Security Basics mailing list archives

RE[4]: Finding web servers with nmap


From: Denis <da_shestakov () myrealbox com>
Date: Fri, 09 Dec 2005 15:18:58 +0200

Hi,


Thanks all for the answers!

Suggestions for discovering web servers (I define a web server as a
host with open port 80 serving http and, in particular, do not care about
other ports) in some IP range were to use the following tools:
WotWeb
nmap
Acunetix web scanner
amap


The WotWeb program seems the best tool for the task I have. However, I
wonder how the process of identifying whether an http service is
listening on a port or not happens. Is it sending probes like "HEAD /
HTTP/1.0" or something less trivial? May I be sure that I do not miss
any host with a publicly available web server on it when scanning some
IP range with WotWeb (of course, suppose that network, DNS, etc. are
fine)?


nmap can also be used for that with the following options (additionally,
these options, non-essential for my task, may be added: -v, -n, -T5 or
-T4, -sV):
#nmap -v -sT -P0 -p 80 -oG your.log x.x.0-255.0-255
or the same but with -sS instead of -sT
#nmap -v -sS -P0 -p 80 -oG your.log x.x.0-255.0-255

So, what would be better - running with -sT (faster) or with -sS?
Then, does the -P0 option, when performing a sequential scan of large IP
ranges, prevent my machine from appearing in a list of compromised
or infected hosts?


-- 
BR,
 Denis                          mailto:da_shestakov () myrealbox com
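As an added example for the question above about how a tool decides that an open port 80 is actually serving http: the script below is not from the thread, not WotWeb's code (whose probing method is not described here) and not nmap's. It does exactly the trivial thing Denis mentions, a "HEAD / HTTP/1.0" probe, and shows why "port open" and "http service present" are different answers. It runs entirely against constructed local listeners: a real Python http.server, a fake non-HTTP banner service, and a port known to be closed. All hostnames, ports and the banner text are assumptions made up for the demonstration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The probe a simple checker sends once the TCP connection is up (assumption:
# a minimal HTTP/1.0 HEAD request with a Host header).
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n"


def probe_http(host, port, timeout=3.0):
    """Connect to host:port, send a HEAD request and classify what answered.

    Returns (state, detail) where state is one of:
      'closed'        - no TCP connection (refused, filtered, unreachable)
      'open-not-http' - connected, but the first line is not an HTTP status line
      'http'          - connected and the peer answered with 'HTTP/x.y ...'
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("closed", "")
    data = b""
    with sock:
        try:
            sock.sendall(HTTP_PROBE % host.encode())
            # Read until we have a full first line or a reasonable cap.
            while b"\r\n" not in data and len(data) < 1024:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # reset or timed out after connecting: port is open, service unknown
    first_line = data.split(b"\r\n", 1)[0]
    if first_line.startswith(b"HTTP/"):
        return ("http", first_line.decode("latin-1"))
    return ("open-not-http", first_line.decode("latin-1", "replace"))


class _QuietHeadHandler(BaseHTTPRequestHandler):
    """Constructed web server: answers HEAD with 200 and logs nothing."""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_web_server():
    """Start a local HTTP server on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _QuietHeadHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def start_banner_service(banner):
    """Constructed non-HTTP listener: greets with a banner, then closes.

    Mimics the kind of service that sits on an open port but is not a web
    server, so a port scanner alone would misreport it."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            try:
                conn.recv(1024)  # wait for the client's probe before closing
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """Bind to port 0 to learn a free port, then release it so it is closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe the three constructed cases; returns {name: (state, detail)}."""
    web_srv, web_port = start_web_server()
    fake_port = start_banner_service(b"220 not-a-web-server ready\r\n")
    closed_port = free_closed_port()
    results = {
        "http": probe_http("127.0.0.1", web_port),
        "raw": probe_http("127.0.0.1", fake_port),
        "closed": probe_http("127.0.0.1", closed_port),
    }
    web_srv.shutdown()
    web_srv.server_close()
    return results


if __name__ == "__main__":
    for name, (state, detail) in demo().items():
        print(f"{name:7s} {state:14s} {detail}")
```

Run it and the three lines show the point: only the first target is classified "http", the banner service is reported as open but not http (a plain "-p 80" port scan would list it as a hit), and the closed port never gets a probe. A real inventory would also have to handle hosts that accept the connection and say nothing (the timeout path), and the HTTP/1.0 probe itself is the simplest possible check; a server that rejects HEAD or requires a specific Host name would need a GET or a retry, which is one reason a checker built only on this probe can miss hosts.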

