Re: Nmap scanning speed

From: robert@dyadsecurity.com
Date: Tue Nov 15 2005 - 01:44:49 EST


> From: Trent@yahoo.co.uk [mailto:Trent@yahoo.co.uk]
> Sent: Thursday, November 10, 2005 12:13 PM
> To: pen-test@securityfocus.com
> Subject: Nmap scanning speed
>
> I have to scan a large network. Is it possible to get good port scanning speed of over 700 ports per second from nmap?

Keep in mind that scanning speed (software tool aside) is a tricky thing to get
right on a large network. You have to know the maximum available bandwidth from
the networks you're scanning from, and the remote networks that you are scanning.
You also have to account for the fact that most networks are optimized for stable
communication throughput... so just because you see a fat pipe on both sides
doesn't mean that they are going to be able to take a large number of relatively
tiny packets per second. Add to this the mess of these IDS/IPS/Firewall devices
that give up the ghost on a high rate of state changes and you're left with either
meticulously mapping out the safe/accurate scanning rates on the individual network
segments, or choosing a modest rate to test everything at. If you just go "really
fast", you'll either be left with inaccurate results, or DoSing the networks, or
both. We've killed... as in fried switch ports before (we did this at our Black
Hat class in Vegas this past summer). We've also taken out firewalls (high end
really expensive boxes) at relatively low packet per second rates.

When testing these large networks it's best to start with a conservative rate on a
segment and work up the speed, and increase the network segment size. Validate the
results, and then move on to the full blown scan.

The problem with tools like nmap and scanrand in these situations is that you can't
really dial in the pps to send at. With nmap you get pretty consistent numbers if
you use the same release/hw for all of your scans. With scanrand if you specify too
high of a rate, you will experience packet loss on the sender. With unicornscan we
tried very hard to provide timing that gets close to the rate asked for... i.e. if
you ask for 1,000 pps you'll get ~990 pps, etc. The fastest we've accurately scanned
at with stock hardware was over 100,000 pps from a single card. We're still looking
at custom network hardware to go higher than that (I really want to see 1,000,000 pps
for IPv6 networks). But with our distributed scanning, using multiple senders and
receivers as one logical TCP/IP stack, the remote network is going to be your limit,
not the rate of speed you can get from your scanning system.

Anyhow, we're getting ready to release an update to unicornscan. If any of you
have a large network to play with and don't mind providing feedback, hit me up and
I'll help you get the pre-release working. The biggest feature differences that
you'll see in the next release are being able to do the distributed scanning that
we demo'd at blackhat/defcon + being able to perform TCP based trigger/response
testing. I.e., instead of having to portscan on the 1st sweep, and then banner
grabbing on the open ports, and then amaping the open ports, you can send
dynamic or static TCP/UDP payloads all on the 1st sweep. For more info on that, see
the unicornscan.org website. The defcon talk slides are there to download.

Feel free to ask more large scale scanning questions. We have had good success doing
that with unicornscan. Also, a quick plug for ISECOM's OPST/OPSA classes. To my
knowledge they're the only group teaching unicornscan in the curriculum worldwide. I
helped write those slides. If you're looking for a class to go to in the next few
months, that might be a good one to consider. I'm teaching an OPST class in Feb
here in Southern California, but they are available world-wide through the ISECOM
training network.

Cheers, and happy testing,

Robert

-- 
Robert E. Lee
CIO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033
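As an added example (not code from the post above, nor from nmap or unicornscan), the Python below turns the two points of the reply into numbers: how much link bandwidth a given probe rate actually consumes on the wire (the "fat pipe on both sides" check to do before picking a rate), and a send pacer that holds a requested pps and reports the rate really achieved, in the spirit of "ask for 1,000 pps, get ~990". Ethernet frame sizes and overheads are standard values; the pacer design and its injectable clock are my assumptions.

```python
"""Wire-rate budget and a simple send pacer for SYN-probe scans.

Added example, not from the mailing-list post or any scanner's source.
Frame sizes/overheads are standard Ethernet values; the pacer design is
an assumption used to illustrate requested vs. achieved packet rates.
"""
import time

# A 40-byte SYN probe (IP + TCP) is padded to the 64-byte minimum Ethernet
# frame; on the wire each frame also costs an 8-byte preamble and a 12-byte
# inter-frame gap, so a minimal probe occupies 84 bytes of link time.
MIN_FRAME_BYTES = 64
WIRE_OVERHEAD_BYTES = 8 + 12


def _wire_bytes(frame_bytes: int) -> int:
    return max(frame_bytes, MIN_FRAME_BYTES) + WIRE_OVERHEAD_BYTES


def wire_bps(pps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Bits per second a scan consumes on the link at a given probe rate."""
    return pps * _wire_bytes(frame_bytes) * 8


def max_pps(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Highest probe rate a link of link_bps can physically carry."""
    return link_bps / (_wire_bytes(frame_bytes) * 8)


class Pacer:
    """Spaces sends at a fixed interval and reports the rate actually achieved.

    clock/sleep are injectable so the scheduling logic can be tested without
    real waiting; in use, leave the defaults.
    """

    def __init__(self, target_pps: float, clock=time.monotonic, sleep=time.sleep):
        self.interval = 1.0 / target_pps
        self.clock, self.sleep = clock, sleep
        self.sent = 0
        self.started = self.next_at = None

    def wait_for_slot(self) -> None:
        """Block until the next send slot; call once per probe sent."""
        now = self.clock()
        if self.started is None:
            self.started = self.next_at = now
        if self.next_at > now:
            self.sleep(self.next_at - now)
        self.sent += 1
        # Advance from the plan, not from 'now', so sleep jitter does not accumulate.
        self.next_at += self.interval

    def achieved_pps(self) -> float:
        """Observed rate between the first and the most recent send."""
        elapsed = self.clock() - self.started
        return (self.sent - 1) / elapsed if elapsed > 0 else 0.0
```

At minimal frame size a 100 Mbit link tops out near 148,809 pps and a gigabit link near 1,488,095 pps, which is why "over 100,000 pps from a single card" is close to the edge of Fast Ethernet and why the remote network, not the sender, usually becomes the limit first.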


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:10 EDT