Nmap Development mailing list archives

Re: [PATCH] Extended SSL support in Nmap


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 21 Feb 2009 21:50:12 +0000


On Sat, 21 Feb 2009 22:30:25 +0100 or thereabouts Kristof Boeynaems
<kristof.boeynaems () gmail com> wrote:

I think this is actually going to be pretty hard to test.  Starting
a new SSL session is already a very slow, very CPU-intensive task.
When I was doing an SSL survey of the Internet I had to keep the
--max-hostgroup to 16 because if it was any higher Nmap would try
to version-probe too many SSL services at once and I wouldn't have
enough CPU to handle all of the session instantiation.

Jah mentioned seeing this here:

http://seclists.org/nmap-dev/2008/q2/0332.html
    

Interesting! Currently I am doing scans without this --max-hostgroup 
limitation, and indeed, during the version detection parts my CPU
"goes through the roof". However, I did not notice any effect on the
quality of the results for now; then again I haven't really been
focusing on such issues either.
Do you mean that you noticed that the quality was really suffering 
without this --max-hostgroup limitation? You got different results
when specifying this option?

The machine I was doing this scanning from is a relatively slow 2.8 GHz
P4 'c'.  Normally when I do service scanning across thousands of hosts
I specify a huge --min-hostgroup like 1024 or above.  I found though
that the machine was taking so long to try to establish SSL sessions
that they were failing.

I did some experimenting and found that 16 hosts was about the minimum
needed to keep my CPU maxed.  I assume that I could have done at least
32 in parallel but that it wouldn't actually have been any faster and
could have been less reliable.

Brandon

