Re: faster scans? (nmap)

From: Yann Berthier (
Date: 06/03/02

Date: Mon, 3 Jun 2002 22:27:20 +0200
From: Yann Berthier <>

On Mon, 03 Jun 2002, Steve Maks wrote:

   [context lost thanks to top-posting :p]

> Take a look at the rtt options in nmap (min/max/initial_rtt_timeout), it's
> pretty much required to modify them when you are scanning hosts with -P0.
> Depending on your connection and the target's connection, you can greatly
> improve the scan speed.

   Yes, but one has to keep in mind it depends a lot of the network
   lossage: we have seen very unreliable results with nmap - on
   unreliable networks that is, but when doing a pentest, we can't
   refuse customers because they have bad connectivity, can we ? :)
   So back to the subject: scanning large networks is a real problem as
   a pentester. It can take several nmap runs to adjust the rtt
   according to the lossage, and to have the more accurate snapshot of
   the tested network. And then we need to:

   . scan again with fixed source ports
   . scan once more while playing with the ttl

   All of this is very time consuming, and there is no handy solution I
   know. I think we need new paradigms here (yes, no less), but I'm sure
   some of you have already thought about this ...
   <sci-fi on>

   Imagine now an ipv6 world where /48 networks at least are the norm

   </sci-fi on>

   - yann.

-- -*- HSC -*-

---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: