scanning for your IPv6 networks. For example, to scan the IPv6 subnet 2001:db8::/64:

nmap -6 -sn 2001:db8::/64

The -6 flag explicitly tells Nmap to use IPv6. The CIDR notation /64 works identically to its IPv4 counterpart, representing a contiguous block of 2^64 addresses. That is far too many to sweep exhaustively, so in practice IPv6 discovery is run against narrower prefixes or a list of known addresses rather than a whole /64.
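The parsing described above (expanding a /24 into its 256 addresses, the -sL list scan, and the size of an IPv6 /64) as an added Python example, not code from Nmap or from this page: it does the CIDR mask arithmetic by hand, reports the bounds and size of a block for both IPv4 and IPv6, and refuses to enumerate anything larger than an assumed MAX_EXPAND limit, so a /8 or a /64 is sized rather than listed.

```python
import ipaddress
from typing import List, Tuple

# Upper bound on how many addresses expand() will materialise. Larger blocks
# (a /8, an IPv6 /64) are only counted, never enumerated. The limit is an
# assumption of this example, not an Nmap setting.
MAX_EXPAND = 1 << 16

def parse_cidr(block: str) -> Tuple[int, int, int]:
    """Return (network_int, prefix_len, address_bits) for 'addr/prefix'.

    The mask arithmetic is written out to show what the notation means:
    the top `prefix_len` bits identify the network, the rest enumerate hosts.
    """
    addr_text, _, prefix_text = block.partition("/")
    addr = ipaddress.ip_address(addr_text)          # validates v4 or v6 syntax
    bits = addr.max_prefixlen                       # 32 for IPv4, 128 for IPv6
    prefix_len = bits if prefix_text == "" else int(prefix_text)  # bare host
    if not 0 <= prefix_len <= bits:
        raise ValueError(f"prefix /{prefix_len} is invalid for {addr_text}")
    all_ones = (1 << bits) - 1
    mask = (all_ones << (bits - prefix_len)) & all_ones
    # Host bits in the written address are ignored: 192.168.1.77/24 names
    # the same block as 192.168.1.0/24, just as Nmap treats it.
    return int(addr) & mask, prefix_len, bits

def _fmt(value: int, bits: int) -> str:
    cls = ipaddress.IPv4Address if bits == 32 else ipaddress.IPv6Address
    return str(cls(value))

def address_count(block: str) -> int:
    """Addresses in the block: 2 ** host_bits (256 for a /24, 2 ** 64 for a /64)."""
    _, prefix_len, bits = parse_cidr(block)
    return 1 << (bits - prefix_len)

def cidr_bounds(block: str) -> Tuple[str, str]:
    """First and last address, the way Nmap sweeps them (a /24 includes .0 and .255)."""
    network, prefix_len, bits = parse_cidr(block)
    return _fmt(network, bits), _fmt(network | ((1 << (bits - prefix_len)) - 1), bits)

def expand(block: str) -> List[str]:
    """Enumerate every address, like `nmap -sL`, but only for blocks up to MAX_EXPAND."""
    network, _, bits = parse_cidr(block)
    count = address_count(block)
    if count > MAX_EXPAND:
        raise ValueError(f"{block} holds {count} addresses; refusing to list more than {MAX_EXPAND}")
    return [_fmt(network + offset, bits) for offset in range(count)]
```

Running address_count before a scan gives the same scope check as -sL without generating any output, which matters when the block is a /8 or an IPv6 /64.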

Once you’ve mastered CIDR scanning, the next logical step is understanding how Nmap’s timing and performance options interact with large-scale scans.
