Re: Advice on Fastest NMAP Scan

[xyberpix <xyberpix () xyberpix com>]

Me too,if someone's got the knowledge to code the program, then you can
bet they know how to use it.

Fyodor, yeah when's the book out, and do you need any reviewers?

xyberpix


On Thu, 2004-10-28 at 02:23, GuidoZ wrote:
> Personally, I'd trust the author to give correct advice. ;)
>
> Good to see you on here Fyodor. When do you expect the book to be due out?
>
> --
> Peace. ~G
>
>
> On Tue, 26 Oct 2004 16:05:57 -0700, Fyodor <fyodor () insecure org> wrote:
> > On Tue, Oct 26, 2004 at 09:58:50AM -0500, Mogren, Jack L. wrote:
> > > Here's what I've come up with so far.
> > >
> > > nmap -O -T4 -PE -F --osscan_limit -oX /home/security/test.xml -iL /home/security/ip_addresses.txt
> > >
> > >   Any comments or suggestions?
> >
> > First off, make sure that you are using Nmap 3.75.  Nmap 3.70 included
> > a complete port scan engine rewrite for better performance (among
> > other advantages) and then 3.75 tweaked it to be even better.  You can
> > obtain Nmap 3.75 from http://www.insecure.org/nmap .
> >
> > Since you know your network, you may be able to help Nmap by setting a
> > maximum retransmission timeout.  Are you scanning over multiple
> > continents, or just a local network?  If you can assume that responses
> > won't take more than 100ms, add --max_rtt_timeout 100 for a big speed
> > boost.  Also, use a large host group such as --min_hostgroup 128 so
> > that many hosts are scanned in parallel.  Play with the numbers a bit
> > to figure out what works best on your particular network.  You could
> > also consider a custom nmap-services file with just a couple hundred
> > of the most common TCP ports.  Even the -F option still scans more
> > than 1200 ports by default.
> >
> > I would be interested to hear how it goes.  If you find that it is too
> > slow for your needs, let me know.  I am working on a performance
> > chapter of my upcoming O'Reilly Nmap book, so I have studied several
> > such large network situations.  A class B and several class C's
> > shouldn't be any problem at all for regular scanning.  Your "entire
> > private address space" make take a while, depending on your setup.
> > Scanning 10.0.0.0/8 is 16 million IPs, so don't expect it to complete
> > during lunch.  Some of the tools that claim incredibly speeds don't
> > even handle retransmissions or other reliability requirements.
> >
> > I hope this helps,
> > Fyodor
-- 
For Security and Open Source news:
http://xyberpix.demon.co.uk

Attachment: signature.asc
Description: This is a digitally signed message part