Nmap Development mailing list archives
Re: Fwd: Re: tcpwrapper hassle
From: "securityfocus () truesec de" <securityfocus () truesec de>
Date: Mon, 30 Nov 2009 14:37:03 +0100 (CET)
Hi Richard, I realize the ambivalence. I've learned that "--min-hostgroup/max-hostgroup" might make different sense dependent on what you scan, TCP or UDP and which results do you expect. In my case not knowing the network, expect misconfiguration, big results etc. and scanning UDP it might be of advance to use --min-hostgroup ~50-100, like Fyodor and other guys recommend; you don't expect that many open ports, scan in parallel as much as you can, etc. When scanning TCP it might make sense to use --max-hostgroup ~20 so if a tcpwrapped-monster comes up you won't wait too long for the first results and you will be able to save them to the harddisk. You know sitting there and starring at the screen while nmap was counting up the open TCP ports from ~6000 up to 65535 made me wishing more interactivity with nmap. Like "Press n to skip to the next host and save the current host to the list named noisy_hosts.txt to scan them later or from a different machine...". Is that a legitimate one? Regards, Edin
-------- Original-Nachricht -------- Datum: Mon, 30 Nov 2009 13:55:13 +0100 Von: Richard Sammet <richard.sammet () googlemail com> An: Edin Dizdarevic <edind () gmx de> CC: nmap-dev () insecure org Betreff: Re: tcpwrapper hassle Hi Edin, you should have look at the "--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes" option. By setting the hostgroup to a maximum of e.g. 16, nmap will only scan 16 hosts in parallel and after done so it will save the results for those 16 hosts to the log before going on to scan the next 16 hosts. This way you are not going to lose that much result data in case of failure... You should also keep in mind that speeding up a scan will cause you miss some open ports/services. especially if you decide to reduce the timeout values... So its really decision between speed an accuracy... Greetings, Richard On Mon, Nov 30, 2009 at 8:00 AM, Edin Dizdarevic <edind () gmx de> wrote:Hello list, what I experienced recently was a huge flat ground /16 network with many nodes using tcpwrapper. Some of them were simply showing almost all ports open which just took a lot, I mean _really_ lots of time to scan. First of all I did not expect so many nodes the customer neither - and then (before writing down the scan(!)) nmap crashed a few times consuming 2GB ram. Is there any other, smarter approach than it was mine - I assume there is - to cope with such stuff? The facts/prerequisites for the job were: * Sensitive environment, no aggressive scans allowed but T4 was fine * /16 Network, unknown number of nodes (it came out 1500) * Full TCP and UDP scan with service and OS recognition required * Many systems showing almost all TCP ports open (tcpwrapped) The hints I found in the nmap book about speeding up TCP and UDP scans were extremely helpful but in this case it did not help me that much at the end of the day. (But nice book... ;-)) Regards, Edin _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/-- Jetzt kostenlos herunterladen: Internet Explorer 8 und Mozilla Firefox 3.5 - sicherer, schneller und einfacher! http://portal.gmx.net/de/go/atbrowser
[data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAYAAADgdz34AAADsElEQVR4n K2VTW9VVRSGn33OPgWpYLARbKWhQlCHTogoSkjEkQwclEQcNJEwlfgD/AM6NBo1xjhx5LyJ0cYEDHGkJ qhtBGKUpm3SFii3vb2956wPB/t+9raEgSs52fuus89613rftdcNH8/c9q9++oe/Vzb5P+3McyNcfm2Cc Pj9af9w6gwjTwzvethx3Bx3x8xwd1wNM8dMcTNUHTfFLPnX6nVmZpeIYwf3cWD/PhbrvlPkblAzVFurK S6GmmGqqComaS+qmBoTI0Ncu3mXuGvWnrJ+ZSxweDgnkHf8ndVTdbiT3M7cQp2Z31dRTecHAfqydp4ej hwazh6Zezfnu98E1WIQwB3crEuJ2Y45PBTAQUVR9X4At66AppoEVO1Q8sgAOKJJjw6Am6OquDmvHskZ3 R87gW+vlHz98zpmiqphkkRVbQtsfPTOC30lJKFbFTgp83bWh7Zx/uX1B6w3hI3NkkZTqEpBRDBRzG2AQ HcwcYwEkOGkTERREbLQ/8HxJwuW7zdYrzfZ2iopy4qqEspKaDYravVm33k1R91Q69FA1VBRzFIVvXbx5 AgXT44A8MWP81yfu0utIR2aVK3vfCnGrcUNxp8a7gKYKiLCvY2SUvo/aNtnM3e49ucK9S3p0aDdaT0UA VsKi2tVi6IWwNL9JvdqTdihaz79/l+u/rHMxmaJVMLkS2OoKKLWacdeE3IsSxctc2D5Qcl6vUlVVgNt+ fkPPcFFmTw1xruvT7SCd7nuVhDQvECzJH90h0azRKoKFRkAmP5lKTWAGRdefoZL554FQNUxB92WvYeA5 UN4PtSqwB2phKqsqMpBgAunRhFR3j49zuU3jnX8k6fHEQKXzh1jbmGDuYU6s4t1rt6socUeLLZHhYO2A HSHmzt19ihTZ48O8Hzl/AmunD/BjTvrvPfNX3hWsNpwJCvwYm+ngug4UilSCSq6k8YPtxDwfA+WRawIW FbgscDiULcCEaWqBFOlrLazurupOSHLqGnEKJAY8TwBEHumqUirAjNm52vEPPRV4p01XXMPAQhUBjcWm 9QZwijwokgAeYHlHYA06KR1cT6ZvoV56pDUJQEjw0KeaMgj1hPEY4vz2A4eW0/e1qA7KtQdsxTYAG0H3 iG4xyK1Y+xm7XmEPOJZDiENzLi2WZHngeOjj2Pe+sMg4GRYyLAsx7ME4FnsyTD9pr0PEc8zPGRAwKXBk YOPEd96cZRvf11g9MDe7e3R4Z4Q+vyEnn3P4t0XzK/W+ODN5/kPfRLewAJVEQ0AAAAASUVORK5CYII%3 D] _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- tcpwrapper hassle Edin Dizdarevic (Nov 30)
- Re: tcpwrapper hassle Richard Sammet (Nov 30)
- <Possible follow-ups>
- Re: Fwd: Re: tcpwrapper hassle securityfocus () truesec de (Nov 30)