Security Basics mailing list archives

RE: Finding web servers with nmap


From: tom.farrar () it-ps com
Date: Fri, 2 Dec 2005 10:44:32 +0000

#nmap -v -v -sT -P0 -p 80 -oG your.log -iL x.x.0-255.0-255

That is quite a quick scan, for results see below:

[With -sS]
[root@snort-1 root]# nmap -v -v -sS -P0 -p 80 www.it-ps.com
Nmap finished: 1 IP address (1 host up) scanned in !!-->0.610 seconds<--!!
               Raw packets sent: 2 (82B) | Rcvd: 2 (88B)

[With -sT]
[root@snort-1 root]# nmap -v -v -sT -P0 -p 80 www.it-ps.com
Nmap finished: 1 IP address (1 host up) scanned in !!-->0.055 seconds<--!!

Hope that helps,

Regards,

Tom


-----Original Message-----
From: Denis [mailto:da_shestakov () myrealbox com] 
Sent: 30 November 2005 17:01
To: security-basics () securityfocus com
Subject: Finding web servers with nmap

Hi,

I have a task to "relatively quickly" find all web servers (all hosts
with open port 80) in some particular network. It seems it can be done
with the nmap program. Could you advise me concerning the best options
for running nmap to accomplish this task? In particular, does the
following command do it right?
nmap -v -sS -PS80 -PA80 -p 80 -oG my.log -iL x.x.0-255.0-255
I am asking that because I have a concern that the above command may
miss some hosts. However, it works faster than the command with "-P0
-p 80" ... 

-- 
BR,
  Denis
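
Added example, not part of the original messages: a parser for the grepable log that `-oG` writes, grouping hosts by the state nmap reported for port 80. With `-P0` every address is treated as up, so only the port state shows whether a web server answered. The sample log is constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output; addresses are from the
# 192.0.2.0/24 documentation range and the hostname is made up.
SAMPLE_LOG = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (www.example.test)\tPorts: 80/open/tcp//http///
Host: 192.0.2.11 ()\tPorts: 80/closed/tcp//http///
Host: 192.0.2.12 ()\tPorts: 80/filtered/tcp//http///
Host: 192.0.2.13 ()\tStatus: Up
# Nmap run completed (constructed sample)
"""

# Every host record starts with "Host: <ip> (<name>)"; fields follow, tab-separated.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def hosts_by_state(log_text, port=80, proto="tcp"):
    """Return {state: [ip, ...]} for one port, read from grepable output."""
    result = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#"):          # scan header / footer comments
            continue
        match = HOST_RE.match(line)
        if not match:
            continue
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue                   # e.g. "Status: Up" carries no port data
            # Each entry is port/state/protocol/owner/service/rpcinfo/version/
            for entry in field[len("Ports: "):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[0] == str(port) and parts[2] == proto:
                    result[parts[1]].append(match.group(1))
    return dict(result)


def open_web_servers(log_text):
    """Hosts whose port 80 was reported open, i.e. the actual answer to the task."""
    return hosts_by_state(log_text).get("open", [])


if __name__ == "__main__":
    for state, ips in sorted(hosts_by_state(SAMPLE_LOG).items()):
        print(state, ips)
```

Hosts listed under `filtered` gave no answer on port 80, so they are the ones worth re-checking before concluding the inventory is complete.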

