Scan Targets

In Tenable.io, you can use a number of different formats when specifying targets for a scan. The following tables contain target formats, examples, and a short explanation of what occurs when Tenable.io scans that target type.

Note: For previously scanned assets, you can configure scan targets based on host attributes like operating system or installed software, instead of host identifiers like IP address.

Note: AWS Pre-authorized scanners do not scan the T3.nano, T2.nano, T1.micro, or M1.small targets. For more information, see the AWS Penetration Testing documentation. Additionally, for more information about Pre-Authorized scan targets in Tenable.io, see Basic Settings.

Tip: If a hostname target looks like either a link6 target (start with the text "link6") or one of the two IPv6 range forms, put single quotes around the target to ensure that Tenable.io processes it as a hostname.

Target Description

Example

Explanation

A single IPv4 address

192.168.0.1

Scans the single IPv4 address.

A single IPv6 address

2001:db8::2120:17ff:fe56:333b

Scans the single IPv6 address.

A single link local IPv6 address with a scope identifier

fe80:0:0:0:216:cbff:fe92:88d0%eth0

Scans the single IPv6 address. Note that you must use interface indexes, not interface names, for the scope identifier on Windows platforms.

An IPv4 range with a start and end address

192.168.0.1-192.168.0.255

Scans all IPv4 addresses between the start address and end address, including both addresses.

An IPv4 address with one or more octets replaced with numeric ranges

192.168.0-1.3-5

Scans all combinations of the values given in the octet ranges. In this example, scans: 192.168.0.3, 192.168.0.4, 192.168.0.5, 192.168.1.3, 192.168.1.4 and 192.168.1.5

An IPv4 subnet with CIDR notation

192.168.0.0/24

Scans all addresses within the specified subnet. The address given is not the start address. Specifying any address within the subnet with the same CIDR scans the same set of hosts.

An IPv4 subnet with netmask notation

192.168.0.0/255.255.255.128

Scans all addresses within the specified subnet. The address is not a start address. Specifying any address within the subnet with the same netmask scans the same hosts.

A host resolvable to either an IPv4 or an IPv6 address

www.yourdomain.com

Scans the single host.

If Tenable.io can resolve the hostname to multiple addresses, Tenable.io scans the first resolved IPv4 address or, if Tenable.io cannot resolve an IPv4 address, the first resolved IPv6 address.

A host resolvable to an IPv4 address with CIDR notation

www.yourdomain.com/24

Resolves the hostname to an IPv4 address, then scans all addresses within the specified subnet.

Tenable.io treats this format like any other IPv4 address with CIDR notation.

A host resolvable to an IPv4 address with netmask notation

www.yourdomain.com/255.255.252.0

Resolves the hostname to an IPv4 address, then scans all addresses within the specified subnet.

Tenable.io treats this format like any other IPv4 address with netmask notation.

The text 'link6' optionally followed by an IPv6 scope identifier

link6 or link6%16

Scans all hosts that respond to multicast ICMPv6 echo requests sent out on the interface specified by the scope identifier to the ff02::1 address. If no IPv6 scope identifier is given, the requests are sent out on all interfaces. Note that you must use interface indexes, not interface names, for the scope identifier on Windows platforms.

Some text with either a single IPv4 or IPv6 address within square brackets

"Test Host 1[10.0.1.1]" or "Test Host 2[2001:db8::abcd]"

Scans the IPv4 or IPv6 address within the brackets, like a normal single target.