Query Networks with Nmap
Query network information using Nmap with cnquery
Rely on cnquery to query network information using the Nmap network scanner. Discover open ports, services, and host information across your network infrastructure.
Requirements
To analyze and explore your networks with cnquery and Nmap, you must have:
Scan a network or host
To scan a single host:
cnquery shell nmap 192.168.1.1
To scan a network range using CIDR notation:
cnquery shell nmap 192.168.1.0/24
To scan multiple networks:
cnquery shell nmap --networks 10.0.0.0/8,192.168.0.0/16
Example queries
Once connected, you can query Nmap scan results.
This query retrieves information about all discovered hosts:
cnquery> nmap.network.hosts
nmap.network.hosts: [
0: nmap.host address="192.168.1.1"
1: nmap.host address="192.168.1.100"
...
]
This query retrieves the Nmap version information:
cnquery> nmap.version
nmap.version: {
version: "7.94"
...
}
This query finds all hosts with open SSH ports:
cnquery> nmap.network.hosts.where(ports.one(portId == 22 && state == "open"))
This query lists all open ports across all hosts:
cnquery> nmap.network.hosts { address ports.where(state == "open") { portId protocol service } }
Exit the cnquery shell
To exit the cnquery shell, either press Ctrl + D or type exit.
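Building on the open-ports query above, this added example (not part of the original page and not cnquery's own code) compares discovered open ports with an approved baseline to flag unexpected exposure. The record layout, `BASELINE`, and the function names are assumptions; only the field names (address, ports, portId, protocol, service, state) come from the queries on this page.

```python
# Constructed sample records. The layout is an assumption that reuses the
# field names from the queries on this page; it is not cnquery's export format.
SAMPLE_RESULTS = [
    {"address": "192.168.1.1", "ports": [
        {"portId": 22, "protocol": "tcp", "service": "ssh", "state": "open"},
        {"portId": 443, "protocol": "tcp", "service": "https", "state": "open"},
        {"portId": 23, "protocol": "tcp", "service": "telnet", "state": "closed"}]},
    {"address": "192.168.1.100", "ports": [
        {"portId": 22, "protocol": "tcp", "service": "ssh", "state": "open"},
        {"portId": 3306, "protocol": "tcp", "service": "mysql", "state": "open"}]},
    {"address": "192.168.1.50", "ports": [
        {"portId": 8080, "protocol": "tcp", "service": "http-proxy", "state": "open"}]},
]

# Hypothetical allow-list: address -> set of (protocol, portId) approved to be open.
BASELINE = {
    "192.168.1.1": {("tcp", 22), ("tcp", 443)},
    "192.168.1.100": {("tcp", 22), ("tcp", 443)},
}

def open_ports(host):
    """Return {(protocol, portId): service} for ports whose state is 'open'."""
    return {(p["protocol"], int(p["portId"])): p.get("service", "")
            for p in host.get("ports", [])
            if p.get("state") == "open"}

def unexpected_exposure(hosts, baseline):
    """Open ports that are not approved, as (address, protocol, port, service).
    A host missing from the baseline has every open port flagged."""
    findings = []
    for host in hosts:
        approved = baseline.get(host["address"], set())
        for (proto, port), service in open_ports(host).items():
            if (proto, port) not in approved:
                findings.append((host["address"], proto, port, service))
    return sorted(findings)

def missing_services(hosts, baseline):
    """Approved ports that were not observed open (service down or filtered)."""
    seen = {h["address"]: set(open_ports(h)) for h in hosts}
    return sorted((addr, proto, port)
                  for addr, approved in baseline.items()
                  for proto, port in approved - seen.get(addr, set()))

if __name__ == "__main__":
    for finding in unexpected_exposure(SAMPLE_RESULTS, BASELINE):
        print("UNEXPECTED", *finding)
    for gap in missing_services(SAMPLE_RESULTS, BASELINE):
        print("MISSING", *gap)
```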
Learn more
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the Nmap resources and fields you can query, read the Nmap Resource Pack Reference.