Nmap Development mailing list archives

Re: PortBunny - FX and Fabs at 24C3


From: "Robert E. Lee" <robert () outpost24 com>
Date: Thu, 24 Jan 2008 13:22:17 +0100

Fyodor, et al

This is in response to:
http://seclists.org/nmap-dev/2008/q1/0116.html

Tyler was getting so many dropped packets because the TSC on his
computer is misbehaving.  He needed to use the GTOD or Sleep timer
options instead to have an accurate scan.  By default, unicornscan will
send at 300 packets per second.  By default, it should take ~3 minutes,
45 seconds to complete a full 65k port scan.

=-=-=-=-=-=-=

Here is a more accurate picture:
This output isn't meant to make either project look better than the
other; heads up output against one host on the internet in a pure speed
shoot out isn't that interesting.

Fyodor and I have spoken several times offline about speed and
neither of our projects cares about speed at the expense of accuracy.
But since all this hoopla started on the speed topic, here are some
results from our test machine.

I scanned scanme.insecure.org from a co-located machine with a good
amount of bandwidth. Scanme is mostly filtered with some open and some
closed ports.  These filtered, over-the-Internet scans are what
Unicornscan shines at.

=-=-=-=-=

# time us scanme.insecure.org/32:a -L2 -r75000 -E
TCP open                     ssh[   22]         from 205.217.153.62  ttl 52
TCP closed                  smtp[   25]         from 205.217.153.62  ttl 52
TCP open                  domain[   53]         from 205.217.153.62  ttl 52
TCP closed                gopher[   70]         from 205.217.153.62  ttl 52
TCP open                    http[   80]         from 205.217.153.62  ttl 52
TCP closed                 ident[  113]         from 205.217.153.62  ttl 52

real    0m4.701s
user    0m0.441s
sys     0m0.588s

=-=-=-=-=

# time nmap -p0-65535 scanme.insecure.org

Starting Nmap 4.53 ( http://insecure.org ) at 2008-01-24 02:26 PST
Interesting ports on scanme.nmap.org (205.217.153.62):
Not shown: 65530 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http
113/tcp closed auth

Nmap done: 1 IP address (1 host up) scanned in 140.339 seconds

real    2m20.344s
user    0m0.066s
sys     0m0.045s

=-=-=-=-=

# time nmap -p0-65535 -T5 --max-retries 0 scanme.insecure.org

Starting Nmap 4.53 ( http://insecure.org ) at 2008-01-24 02:31 PST
Warning: Giving up on port early because retransmission cap hit.
Interesting ports on scanme.nmap.org (205.217.153.62):
Not shown: 65530 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http
113/tcp closed auth

Nmap done: 1 IP address (1 host up) scanned in 49.875 seconds

real    0m49.879s
user    0m0.062s
sys     0m0.058s

=-=-=-=-=

4.7 vs 49.87 seconds. We've reported the exact same findings (no dropped
packets).

Cheers,

Robert

-- 
Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead
http://www.outpost24.com
 
SE Phone: +46 455-61-2320
US Phone: +1 801-924-5902
email: robert () outpost24 com
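
The closing claim above, that both scanners reported the same findings, can be checked mechanically. The following is an added example, not part of the original message or of either project: it parses result lines in the two formats quoted above (constructed sample input copied from that output) and diffs them on protocol, port and state, ignoring service names because the tools label port 113 differently (ident vs. auth). The function names and regular expressions are assumptions made for illustration.

```python
import re

# Constructed sample input: result lines copied from the two scans quoted in
# the post. The last unicornscan entry is left wrapped, as the mail client did.
UNICORNSCAN_OUTPUT = """\
TCP open                     ssh[   22]         from 205.217.153.62  ttl 52
TCP closed                  smtp[   25]         from 205.217.153.62  ttl 52
TCP open                  domain[   53]         from 205.217.153.62  ttl 52
TCP closed                gopher[   70]         from 205.217.153.62  ttl 52
TCP open                    http[   80]         from 205.217.153.62  ttl 52
TCP closed                 ident[  113]         from 205.217.153.62  ttl
52
"""
NMAP_OUTPUT = """\
Not shown: 65530 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http
113/tcp closed auth
"""

# Named groups let one parser serve both formats (patterns are illustrative).
US_LINE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<state>\w+)\s+\S+?\[\s*(?P<port>\d+)\]\s+from\s+\S+")
NMAP_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)")

def parse(text, pattern):
    """Map (protocol, port) -> state for every result line the pattern matches."""
    findings = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:  # headers, summaries and wrapped fragments do not match
            findings[(m["proto"].lower(), int(m["port"]))] = m["state"].lower()
    return findings

def diff_findings(a, b):
    """Return {(proto, port): (state_a, state_b)} per disagreement; None = absent."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

if __name__ == "__main__":
    us = parse(UNICORNSCAN_OUTPUT, US_LINE)
    nm = parse(NMAP_OUTPUT, NMAP_LINE)
    print("findings per tool:", len(us), len(nm))
    print("disagreements:", diff_findings(us, nm) or "none")
```

An empty diff means the faster run dropped nothing relative to the slower one; a port present in only one result set shows up with `None` on the other side.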
