Re: Advice on Fastest NMAP Scan

From: Fyodor (fyodor_at_insecure.org)
Date: 10/27/04

    Date: Tue, 26 Oct 2004 16:05:57 -0700
    To: "Mogren, Jack L." <mogren@mayo.edu>

    On Tue, Oct 26, 2004 at 09:58:50AM -0500, Mogren, Jack L. wrote:
    >
    > Here's what I've come up with so far.
    >
    > nmap -O -T4 -PE -F --osscan_limit -oX /home/security/test.xml -iL /home/security/ip_addresses.txt
    >
    > Any comments or suggestions?

    First off, make sure that you are using Nmap 3.75. Nmap 3.70 included
    a complete port scan engine rewrite for better performance (among
    other advantages) and then 3.75 tweaked it to be even better. You can
    obtain Nmap 3.75 from http://www.insecure.org/nmap .

    Since you know your network, you may be able to help Nmap by setting a
    maximum retransmission timeout. Are you scanning over multiple
    continents, or just a local network? If you can assume that responses
    won't take more than 100ms, add --max_rtt_timeout 100 for a big speed
    boost. Also, use a large host group such as --min_hostgroup 128 so
    that many hosts are scanned in parallel. Play with the numbers a bit
    to figure out what works best on your particular network. You could
    also consider a custom nmap-services file with just a couple hundred
    of the most common TCP ports. Even the -F option still scans more
    than 1200 ports by default.

    I would be interested to hear how it goes. If you find that it is too
    slow for your needs, let me know. I am working on a performance
    chapter of my upcoming O'Reilly Nmap book, so I have studied several
    such large network situations. A class B and several class C's
    shouldn't be any problem at all for regular scanning. Your "entire
    private address space" may take a while, depending on your setup.
    Scanning 10.0.0.0/8 is 16 million IPs, so don't expect it to complete
    during lunch. Some of the tools that claim incredible speeds don't
    even handle retransmissions or other reliability requirements.

    I hope this helps,
    Fyodor
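One way to build the trimmed nmap-services file suggested above, as an added example that is not part of the original post: it assumes the "name port/proto [frequency] # comment" line format, and that your Nmap release will load the copy via --datadir or the NMAPDIR environment variable.

```python
import re
from typing import Iterable, List, Optional

# One nmap-services entry: "name port/proto [open-frequency] [# comment]".
# The frequency column appeared in later Nmap releases; 3.75-era files lack it.
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp|sctp)(?:\s+([0-9.]+))?")

def trim_services(text: str, keep: int,
                  ranked_ports: Optional[Iterable[int]] = None) -> List[str]:
    """Return the nmap-services lines for the `keep` most common TCP ports.

    Ranks by the file's own frequency column when every TCP entry has one,
    otherwise by `ranked_ports` (most common first), which must then be given.
    Non-TCP entries are dropped: the trimmed file is meant for TCP scans only.
    """
    entries = []  # (port, frequency or None, original line)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group(3) != "tcp":
            continue
        freq = float(m.group(4)) if m.group(4) else None
        entries.append((int(m.group(2)), freq, line))
    if ranked_ports is not None:
        rank = {port: i for i, port in enumerate(ranked_ports)}
        chosen = sorted((e for e in entries if e[0] in rank), key=lambda e: rank[e[0]])
    elif entries and all(e[1] is not None for e in entries):
        chosen = sorted(entries, key=lambda e: -e[1])
    else:
        raise ValueError("file has no frequency column; pass ranked_ports")
    # Emit in port order so the trimmed file stays easy to read and diff.
    return [e[2] for e in sorted(chosen[:keep], key=lambda e: e[0])]

# Constructed samples, not real nmap-services contents.
SAMPLE_OLD = """\
# 3.75-era format: no frequency column
ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
domain 53/udp
http 80/tcp
https 443/tcp
"""
SAMPLE_NEW = """\
# later format with an open-frequency column (values made up)
ssh 22/tcp 0.182286
telnet 23/tcp 0.221265
domain 53/udp 0.213496
http 80/tcp 0.484143
pop3 110/tcp 0.077142
https 443/tcp 0.208669
"""
```

Write the returned lines to a file named nmap-services in a directory of your own and point Nmap at that directory; a scan without -p then touches only those ports.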

