Nmap Development mailing list archives
Re: Best timing options when scanning a large number of IPs
From: "Brandon Enright" <bmenrigh () ucsd edu>
Date: Tue, 15 Aug 2006 21:56:02 -0000 (UTC)
Erik Tews wrote:
Hi, I am going to scan a large number of IP addresses for a single open TCP port. I am only interested in knowing which one of them got this single port open. I got a fast network connection (100 Mbit to the next IP exchange) and I am not worried if I miss some systems. If I got 90% of all hosts which got this port open, it would still be good. What options should I use for nmap? I specified -T5 for very aggressive timing. What are good values for all the --min* and --max* options? I would like to use 10 or 20 Mbit bandwidth for scanning.
If you want to achieve 20+ Mb/s you're looking at 60k+ packets a second. Nmap's timing just isn't well suited for this task. You can try something like

# nmap -v -d -P0 -n -p 25 -T5 --min-rtt-timeout 5 --initial-rtt-timeout 10 --max-rtt-timeout 100 --min-hostgroup 2048 132.239.0.0/16

which works well on my low-latency network. Notice I'm using -T5 *before* the rest of the timing options instead of --scan-delay and --max-retries. IIRC there were bugs with both --scan-delay and --max-retries not being settable that have since been fixed; T5 sets them to a reasonable level as a workaround. Also, don't try to set the hostgroup higher than 2048; in my experience Nmap starts to thrash resources with more than 2048 hosts in a group.

If you want to achieve 20+ packets/second you should look into Unicornscan. Unicornscan sends packets asynchronously at whatever rate you want. Instead of setting delay, you tell Unicornscan how many packets to send a second.

# unicornscan -v -p -R3 -r100000 x.x.0.0/16:445

This tells Unicornscan to send 3 SYN packets to each host at a rate of 100k packets a second. If you want the speed of Unicornscan and the features of Nmap, you can send the Unicornscan discovered hosts to Nmap as a list with -iL. Don't ramp up the -R option more than about 10, otherwise you'll overload your network switching equipment and get *very* odd results back.

Regards,
Brandon

--
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
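The Unicornscan-then-Nmap hand-off that Brandon describes, as an added example (this is editor-supplied glue, not code from the post or from either project). It assumes Unicornscan's default one-response-per-line output ("TCP open  name[ port]  from IP  ttl N"); the sample output below is constructed, not a real capture, and the follow-up Nmap command is printed rather than executed so the script runs offline. -Pn is used as the current spelling of the post's -P0, and -sV is just one example of "the features of Nmap" you would want on the confirmed hosts.

```shell
#!/bin/sh
# Added example, not code from the original post: glue a Unicornscan sweep
# to Nmap via -iL. Assumes Unicornscan's default one-response-per-line
# output format ("TCP open  name[ port]  from IP  ttl N").

# Constructed sample of Unicornscan output (not a real capture). With -R3 a
# responsive host can show up more than once, and a verbose run may also
# report closed ports, so both cases are included to show they are handled.
SAMPLE_UNICORN_OUT='TCP open               microsoft-ds[  445]         from 10.0.1.7  ttl 128
TCP open               microsoft-ds[  445]         from 10.0.1.7  ttl 128
TCP open               microsoft-ds[  445]         from 10.0.3.22  ttl 64
TCP closed             microsoft-ds[  445]         from 10.0.5.40  ttl 64
TCP open               microsoft-ds[  445]         from 10.0.9.250  ttl 128
sender statistics: 100000.0 pps with 196608 packets sent total'

# Read Unicornscan output on stdin; print each host that answered with an
# open port, once, sorted. Splitting on whitespace means the "from" token is
# always followed by the address however the service name is padded, so we
# key on that token instead of a fixed column. sort -u collapses the
# duplicates that -R<n> produces.
unicorn_open_hosts() {
    awk '$1 == "TCP" && $2 == "open" {
             for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)
         }' | sort -u
}

# Build the Nmap follow-up command for a host list file ($1) and port ($2).
# -Pn (the current spelling of the post's -P0) skips host discovery, which
# Unicornscan already did; -n avoids a reverse lookup per host. Returned as
# a string rather than executed so the example runs offline.
nmap_followup_cmd() {
    printf 'nmap -v -n -Pn -p %s -sV -T4 -iL %s\n' "$2" "$1"
}

# Stand-alone run: write the host list and show the command you would run.
# For a live sweep replace the printf with:
#   unicornscan -v -R3 -r100000 x.x.0.0/16:445 | unicorn_open_hosts > "$HOSTLIST"
HOSTLIST=$(mktemp)
printf '%s\n' "$SAMPLE_UNICORN_OUT" | unicorn_open_hosts > "$HOSTLIST"
echo "$(wc -l < "$HOSTLIST" | tr -d ' ') host(s) for Nmap, in $HOSTLIST"
nmap_followup_cmd "$HOSTLIST" 445
```

Keying on the "open" state matters: a verbose Unicornscan run can report closed or reset responses too, and feeding those to Nmap throws away the time the fast sweep saved.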
Current thread:
- Best timing options when scanning a large number of IPs Erik Tews (Aug 15)
- Re: Best timing options when scanning a large number of IPs Brandon Enright (Aug 15)