Specifying Targets to Scan

As mentioned earlier, the only argument that is required by any of our scanners is which host or hosts to scan. All other options assume reasonable default configurations, but there is no such thing as a default host.

There are three ways to specify the target(s) of a scan:

Single host

All three tools let you specify a single IP address or domain name to instruct the scanner to perform a scan of that single host—for example, 1.2.3.4 or www.somedomain.com.

Classless Inter-Domain Routing (CIDR) notation

CIDR notation lets you specify an IP address or domain name followed by a forward-slash (/) character and the number of bits in the subnet mask. For example, to scan the class C (256 addresses) network around 10.0.0.1, you would type 10.0.0.1/24. Class B (65535 addresses) networks are represented by /16, class A (16 million addresses) by /8, and so on.

IP address ranges

By far the most flexible way to specify scan targets is to use the IP address range notation. This style lets you enter comma-separated IP addresses and IP address ranges into each octet of the target. For example, to scan all (valid) IP addresses in the class C network around 10.0.0.1, you would type 10.0.0.1-254. This is roughly equivalent to the CIDR notation /24, but is slightly superior since 10.0.0.0 and 10.0.0.255 aren't valid IP addresses to scan, yet are included in the CIDR notation. The IP range notation allows you to express complex target lists that are impossible with CIDR notation, such as:

10.1,3,5,7,9.50-100,150-200.1-5,250-254

Tip

IP address ranges can come in handy for doing specialized scans of large networks. For example, the 10.0.0.0/8 network is commonly used on the inside of a NAT device (see Network Address Translation). In a large network this will likely be subdivided into smaller subnets, each with its own router. It is common practice for routers to be given an IP address at the beginning or end of a subnet range (for example, 10.5.5.1 or 10.5.5.254). To quickly scan the entire 10.0.0.0/8 network for routers that use BGP (a common router protocol that uses port 179), you could use:

nmap -p 179 10.0-254.0-254.1,254
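As an added example (not from the original text), the following Python sketch expands the octet range notation described above, so you can count the addresses a specification covers and confirm that it stays inside an authorized network before handing it to a scanner. The function names are assumptions of this example, and it handles only numeric four-octet IPv4 specifications in which both ends of every range are given.

```python
import ipaddress
from itertools import product
from math import prod

def parse_octet(field):
    """Expand one octet field, e.g. '50-100,150-200', into a sorted list."""
    values = set()
    for part in field.split(","):
        lo, sep, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if sep else lo      # a bare number is a one-element range
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)

def octets(spec):
    """Split a four-octet range specification into per-octet value lists."""
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octets: {spec!r}")
    return [parse_octet(f) for f in fields]

def count(spec):
    """Number of addresses covered, computed without enumerating them."""
    return prod(len(o) for o in octets(spec))

def addresses(spec):
    """Lazily yield every address the specification covers."""
    for quad in product(*octets(spec)):
        yield ipaddress.IPv4Address(".".join(map(str, quad)))

def outside_scope(spec, cidr):
    """Addresses in the specification that fall outside the network `cidr`."""
    net = ipaddress.ip_network(cidr)
    return [ip for ip in addresses(spec) if ip not in net]

if __name__ == "__main__":
    # The three specifications below are the ones quoted in the text.
    print(count("10.0.0.1-254"))                              # 254
    print(count("10.1,3,5,7,9.50-100,150-200.1-5,250-254"))   # 5100
    print(count("10.0-254.0-254.1,254"))                      # 130050
    net24 = set(ipaddress.ip_network("10.0.0.0/24"))
    print(sorted(net24 - set(addresses("10.0.0.1-254"))))     # .0 and .255 only
    # Constructed example: a range that spills past an authorized /24.
    print(outside_scope("10.0.0-1.1", "10.0.0.0/24"))         # [10.0.1.1]
```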

Unfortunately, our scanners don't necessarily accept all three target-specification methods. Nmap, the reigning feature champion, accepts all three styles and even allows for multiple target specifications to appear on the command line. Unicornscan supports only single hosts and CIDR notation. Scanrand, on the other hand, allows only for single hosts or one IP address range specification.