Re: nmap scanning techniques and execution privileges

[David Fifield <david () bamsoftware com>]

On Wed, Dec 14, 2011 at 02:19:37PM +0100, Guillaume Rousse wrote:
> Hello list.
>
> I'm using nmap to scan large IP ranges (B classes) this way:
> nmap -sV -T5 -F -oX -
>
> When advised that some of the servers were missing in the report, I
> read the manual, and found than default scanning technique when run
> without raw socket priveleges was to use TCP connect scan, instead
> of TCP SYN scan, which is considered a better option. So I switched
> to root privileges instead:
> sudo nmap -sV -T5 -F -oX -
>
> But now I discovered then some other servers were missing in the new
> report. After investigating the issue, I found than raw socket
> privileges allow to use ICMP to speed up the scan by skipping
> non-responsing hosts, and the missing host were those not responding
> to ICMP echo probes. So I attempted to disable this optimisation:
> sudo nmap -sV -Pn -T5 -F -oX -
>
> But now scanning a class B range needs more than 12 hours to complete :(

ICMP echo is just one of the host discovery probes that Nmap uses. -Pn
turns off host discovery completely, making every host appear to be up.
What you want instead, if you want to emulate the TCP connect ping, is
-PS80,443.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/