RE: Nmap scanning speed

From: Strykar (str@hackerzlair.org)
Date: Mon May 01 2006 - 02:06:56 EDT


Well said.

As said before, use as many machines as you can allot to spread the scan
ranges; old P-2s or the like should suffice, and your network bandwidth
seems enough.

Don't ping to check the machines' state and have nmap do fast parallel scans,
i.e. nmap -P0 -p 1-1024 -T aggressive <address range here>

What are you running these scans to check against? If you want to see what
services nmap detects, add the '-A' switch, so:

nmap -A -P0 -p 1-1024 -T aggressive <address range here>

S

-----Original Message-----
From: Phil Frederick [mailto:flosofl@gmail.com]
Sent: Monday, May 01, 2006 7:16 AM
To: pen-test@securityfocus.com
Cc: chrismc@gmail.com
Subject: Re: Nmap scanning speed

You may want to scan in parallel. As many machines as you can get.
Otherwise this will take a while. We have a class A (10.x.x.x) split
into several smaller subnets (300,000+ nodes total) that we scan every
week. We handle it by using 40+ dedicated scanning machines that each
handle their own section. I'll say it again, I highly recommend using
multiple scanners.

Don't use stealth mode. You'll never finish. Also, alert your
firewall team to allow the scanning systems through to the other
networks. Alert whomever handles the IDS config. Many, many alarms
will be triggered by the scan.

A huge time saver would be a list of valid IPs (so you don't have to
hit the whole block of addresses). My experience with our stuff is
that we use at most 35-40% of the available hosts in the ranges we
have defined. You may want to do a simple discovery first to generate
an "addresses to scan" DB. If you are only doing this once a month,
run the discovery in 1st half of the month and the port scan in the
second.

Scripting is your friend. Perl or python (hell, WMI works) will help
split and combine your results.

1-1024? Are you scanning for legitimate services only? Because
zombies, netcat, BO, etc. will all be higher in the range (i.e. BO
will be 31337 without modification). You may want to use "-p
1-1024,<evil tool port>,<evil tool port>,<evil tool port>,<evil tool
port>,etc." when you invoke nmap if you don't want to scan the
entire range.

-Phil
On 28 Apr 2006 20:10:29 -0000, chrismc@gmail.com <chrismc@gmail.com> wrote:
> Hi,
>
>
> We have been asked to scan a class B network for port range 1 - 1024 every
> month.
>
> The network is across 4 hops of T1 links. ICMP is filtered at the edge
> router and hence prevents us from using ICMP to detect live systems.
>
> Has anyone attempted a scan on such a large scale and can provide us with
> information regarding the time nmap could take to scan such an environment,
> and what should be the ideal settings?
>
> Appreciate any response to this.
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> Choice Award from eWeek. As attacks through web applications continue to rise,
> you need to proactively protect your applications from hackers. Cenzic has the
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request@cenzic.com for details.
> ------------------------------------------------------------------------------
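Both replies above (Strykar's "spread the scan ranges" across spare machines and Phil's "scripting is your friend" for splitting and combining results) describe the same workflow without showing it. The script below is an added example, not code from this thread or from any poster: it deals a network out to N scanners, prints one nmap command line per scanner using the options discussed above (-P0 because ICMP is filtered; note that current nmap spells that option -Pn), checks that the slices cover the whole range, and merges the scanners' greppable (-oG) output back into one host/port inventory that can serve as the "addresses to scan" list for the next month and be diffed against the previous run. The network, scanner count, output file names and the sample nmap output are all constructed for illustration.

```python
"""Added example (not code from this thread or from any poster): split a large
address range across several nmap scanners, build each scanner's command line
with the options discussed above, and merge the greppable (-oG) output back
into one host/port inventory. The network, scanner count, output file names
and the sample nmap output below are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

BASE_PORTS = "1-1024"          # the range the original poster was asked to cover

def build_port_spec(extra_ports=()):
    """nmap -p argument: the base range plus any extra ports outside it
    (31337 is the Back Orifice default mentioned in the thread)."""
    extras = sorted({int(p) for p in extra_ports if not 1 <= int(p) <= 1024})
    if not extras:
        return BASE_PORTS
    return BASE_PORTS + "," + ",".join(str(p) for p in extras)

def split_range(cidr, scanners):
    """Divide the network into equal subnets and deal them out round-robin,
    one list of subnets per scanner (some lists may be empty for tiny nets)."""
    net = ipaddress.ip_network(cidr, strict=False)
    diff = (scanners - 1).bit_length()                   # 2**diff >= scanners
    diff = min(diff, net.max_prefixlen - net.prefixlen)  # never below a single host
    pieces = [net] if diff == 0 else list(net.subnets(prefixlen_diff=diff))
    assignment = [[] for _ in range(scanners)]
    for i, sub in enumerate(pieces):
        assignment[i % scanners].append(str(sub))
    return assignment

def covers_whole_range(cidr, assignment):
    """Sanity check before launching: the slices are disjoint, lie inside the
    target network, and add up to every address in it."""
    net = ipaddress.ip_network(cidr, strict=False)
    subs = [ipaddress.ip_network(s) for group in assignment for s in group]
    disjoint = all(not a.overlaps(b) for i, a in enumerate(subs) for b in subs[i + 1:])
    inside = all(s.subnet_of(net) for s in subs)
    return disjoint and inside and sum(s.num_addresses for s in subs) == net.num_addresses

def scanner_commands(cidr, scanners, extra_ports=()):
    """One nmap invocation per scanner. -P0 (spelled -Pn in current nmap) skips
    the ping, since ICMP is filtered at the edge; -T aggressive is the timing
    template from the thread; -oG writes output that merge_results() can read.
    The scannerN.gnmap file names are an assumption of this example."""
    ports = build_port_spec(extra_ports)
    cmds = []
    for idx, subnets in enumerate(split_range(cidr, scanners)):
        if subnets:
            cmds.append(f"nmap -P0 -p {ports} -T aggressive "
                        f"-oG scanner{idx}.gnmap {' '.join(subnets)}")
    return cmds

# Greppable-output line carrying port results, e.g.
# Host: 10.1.2.3 ()<TAB>Ports: 22/open/tcp//ssh///<TAB>Ignored State: closed (1023)
PORTS_LINE = re.compile(r"^Host: (\S+) \([^)]*\)\s+Ports: (.+?)(?:\s+Ignored State:.*)?$")

def parse_gnmap(text):
    """{host: {port: (state, proto, service)}} from one scanner's -oG file."""
    results = defaultdict(dict)
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(", "):
            fields = entry.split("/")      # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 5:
                results[host][int(fields[0])] = (fields[1], fields[2], fields[4])
    return dict(results)

def merge_results(outputs):
    """Combine every scanner's parsed output into one inventory."""
    merged = {}
    for text in outputs:
        for host, ports in parse_gnmap(text).items():
            merged.setdefault(host, {}).update(ports)
    return merged

def responding_hosts(merged):
    """Hosts that answered at all: the 'addresses to scan' list for next time."""
    return sorted(merged, key=ipaddress.ip_address)

def open_services(merged):
    """(host, port, service) for every open port, for diffing month to month."""
    return sorted((h, p, svc) for h, ports in merged.items()
                  for p, (state, _proto, svc) in ports.items() if state == "open")

# Constructed sample output from two scanners (not real scan data).
SAMPLE_OUTPUTS = [
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.1.2.3 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1023)\n",
    "Host: 10.1.2.4 ()\tPorts: 31337/open/tcp//Elite///\tIgnored State: filtered (1024)\n"
    "Host: 10.1.2.10 ()\tPorts: 23/closed/tcp//telnet///\tIgnored State: filtered (1024)\n",
]

if __name__ == "__main__":
    plan = split_range("10.0.0.0/16", 4)
    print("coverage ok:", covers_whole_range("10.0.0.0/16", plan))
    for cmd in scanner_commands("10.0.0.0/16", 4, extra_ports=[31337]):
        print(cmd)
    inv = merge_results(SAMPLE_OUTPUTS)
    print("responding:", responding_hosts(inv))
    print("open:", open_services(inv))
```

Run it as-is to see the four command lines for a /16 dealt to four scanners and the merged inventory from the constructed sample; in practice the merge step would read each scannerN.gnmap file instead. Splitting on subnet boundaries rather than host counts keeps each scanner's target a single CIDR argument, and the coverage check catches the easy mistake of a slice being dropped or duplicated when the plan is edited by hand.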


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:54 EDT