Nmap Development mailing list archives

Re: some nmap tools


From: "Akbar Ali" <kaber () aliansystems com>
Date: Sun, 7 Dec 2003 13:23:30 -0800

Might take a while to scan all those hosts, a lot of firewalls don't respond
to requests and will just sit there.
And when you scan, be prepared for your logs to grow quite a bit, many
servers will drop an icmp echo request to you after they get scanned.


-akbara.
;http://vertexabuse.cjb.net

----- Original Message ----- 
From: "testic+testic" <testic () testic demon co uk>
To: "nmap" <nmap-dev () insecure org>
Sent: Sunday, December 07, 2003 7:06 AM
Subject: Re: some nmap tools


I was intrigued by the idea of scanning such a large number of hosts,
especially doing all the scanning from a single machine. I did some quick
calculations in order to get a perspective.

Assuming all TCP packets (SYN, ACK, FIN etc) are all the same size of 160
bits (20 bytes)...

We send a SYN packet to a remote port...

If the remote port is 'open', ie a service is listening on that port, the
sender will receive a SYN/ACK.
If the port is 'filtered' the sender will receive an RST packet.
If the port is 'closed' nothing at all will be received.

In 'filtered' and 'closed' states the sender need send no more data at all.
Only in 'open' state does any further data need to be sent; in this state we
will be sending a further ACK and also we need to close the connection. Nmap,
I believe, will neatly close the connection using FIN. As far as I can tell
this will result in FIN, CLOSE and FIN/ACK packets being sent and FIN/ACK
and FIN packets being received. For simplicity I am assuming all these basic
packets are the same size of 160 bits (20 bytes).

Assuming a remote host has 2 'open' ports and 2 'filtered' ports, and given
that there are 1223 services in nmap-services this will result in:

1,223 SYN's being sent. (195,680 bits (24,460 bytes))
2 RST's being received ('filtered' ports) (320 bits (40 bytes))
2 SYN/ACK's received ('open' ports) (320 bits (40 bytes))
2 ACK's sent (final part of 3-way handshake) (320 bits (40 bytes))
2 x FIN, CLOSE and FIN/ACK sent (for closing the open connection) (a total
of 960 bits (120 bytes))
2 x FIN/ACK and FIN received (for closing the open connection) (a total of
480 bits (60 bytes))

Total sent per host: 196960 bits (24620 bytes). Total received per host:
1120 bits (140 bytes).

If there are 80,000 hosts to be scanned that is a grand total of 15756.8
million bits (1878.36 MB) being sent and 89.6 million bits (10.68 MB)
being received. To put it another way, 98.48 million packets are sent and
640,000 are received.
If this scan takes 10 hours to complete then 2735 packets are sent per
second!



testic


PS, apologies for any errors :)


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org

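As an added example (not code from either poster or from the Nmap project), here is the estimate from the quoted message written as a small parameterized calculator in Python. The per-state exchange table, the 20-byte packet size, the 1223-port count, the 2 open / 2 filtered ports and the 80,000-host, 10-hour scenario are all taken from the message's own assumptions; the function and table names are mine. Packet counts follow the message's model directly, and byte figures are simply count multiplied by the assumed packet size. Being able to size the traffic up front is also what tells a defender how much log volume a sweep of this kind would produce on the receiving side.

```python
from dataclasses import dataclass

# Every packet is assumed to be 20 bytes (160 bits), as in the quoted message.
PACKET_BYTES = 20

# Packets exchanged per probed port AFTER the initial SYN, keyed by the state
# the scanner observes: (packets the scanner sends, packets it receives).
# This table reproduces the model in the quoted message (an assumption, kept
# editable so a different model can be plugged in):
#   open:     SYN/ACK in, ACK out, then "FIN, CLOSE, FIN/ACK" out and "FIN/ACK, FIN" in
#   filtered: the message assumes a single RST comes back
#   closed:   the message assumes silence
EXCHANGE_AFTER_SYN = {
    "open": (1 + 3, 1 + 2),
    "filtered": (0, 1),
    "closed": (0, 0),
}


@dataclass
class ScanEstimate:
    sent_packets: int
    recv_packets: int
    sent_bytes: int
    recv_bytes: int


def per_host(ports_probed, state_counts, packet_bytes=PACKET_BYTES):
    """Traffic for one host: one SYN per probed port, plus the per-state exchange.

    state_counts maps a state name to how many of the probed ports are in it;
    ports not listed are treated as 'closed', which costs nothing beyond the SYN.
    """
    sent = ports_probed  # one SYN per port in the service list
    recv = 0
    for state, count in state_counts.items():
        extra_sent, extra_recv = EXCHANGE_AFTER_SYN[state]
        sent += extra_sent * count
        recv += extra_recv * count
    return ScanEstimate(sent, recv, sent * packet_bytes, recv * packet_bytes)


def whole_scan(hosts, host_estimate):
    """Scale a per-host estimate up to the full host count."""
    return ScanEstimate(
        host_estimate.sent_packets * hosts,
        host_estimate.recv_packets * hosts,
        host_estimate.sent_bytes * hosts,
        host_estimate.recv_bytes * hosts,
    )


def packets_per_second(total_packets, hours):
    """Average send rate needed to finish in the given number of hours."""
    return total_packets / (hours * 3600)


def megabytes(n_bytes):
    """Binary megabytes (1 MB = 1048576 bytes), the unit the message's 1878.36 MB implies."""
    return n_bytes / (1024 * 1024)


if __name__ == "__main__":
    # Scenario from the quoted message: 1223 ports, 2 open, 2 filtered, 80,000 hosts, 10 hours.
    host = per_host(1223, {"open": 2, "filtered": 2})
    total = whole_scan(80_000, host)
    print(f"per host: {host.sent_packets} pkts / {host.sent_bytes} B sent, "
          f"{host.recv_packets} pkts / {host.recv_bytes} B received")
    print(f"whole scan: {total.sent_packets:,} pkts sent ({megabytes(total.sent_bytes):.2f} MB), "
          f"{total.recv_packets:,} pkts received")
    print(f"rate over 10 h: {packets_per_second(total.sent_packets, 10):.1f} pkt/s")
```

Changing the entries in `EXCHANGE_AFTER_SYN` or the `state_counts` argument is all that is needed to rerun the estimate under a different set of assumptions about how targets respond.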