Nmap Development mailing list archives
Re: a few usability problems and how to scan very fast a large network
From: Farkas Levente <lfarkas () lfarkas org>
Date: Tue, 09 Mar 2010 23:36:55 +0100
On 03/09/2010 10:45 PM, Brandon Enright wrote:
> The best way would be to look at your ARP tables. With Nmap though,
local ARP tables usually don't contain all ARP info on the LAN :-(
> something like this should be pretty comprehensive: nmap -v -d -v -sP -PE -PP -PM - -PS21,22,23,80,135,139,443,445,1024,1025,1026,3389 -PA 21,22,23,80,135,139,443,445,1024,1025,1026,3389 -T5 - --min-hostgroup 2048 --min-parallelism 256 -oA results 10.10.0.0/16
this gives me: "Nmap done: 65536 IP addresses (74 hosts up) scanned in 45.85 seconds", so much slower than my version :-(
>> - xml output contains a lot of good for nothing tags. eg. if i scan a B subnet then the resulting xml contains ALL host tags, ie. 65536 tags. why? even if we have a few dozen used ip addresses we've to load and parse a rather large tree, which is a time and memory consuming process and totally redundant. this file is about 7MB !!! why read it, process it and use memory for this?
> Well if you tell Nmap to scan an IP and it doesn't get anything it should record the null result. It may not be useful for your purpose but you can use Xquery/Xpath to filter that.
this is true, but imho a better output still would be useful.
> Also, if you're going for such targeted information as in your example
> above:
> $ sudo nmap -v -d -n -Pn -p 80 -T5 --min-parallelism 256 --min-hostgroup 2048 -oG - 192.168.0.0/16 2>/dev/null | awk '/^Host:.*Ports: 80\/open/ {print $2}'
this takes: "Nmap done: 65536 IP addresses (80 hosts up) scanned in 46.74 seconds"
> You really want to avoid TCP connections here. Instead of using T just - -sS and then -p 80. Also, -PR won't really work outside of your VLAN.
we always like to scan the LAN, or why is a VLAN different in this case?
> Okay lets try:
> $ time sudo nmap -n -PN -p 80 -T5 --min-parallelism 4096 --min-hostgroup 8192 132.239.0.0/16 -oG - 2>/dev/null | awk '/Host:.*open/ {print $2}' | wc -l
> 2949
> real 0m15.170s
> user 0m5.262s
> sys 0m2.121s
in my case this is the fastest: "Nmap done: 65536 IP addresses (74 hosts up) scanned in 10.84 seconds"
> A pcap for a /24 would be nice. I'm guessing some sort of UDP based fire and forget trick specific to the camera.
i'll do this in the following days...
> Available has lots of definitions but it sounds to me like any IP used by a machine. ARP tables are the only sure way to do that. Try something like: nmap -v -d -v -sP -PE -PP -PM - -PS21,22,23,80,135,139,443,445,1024,1025,1026,3389 -PA 21,22,23,80,135,139,443,445,1024,1025,1026,3389 -T5 - --min-hostgroup 2048 --min-parallelism 256 -oA results 10.10.0.0/16
are those "-" at the beginning of lines a bug? this takes: "Nmap done: 65536 IP addresses (76 hosts up) scanned in 45.00 seconds", so again very slow :-(

--
Levente "Si vis pacem para bellum!"

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
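The awk one-liners above work because the scans only probe port 80, so `Ports: 80/open` is always the first (and only) entry. The example below, added here and not part of the thread, filters the same grepable (-oG) format but splits the Ports field on commas, so it stays correct for multi-port scans and does not confuse 8080/open or 80/filtered with 80/open; the sample scan lines are constructed, not real output.

```shell
#!/bin/sh
# Filter hosts with a given TCP port open out of Nmap grepable (-oG) output,
# and pull the "hosts up" count from the trailing summary line.

# Constructed sample of -oG output (fields in this format are tab separated).
sample_grepable() {
    printf '%s\n' '# Nmap scan initiated as: nmap -n -Pn -p 22,80,443 -oG - 10.10.0.0/24'
    printf '%s\t%s\n' \
        'Host: 10.10.0.1 ()' 'Status: Up' \
        'Host: 10.10.0.1 ()' 'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///' \
        'Host: 10.10.0.2 ()' 'Ports: 22/closed/tcp//ssh///, 80/filtered/tcp//http///, 443/open/tcp//https///' \
        'Host: 10.10.0.3 ()' 'Ports: 8080/open/tcp//http-proxy///' \
        'Host: 10.10.0.4 ()' 'Ports: 80/open/tcp//http///'
    printf '%s\n' '# Nmap done at Tue Mar  9 23:36:55 2010 -- 256 IP addresses (4 hosts up) scanned in 10.84 seconds'
}

# hosts_with_open_port PORT   (reads -oG output on stdin, prints one IP per line)
hosts_with_open_port() {
    awk -v want="$1" '
        /^Host:/ && /Ports: / {
            ip = $2
            ports = $0
            sub(/^.*Ports: /, "", ports)   # keep only the port list
            sub(/\t.*$/, "", ports)        # drop later fields (Ignored State, ...)
            n = split(ports, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")        # port/state/proto/owner/service/...
                if (f[1] == want && f[2] == "open") { print ip; break }
            }
        }'
}

# hosts_up_count   (reads -oG output on stdin, prints the N from "(N hosts up)")
hosts_up_count() {
    sed -n 's/.*(\([0-9][0-9]*\) hosts up).*/\1/p'
}
```

Usage: `sudo nmap -n -Pn -p 80 -oG - 10.10.0.0/16 2>/dev/null | hosts_with_open_port 80`.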
Current thread:
- a few usability problems and how to scan very fast a large network Farkas Levente (Mar 09)
- Re: a few usability problems and how to scan very fast a large network Brandon Enright (Mar 09)
- Re: a few usability problems and how to scan very fast a large network Farkas Levente (Mar 09)
- Re: a few usability problems and how to scan very fast a large network Brandon Enright (Mar 09)
