Nmap Development mailing list archives

Re: Nmap notes from a few conferences
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 10 Jun 2009 03:02:14 +0000

On Tue, 9 Jun 2009 19:37:33 -0700
Fyodor <fyodor () insecure org> wrote:
...
>> * People don't seem to know about nbstat.nse and are still talking
>>   about nbtscan.  Ron did some very good work with nbstat.  I don't
>>   think people know how to scan a very large network for UDP/137
>>   quickly.  In our documentation I think we should try to highlight
>>   how to use nbstat.nse really quickly.
>
> It sounds like you have some ideas related to quick UDP scanning?
> Maybe you could add some examples/information to the nbtscan NSEDoc?


Well UDP scanning is always going to be slow unless you can be
massively parallel.  Since with nbstat you're only looking for UDP port
137 you should be able to do something like:

$ sudo nmap -v -T5 -PN -sUC --script=nbstat -p 137 -n \
    --min-hostgroup 16384 --min-rtt-timeout 1000 \
    --min-parallelism 4096 <big networks here>

Unfortunately, I just tried that and NSE deadlocks immediately.  No
scripts complete.  If I take out the script portion I can scan a /16
for just port 137 with the above command in about 50 seconds.  I tried
removing --script and adding -sV but that caused:

nmap: gh_list.c:347: gh_list_remove_elem: Assertion `list->count == 0 || (list->first && list->last)' failed.
Aborted

David and I ran into this before with huge hostgroups.  At the time we
thought Nsock was unable to handle so many sockets.

In terms of fast UDP scanning, nbstat is a special case because it is
just one port.  Actually creating that many UDP sockets, though, seems to
make NSE and Nsock pretty unhappy.  When I wrote the original
version of nbstat and tested it, I was able to use huge hostgroups and
it ran fine.  Ron did add a lot of features and NSE has changed a lot
since then.

...
>>   that the documentations and examples are out there.  This is
>>   mostly what my DDCSW presentation was about.
>
> Do you have slides or a video recording online?


With the caveat that this was a 15 minute presentation because DDCSW
was discussion and question/answer oriented and also that the target
audience was not your typical nmap-dev subscriber, the abstract and
presentation link are:

Effectively Scanning Huge Networks with Nmap to find backdoors and
suspicious services:

On a large network a tool like Nmap may feel like a toy. Just as you
can't extend your core network with a $25 Linksys router from Best Buy,
you can't just fire up Nmap, tell it to scan a handful of /16s and expect
anything useful to happen. Scanning large networks requires a solution
that scales, maintains good speed, and can be automated. Fortunately
with the appropriate use of Nmap's many options and a few wrapper
scripts Nmap can be made to scan very large networks smoothly with
useful results. This presentation will provide the necessary scripts,
knowledge, and checklist needed to start up scanning your organization.
This presentation will also cover using Nmap for some tasks normally
thought of as Nessus-only like Windows password auditing, MS08-067
checking, Conficker scanning, etc.

Link:
http://noh.ucsd.edu/~bmenrigh/nmap_ddcsw.pdf

Brandon
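
Added example, not part of Brandon's message or of Nmap: a small wrapper that splits large networks into blocks no bigger than the hostgroup size and builds one nmap command per block with the options from the command above, so each block is a separate run with its own output file. The function names, the -oG grepable output option and the output file naming are assumptions made for this example.

```python
import ipaddress
import shlex

# Options copied from the command in the message above.
BASE_ARGS = ["nmap", "-v", "-T5", "-PN", "-sUC", "--script=nbstat",
             "-p", "137", "-n", "--min-rtt-timeout", "1000"]


def split_blocks(networks, max_hosts=16384):
    """Yield IPv4 subnets holding at most max_hosts addresses each."""
    if max_hosts < 1:
        raise ValueError("max_hosts must be at least 1")
    # The largest power of two <= max_hosts decides the prefix length
    # (16384 addresses -> /18).
    prefix = 32 - (max_hosts.bit_length() - 1)
    for text in networks:
        net = ipaddress.ip_network(text, strict=False)
        if net.version != 4:
            raise ValueError(f"IPv4 only: {text}")
        if net.prefixlen >= prefix:
            yield net  # already small enough, scan as one block
        else:
            yield from net.subnets(new_prefix=prefix)


def build_commands(networks, max_hosts=16384, parallelism=4096):
    """Return one shell-quoted nmap command line per block."""
    cmds = []
    for block in split_blocks(networks, max_hosts):
        # Assumed naming scheme: one grepable output file per block.
        out = f"nbstat-{block.network_address}_{block.prefixlen}.gnmap"
        args = BASE_ARGS + [
            "--min-hostgroup", str(block.num_addresses),
            "--min-parallelism", str(min(parallelism, block.num_addresses)),
            "-oG", out, str(block)]
        cmds.append(shlex.join(args))
    return cmds


if __name__ == "__main__":
    # Constructed sample ranges (private address space).
    for cmd in build_commands(["10.0.0.0/16", "192.168.4.0/22"]):
        print("sudo " + cmd)
```

Lowering max_hosts gives smaller hostgroups per run without editing the rest of the command line.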

