Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Nmap scanning speed
From: "Strykar" <str () hackerzlair org>
Date: Mon, 1 May 2006 11:36:56 +0530

Well said.

As said before, use as many machines as you can allot to spread the scan
ranges, old P-2's or the like should suffice and your network bandwidth
seems enough.

Don't ping to check the machines state and have nmap do fast parallel scans,
ie. nmap -P0 -p 1-1024 -T aggressive <address range here>

What are you running these scans to check against? If you want to see what
services nmap detects, add the '-A' switch, so:

nmap -A -P0 -p 1-1024 -T aggressive <address range here>




S

-----Original Message-----
From: Phil Frederick [mailto:flosofl () gmail com] 
Sent: Monday, May 01, 2006 7:16 AM
To: pen-test () securityfocus com
Cc: chrismc () gmail com
Subject: Re: Nmap scanning speed

You may want to scan in parallel.  As many machines as you can get. 
Otherwise this will take a while.  We have a class A (10.x.x.x) split
into several smaller subnets (300,000+ nodes total) that we scan every
week.  We handle it by using 40+ dedicated scanning machines that each
handle their own section.  I'll say it again, I highly recommend using
multiple scanners.

Don't use stealth mode.  You'll never finish.  Also, alert your
firewall team to allow the scanning systems through to the other
networks.  Alert whomever handles the IDS config.  Many, many alarms
will be triggered by the scan.

An huge time saver would be a list of valid IPs (so you don't have to
hit the whole block of addresses).  My experience with our stuff is
that we use at most 35-40% of the available hosts in the ranges we
have defined.  You may want to do a simple discovery first to generate
an "addresses to scan" DB.  If you are only doing this once a month,
run the discovery in 1st half of the month and the port scan in the
second.

Scripting is your friend.  Perl or python (hell, WMI works) will help
split and combine your results.

1-1024?  Are you scanning for legitimate services only?  because
zombies, netcat, BO, etc... will all be higher in the range (i.e. BO
will be 31337 without modification)  You may want to use  "-p
1-1024,<evil tool port>,<evil tool port>,<evil tool port>,<evil tool
port>,etc.."  when you invoke nmap if you don't want to scan the
entire range.

-Phil
On 28 Apr 2006 20:10:29 -0000, chrismc () gmail com <chrismc () gmail com> wrote:
Hi,


We have been asked to scan a class b network for port range 1 - 1024 every
month.

The network is across 4 hops of T1 links. icmp is filtered at the edge
router and hence prevent us form using icmp to detect live systems.


does anyone attempted a scan on such a large scane and can provide us with
information regarding the time nmap could take to scan such an environmen
and what should be the ideal settings?


Appreciate any response to this.


----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise,
you need to proactively protect your applications from hackers. Cenzic has
the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with
a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.

----------------------------------------------------------------------------
--



----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to
rise, 
you need to proactively protect your applications from hackers. Cenzic has
the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
----------------------------------------------------------------------------
--



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault