Re: faster scans? (nmap)

From: Anders Thulin (Anders.Thulin@kiconsulting.se)
Date: Tue Jun 04 2002 - 02:49:30 EDT


wirepair wrote:

> I'm sure most of you at some point in time need to scan class c after
> class c for hosts responding (most likely using nmap). [...]

> so I was wondering if any of you have any tips
> on speeding up the process and not losing reliability. Here's the actual
> syntax nmap -sT -v -n -P0 -p 1- ip.ip.ip.ip-ip.

   If you're doing host discovery -- i.e. all you want to get is a list of
confirmed IP addresses -- I think you should split up the job more, to
avoid doing extended port scans of hosts you already know to be there.

   In general:

   1) Ping broadcast and network addresses (NMAP).
      Likely to bag you more than one response per packet sent

   2) Ping remaining addresses (NMAP)

   3) NetBIOS name enumeration on remaining addresses (I forget - ADMsmb? NAT?
      some Samba utility?)
      Likely to bag you most Win/Samba systems.
      I think there may be broadcast possibilities here, but I don't know
      any tools that use them.

   4) portscan one at a time: 21, 22, 25, 80, 443 and other known and fairly
      *likely* TCP ports for remaining addresses. (NMAP)

      (See Open-Source Security Testing Methodology Manual for more ideas at
       http://www.ideahamster.org.)

   A bit of scripting is, of course, required to remove found addresses from the
list of targets before it's used in the next step.

   As for UDP scanning ... I'm not sure. If you get a positive response (i.e.
port unreachable) you can trust the answer, but personally I would not interpret
the absence of a response in any way. Again, the probes can be ordered after
probability: NetBIOS ports, DNS, NTP, isakmp, etc...

   It's not really until you get to the end of the list of discovery methods that
something as general as -p1- makes sense. And even then, I'd do it in blocks
of 1024 ports at a time.

-- 
Anders Thulin   anders.thulin@kiconsulting.se   040-661 50 63	
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
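The "bit of scripting" the reply mentions, pruning confirmed hosts from the target list between discovery steps, as an added example that is not part of the original post: it expands the target specs for an inventory scan of your own address space, picks the hosts reported as Up out of nmap's greppable (-oG) output, and returns what is left for the next step. The sample output and the 192.0.2.0/29 block are constructed, not real scan data.

```python
import ipaddress
import re
from typing import Iterable, List, Set

# Matches the "Host:" lines nmap writes with -oG (greppable output),
# e.g. "Host: 192.0.2.10 ()  Status: Up"; only hosts reported Up are kept.
_HOST_RE = re.compile(
    r"^Host:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(.*?\)\s+Status:\s+Up\b"
)

# Constructed sample of step-1 output (not a real scan).
SAMPLE_STEP1 = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.1 ()  Status: Up
Host: 192.0.2.4 ()  Status: Up
Host: 192.0.2.5 ()  Status: Down
"""


def expand_targets(specs: Iterable[str]) -> Set[ipaddress.IPv4Address]:
    """Expand CIDR blocks (192.0.2.0/24), nmap-style last-octet ranges
    (192.0.2.1-20) and single addresses into a set of host addresses."""
    hosts: Set[ipaddress.IPv4Address] = set()
    for spec in specs:
        if "/" in spec:
            hosts.update(ipaddress.ip_network(spec, strict=False).hosts())
        elif "-" in spec:
            base, last = spec.rsplit("-", 1)
            prefix, first = base.rsplit(".", 1)
            for octet in range(int(first), int(last) + 1):
                hosts.add(ipaddress.ip_address(f"{prefix}.{octet}"))
        else:
            hosts.add(ipaddress.ip_address(spec))
    return hosts


def found_hosts(greppable_output: str) -> Set[ipaddress.IPv4Address]:
    """Addresses a previous discovery step reported as Up (nmap -oG)."""
    found: Set[ipaddress.IPv4Address] = set()
    for line in greppable_output.splitlines():
        m = _HOST_RE.match(line)
        if m:
            found.add(ipaddress.ip_address(m.group(1)))
    return found


def remaining_targets(targets: Set[ipaddress.IPv4Address],
                      found: Set[ipaddress.IPv4Address]) -> List[str]:
    """Targets not yet confirmed, sorted numerically, one per line for -iL."""
    return [str(ip) for ip in sorted(targets - found)]
```

Write the returned list to a file and hand it to the next step with -iL; repeat after each step so later, slower probes only touch unconfirmed addresses.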