Penetration Testing mailing list archives
Re: Nmap scanning speed
From: robert () dyadsecurity com
Date: Mon, 14 Nov 2005 22:44:49 -0800
From: Trent () yahoo co uk [mailto:Trent () yahoo co uk]
Sent: Thursday, November 10, 2005 12:13 PM
To: pen-test () securityfocus com
Subject: Nmap scanning speed

> I have to scan a large network. Is it possible to get good port scanning speed of over 700 ports per second from nmap?
Keep in mind that scanning speed (software tool aside) is a tricky thing to get right on a large network. You have to know the maximum available bandwidth from the networks you're scanning from, and the remote networks that you are scanning. You also have to account for the fact that most networks are optimized for stable communication throughput... so just because you see a fat pipe on both sides doesn't mean that they are going to be able to take a large number of relatively tiny packets per second. Add to this the mess of these IDS/IPS/Firewall devices that give up the ghost on a high rate of state changes and you're left with either meticulously mapping out the safe/accurate scanning rates on the individual network segments, or choosing a modest rate to test everything at.

If you just go "really fast", you'll either be left with inaccurate results, or DoSing the networks, or both. We've killed (as in fried) switch ports before (we did this at our Black Hat class in Vegas this past summer). We've also taken out firewalls (high end, really expensive boxes) at relatively low packet per second rates.

When testing these large networks it's best to start with a conservative rate on a segment and work up the speed, and increase the network segment size. Validate the results, and then move on to the full-blown scan.

The problem with tools like nmap and scanrand in these situations is that you can't really dial in the pps to send at. With nmap you get pretty consistent numbers if you use the same release/hw for all of your scans. With scanrand, if you specify too high of a rate, you will experience packet loss on the sender. With unicornscan we tried very hard to provide timing that gets close to the rate asked for... i.e. if you ask for 1,000 pps you'll get ~990 pps, etc. The fastest we've accurately scanned at with stock hardware was over 100,000 pps from a single card.

We're still looking at custom network hardware to go higher than that (I really want to see 1,000,000 pps for IPv6 networks). But with our distributed scanning, using multiple senders and receivers as one logical TCP/IP stack, the remote network is going to be your limit, not the rate of speed you can get from your scanning system.

Anyhow, we're getting ready to release an update to unicornscan. If any of you have a large network to play with and don't mind providing feedback, hit me up and I'll help you get the pre-release working. The biggest feature differences that you'll see in the next release are being able to do the distributed scanning that we demo'd at Black Hat/DEF CON, plus being able to perform TCP based trigger/response testing. I.e., instead of having to portscan on the 1st sweep, then banner grab the open ports, and then amap the open ports, you can send dynamic or static TCP/UDP payloads all on the 1st sweep. For more info on that, see the unicornscan.org website. The DEF CON talk slides are there to download.

Feel free to ask more large scale scanning questions. We have had good success doing that with unicornscan.

Also, a quick plug for ISECOM's OPST/OPSA classes. To my knowledge they're the only group teaching unicornscan in the curriculum worldwide. I helped write those slides. If you're looking for a class to go to in the next few months, that might be a good one to consider. I'm teaching an OPST class in Feb here in Southern California, but they are available world-wide through the ISECOM training network.

Cheers, and happy testing,

Robert

--
Robert E. Lee
CIO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
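Robert's remark that you "can't really dial in the pps" with most scanners, and that a well-timed one asked for 1,000 pps should land around 990 rather than far below, comes down to how the send loop is paced. The comparison below is an added example, not code from the original post or from unicornscan, nmap or scanrand; it uses a simulated clock and a constructed 10 microsecond per-probe overhead so the gap between requested and achieved rate is deterministic and reproducible.

```python
"""Requested vs. achieved packet rate under two pacing strategies.

Added example, not code from the original post or from unicornscan, nmap
or scanrand. A simulated clock replaces time.perf_counter()/time.sleep()
so the result is deterministic; the 10 microsecond per-probe overhead is
a constructed figure standing in for packet construction plus the syscall.
"""
from dataclasses import dataclass


@dataclass
class SimClock:
    """Deterministic stand-in for a monotonic clock and sleep()."""
    now: float = 0.0

    def sleep(self, seconds: float) -> None:
        if seconds > 0:            # a negative value means we are already late: don't sleep
            self.now += seconds

    def send(self, cost: float) -> None:
        self.now += cost           # building and emitting the probe is not free


def naive_pacer(clock: SimClock, rate_pps: float, packets: int, send_cost: float) -> float:
    """Sleep 1/rate after every probe. The per-probe overhead is never paid back,
    so the achieved rate always falls short of the one requested."""
    start, interval = clock.now, 1.0 / rate_pps
    for _ in range(packets):
        clock.send(send_cost)
        clock.sleep(interval)
    return packets / (clock.now - start)


def deadline_pacer(clock: SimClock, rate_pps: float, packets: int, send_cost: float) -> float:
    """Give probe i the absolute deadline start + (i+1)/rate and sleep only until
    that deadline, so overhead is absorbed instead of accumulating."""
    start, interval = clock.now, 1.0 / rate_pps
    for i in range(packets):
        clock.send(send_cost)
        clock.sleep(start + (i + 1) * interval - clock.now)
    return packets / (clock.now - start)


def compare(rate_pps: float = 1000.0, packets: int = 10_000, send_cost: float = 10e-6) -> dict:
    """Achieved pps for both strategies at the same requested rate."""
    return {
        "requested": rate_pps,
        "naive": naive_pacer(SimClock(), rate_pps, packets, send_cost),
        "deadline": deadline_pacer(SimClock(), rate_pps, packets, send_cost),
    }


if __name__ == "__main__":
    for name, pps in compare().items():
        print(f"{name:>9}: {pps:8.1f} pps")
```

With the constructed overhead the naive loop delivers about 990 pps for a 1,000 pps request, while deadline pacing hits the requested rate; if the overhead ever exceeds the interval, the deadline pacer skips sleeping and the achieved rate becomes 1/overhead, which is the sender-side ceiling Robert describes hitting with stock hardware.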