On Tue, 20 Dec 2005 at 12:44, Andreas Ericsson wrote:
|Ricardo A. Reis wrote:
|>
|>>I would recommend that you find a better way of narrowing down the machines
|>>you have. For example, can you simply do a list scan of the machines on your
|>>network and then grep/awk for the appropriate entries to place into a hosts
|>>file which you can pass into nmap with -iL ...
|>
|> I also use -P0 because the XP firewall blocks ICMP; with this the scan is
|> slower.
|
|OTOH, if you don't send PING and scan 62000 hosts that just aren't there
|you'll end up sending a minimum of 62000 * 65535 packets that won't ever
|get a response. Needless to say, this is a big, fat waste of time.

It is a waste of time to use the ping test when the target host is
actually down. It is also a waste of time to use the ping test against
targets (e.g. default XP SP2) that you know will not respond to your ping,
which happens to be the increasing majority of hosts, at least in my
environment. Given my needs and those considerations, the ping test is
flawed and is not used.

At my University one of the services we offer includes a weekly scan of
all devices on the network at the time of the scan. I found out the hard
way about various pitfalls associated with scanning several /16s and more,
hoping a full TCP scan of ~60,000 responsive devices would finish in 24
hours or less.

One approach I have taken is to use -P0 to skip the ping test. Instead
what I do is dump the ARP cache from our routers and then scan only those
devices that are known to have talked on the network. Thanks to the
proliferation of worms and virii attempting to spread all over the place
there is slim chance that devices of the lowest common denominator will
not have their IP and MAC in the router's ARP cache when they're on the
network (i.e. a machine powered on and connected to the network is likely
going to have talked on the network since the last time the ARP cache was
cleared).

This approach allows me to scan all those devices I know to be on the
network at the time of scanning, and no "Is the host up?" test is
necessary. This process change alone dramatically increased overall scan
performance. Of course mass parallelization and option tweaking have
helped too.

I still haven't had a chance to deploy 3.96BETA1 (just started testing
Friday) but Thank You!! Fyodor and Martin for the continued optimization,
including the new max retransmit option (no more modding scan_engine.cc
before compiling!), and for the rate limit patch, respectively. When you
know you're on a low latency network and have specific expectations of
network performance, it is very nice to be able to dramatically reduce the
max number of retransmits (not to mention host timeouts, etc).

_____________________________________________________
Michael Hornung Computing & Communications
hornung_at_washington.edu University of Washington
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Jan 07 2006
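The ARP-cache approach described in the message above, as an added example that is not part of the original post or of nmap: parse a router ARP dump (a constructed sample laid out like Cisco IOS "show ip arp" output; the helper names, the 10.10.0.0/16 scope and the gateway exclusion are assumptions), drop Incomplete entries and addresses outside the scanned ranges, and write the survivors as a target list for nmap -iL so no "Is the host up?" test is needed.

```python
import ipaddress
import re

# Constructed sample in the layout of Cisco IOS "show ip arp" output (not real data).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.10              5   0011.2233.4455  ARPA   Vlan10
Internet  10.10.1.1               -   0011.2233.0001  ARPA   Vlan10
Internet  10.10.1.77              0   Incomplete      ARPA
Internet  10.10.2.20             12   0011.2233.6677  ARPA   Vlan20
Internet  10.10.1.10              5   0011.2233.4455  ARPA   Vlan10
Internet  192.168.99.5            3   0011.2233.8899  ARPA   Vlan99
"""

# address, age, hardware address; "ARPA" anchors the end of the fields we need
ARP_LINE = re.compile(r"^Internet[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]+ARPA", re.MULTILINE)


def arp_hosts(arp_text, scopes, exclude=()):
    """Return sorted, de-duplicated IPs that have a resolved MAC and fall inside
    one of `scopes` (CIDR strings), minus any addresses listed in `exclude`
    (e.g. the router's own gateway addresses, which are always in its cache)."""
    nets = [ipaddress.ip_network(s) for s in scopes]
    skip = {ipaddress.ip_address(x) for x in exclude}
    hosts = set()
    for ip_s, _age, mac in ARP_LINE.findall(arp_text):
        # Incomplete = the router asked but nobody answered: host is not actually up
        if mac.lower() == "incomplete":
            continue
        ip = ipaddress.ip_address(ip_s)
        if ip in skip or not any(ip in n for n in nets):
            continue
        hosts.add(ip)
    return [str(ip) for ip in sorted(hosts)]


def write_target_list(path, hosts):
    """Write one address per line, the format nmap -iL reads; returns the count."""
    with open(path, "w") as fh:
        fh.write("\n".join(hosts) + "\n")
    return len(hosts)


if __name__ == "__main__":
    targets = arp_hosts(SAMPLE_ARP, ["10.10.0.0/16"], exclude=["10.10.1.1"])
    n = write_target_list("arp-hosts.txt", targets)
    # -P0 (called -Pn in current nmap releases) skips the host-discovery probe
    print(f"{n} targets written; scan with: nmap -P0 -iL arp-hosts.txt")
```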