Improving nmap performance

[Lance Spitzner <lance () honeynet org>]

Not sure if this is commonly known, however I wanted to share
something I've learned with nmap.  As part of my job, I often
do a great deal of scanning of firewalls, or scanning through
firewalls.  This can be VERY TIME consuming, as you get no
response for each probe, a full scan (all 65000+ ports) of a 
firewall used to average me 3200 seconds.  While teaching
a class we were able to DRAMATCALLY reduce this for TCP
scans to average 840 seconds.  Using the following command line
options

  --max_rtt_timeout 50 --max-parallelism 100

By reducing rtt_timeout to 50, we DRAMATICALLY reduced the
time for scanning, however, this is when the target is only
2 hops away, you may experience dropped packets if there
are more hops.  I can say this with a high degree with confidence,
as we had 8 different systems probe all 65000+ TCP ports,
all averaging around 840-850 seconds per scan.  By changing
the rtt_timeout to 10, we got the time down to 350+, but
you are really pushing it.  Increasing the number of parrallel
scans beyond 100 seemed to have no improvement.

Unfortunatelyl, UDP still took MUCH LONGER, averaging
2000-3000 seconds perscan :-0

Just thought I would share this tidbit, for those of you
who have waited to firewall scans :)


-- 
Lance Spitzner
http://www.honeynet.org




--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).