Home page logo
/

nmap-dev logo Nmap Development mailing list archives

feature suggestion: host-level parallelism
From: Florin Andrei <florin () sgi com>
Date: 22 Nov 2002 13:14:00 -0800

I'm running this nmap command on a /24 network:

nmap -sT -p 1-65535 -P0 -R

nmap seems to scan hosts one by one. This is fine when firewalls just
REJECT packets, but it's not fine when they DROP packets (i'm using the
iptables jargon). In the latter case, basically the hosts for which the
packets are dropped act essentially like tarpits (teergrube), slowing
down the whole process. 
I would suggest implementing some degree of host parallelism into nmap
for when TCP (or UDP) scanning targets larger than /32. I am aware of
the fact that nmap already has port-level parallelism, and i appreciate
that.
I can't seem to find any switch to enable host-level parallelism for
this type of scan (TCP scan, no pings).

I think nmap relies on ping probes to fake host-level parallelism for
TCP scans (ICMP- or TCP-ping it before, an don't scan if it doesn't
answer). If that's true, then it's not enough; some degree of proper
host-level parallelism should be implemented purely for the TCP scans,
otherwise you could either miss hosts (if you enable pinging before the
actual scan and you happen to ping a port that's filtered out) or get a
very slow scan on "tarpitted" networks (if you disable pinging).

Right now i'm implementing a scripting wrapper to enable host-level
parallelism: 
- launch a controlled number of nmap processes 
- periodically test to see how many of them completed the task 
- launch new processes to replace the ones who completed 
- repeat until exhaust the entire target address space 
But that's fairly complex and not pretty at all, not to mention that i
loose the ability to get all results in a single file (well, yeah, i
could do some tweaking for that, but...). 
nmap could achieve the same thing (in theory) in a single process,
without the mentioned disadvantages. 

Of course, one could just launch one nmap process for each address, all
at once in a loop without pause, but sometimes when doing that even a
/24 network could bring down a machine. ;-) 

-- 
Florin Andrei

It's ok to use the names of your pets or children as passwords
as long as they contain several non-alphanumeric characters.


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).



  By Date           By Thread  

Current thread:
  • feature suggestion: host-level parallelism Florin Andrei (Nov 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]