Nmap Development mailing list archives
Re: nmap scanning techniques and execution privileges
From: David Fifield <david () bamsoftware com>
Date: Sun, 8 Jan 2012 22:42:30 -0800
On Wed, Dec 14, 2011 at 02:19:37PM +0100, Guillaume Rousse wrote:
> Hello list. I'm using nmap to scan large IP ranges (B classes) this way:
>
>   nmap -sV -T5 -F -oX -
>
> When advised that some of the servers were missing in the report, I read the manual, and found that the default scanning technique when run without raw socket privileges was to use TCP connect scan, instead of TCP SYN scan, which is considered a better option. So I switched to root privileges instead:
>
>   sudo nmap -sV -T5 -F -oX -
>
> But now I discovered that some other servers were missing in the new report. After investigating the issue, I found that raw socket privileges allow using ICMP to speed up the scan by skipping non-responding hosts, and the missing hosts were those not responding to ICMP echo probes. So I attempted to disable this optimisation:
>
>   sudo nmap -sV -Pn -T5 -F -oX -
>
> But now scanning a class B range needs more than 12 hours to complete :(
ICMP echo is just one of the host discovery probes that Nmap uses. -Pn turns off host discovery completely, making every host appear to be up. What you want instead, if you want to emulate the TCP connect ping, is -PS80,443.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
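Added example (not from this thread or from the Nmap project): Guillaume found the missing servers by comparing -oX reports, so this script parses two Nmap XML outputs and reports which hosts appear in one run but not the other, together with the host-discovery reason Nmap recorded for each. The two XML documents are constructed, abbreviated samples of Nmap's -oX format (only the elements the script reads are present); the addresses and the `nmaprun`/`host`/`status`/`address` element names are as Nmap emits them, but the hosts themselves are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample: abbreviated nmap -oX output for a default host discovery
# run, where hosts are found only through ICMP echo replies.
XML_DEFAULT_DISCOVERY = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -T5 -F -oX - 192.0.2.0/29">
  <host><status state="up" reason="echo-reply"/><address addr="192.0.2.1" addrtype="ipv4"/></host>
  <host><status state="up" reason="echo-reply"/><address addr="192.0.2.2" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed sample: the same range with -PS80,443 (TCP SYN ping). A host that
# drops ICMP echo is now discovered through a syn-ack on one of those ports.
# (With -Pn every host would instead show reason="user-set" and no probe result.)
XML_TCP_SYN_PING = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -PS80,443 -T5 -F -oX - 192.0.2.0/29">
  <host><status state="up" reason="syn-ack"/><address addr="192.0.2.1" addrtype="ipv4"/></host>
  <host><status state="up" reason="syn-ack"/><address addr="192.0.2.2" addrtype="ipv4"/></host>
  <host><status state="up" reason="syn-ack"/><address addr="192.0.2.5" addrtype="ipv4"/></host>
</nmaprun>
"""


def hosts_up(xml_text):
    """Map each IPv4 address reported 'up' to the host-discovery reason Nmap gave."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                result[addr.get("addr")] = status.get("reason")
    return result


def compare_reports(xml_a, xml_b):
    """Return (only_in_a, only_in_b, reasons_in_b) so missing hosts can be explained."""
    a, b = hosts_up(xml_a), hosts_up(xml_b)
    return sorted(set(a) - set(b)), sorted(set(b) - set(a)), b


if __name__ == "__main__":
    only_a, only_b, reasons = compare_reports(XML_DEFAULT_DISCOVERY, XML_TCP_SYN_PING)
    for ip in only_b:
        print(f"{ip} missed by default discovery; -PS80,443 found it via {reasons[ip]}")
```

Pointing the script at real -oX files from the two runs shows which hosts only answer the TCP SYN ping, without resorting to -Pn and its full-range cost.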