Penetration Testing mailing list archives
Re: faster scans? (nmap)
From: Anders Thulin <Anders.Thulin () kiconsulting se>
Date: Tue, 04 Jun 2002 08:49:30 +0200
wirepair wrote:
I'm sure most of you at some point in time need to scan class c after class c for hosts responding (most likely using nmap). [...]
so I was wondering if any of you have any tips on speeding up the process and not losing reliability. Here's the actual syntax: nmap -sT -v -n -P0 -p 1- ip.ip.ip.ip-ip.
If you're doing host discovery -- i.e. all you want to get is a list of confirmed IP addresses -- I think you should split up the job more, to avoid doing extended port scans of hosts you already know to be there. In general:

1) Ping broadcast and network addresses (NMAP). Likely to bag you more than one response per packet sent.

2) Ping remaining addresses (NMAP).

3) NetBIOS name enumeration on remaining addresses (I forget - ADMsmb? NAT? some Samba utility?). Likely to bag you most Win/Samba systems. I think there may be broadcast possibilities here, but I don't know any tools that use them.

4) Portscan one at a time: 21, 22, 25, 80, 443 and other known and fairly *likely* TCP ports for remaining addresses. (NMAP)

(See Open-Source Security Testing Methodology Manual for more ideas at http://www.ideahamster.org.)

A bit of scripting is, of course, required to remove found addresses from the list of targets before it's used in the next step.

As for UDP scanning ... I'm not sure. If you get a positive response (i.e. port unreachable) you can trust the answer, but personally I would not interpret the absence of a response in any way. Again, the probes can be ordered after probability: NetBIOS ports, DNS, NTP, isakmp, etc...

It's not really until you get to the end of the list of discovery methods that something as general as -p1- makes sense. And even then, I'd do it in blocks of 1024 ports at a time.

--
Anders Thulin anders.thulin () kiconsulting se 040-661 50 63
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
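The "bit of scripting" Anders mentions, written out as an added example (not from anyone in the thread): each nmap stage runs only against addresses not yet confirmed up, and the found list is pruned from the target file between stages. It assumes a modern nmap (-sn and -Pn are the current spellings of -sP and -P0) and a targets file with one address per line; the file names and the FOUND variable are this example's own.

```shell
#!/bin/sh
# Staged host discovery in the order the post describes: cheap, high-yield probes
# first, full port range last, and every stage skips addresses already confirmed up.
# Added example (not from the original thread). Assumes a modern nmap (-sn/-Pn are
# the current spellings of -sP/-P0) and that the target file lists one address per line.

NMAP=${NMAP:-nmap}
FOUND=${FOUND:-confirmed_hosts.txt}

# Read nmap grepable output (-oG -) on stdin and print confirmed-up addresses.
# A host counts only if nmap said "Status: Up" or reported an open TCP port;
# "open|filtered" UDP results are deliberately not trusted, as the post advises.
found_hosts() {
    awk '$1 == "Host:" && (/Status: Up/ || /\/open\//) { print $2 }' | sort -u
}

# Print the addresses in target file $1 that do not appear in found file $2.
# The FILENAME test (rather than NR==FNR) stays correct when $2 is empty.
remaining_targets() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' "$2" "$1"
}

# Run one nmap stage (options in $2...) against target file $1, record new hits
# in $FOUND, then shrink the target file to the addresses still unconfirmed.
run_stage() {
    targets=$1; shift
    [ -s "$targets" ] || return 0        # nothing left to probe
    "$NMAP" "$@" -n -oG - -iL "$targets" | found_hosts >> "$FOUND"
    remaining_targets "$targets" "$FOUND" > "$targets.tmp" && mv "$targets.tmp" "$targets"
}

main() {
    cp "$1" "$1.remaining"
    : > "$FOUND"
    run_stage "$1.remaining" -sn                           # 1)+2) ping sweep
    run_stage "$1.remaining" -sU -Pn -p 137                # 3) NetBIOS name service
    run_stage "$1.remaining" -sT -Pn -p 21,22,25,80,443    # 4) likely TCP ports
    run_stage "$1.remaining" -sT -Pn -p 1-1024             # first 1024-port block
    echo "confirmed: $(sort -u "$FOUND" | wc -l)  still unconfirmed: $(wc -l < "$1.remaining")"
}

# Only run the pipeline when a target file is given, so the functions can be sourced.
[ $# -eq 0 ] || main "$1"
```

Invoked as `./discover.sh targets.txt`, it leaves the confirmed addresses in confirmed_hosts.txt and the never-answering remainder in targets.txt.remaining.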