Nmap Announce mailing list archives

RE: Improving nmap performance

From: "Gang Xu" <gxu () wnmail att com>
Date: Fri, 30 Aug 2002 09:25:37 -0400

I have the same problem of waiting for a firewall scan to finish. When using
connection scan "-sT", we find nmap tries each port 3 times and moves to the
next port until it completes all ports. Then it repeats the same process
again in the reverse order if -r is used. Therefore, 6 SYNs are sent to each
port.

I thought about modifying nmap code to avoid the second scan and customize
the number of tries. Has anyone already done this? If so, can you share your
code with me?

thanks,

Gang Xu

-----Original Message-----
From: Lance Spitzner [mailto:lance () honeynet org]
Sent: Thursday, August 29, 2002 7:23 PM
To: nmap-hackers () insecure org
Subject: Improving nmap performance


Not sure if this is commonly known, however I wanted to share
something I've learned with nmap.  As part of my job, I often
do a great deal of scanning of firewalls, or scanning through
firewalls.  This can be VERY TIME consuming, as you get no
response for each probe, a full scan (all 65000+ ports) of a
firewall used to average me 3200 seconds.  While teaching
a class we were able to DRAMATCALLY reduce this for TCP
scans to average 840 seconds.  Using the following command line
options

  --max_rtt_timeout 50 --max-parallelism 100

By reducing rtt_timeout to 50, we DRAMATICALLY reduced the
time for scanning, however, this is when the target is only
2 hops away, you may experience dropped packets if there
are more hops.  I can say this with a high degree with confidence,
as we had 8 different systems probe all 65000+ TCP ports,
all averaging around 840-850 seconds per scan.  By changing
the rtt_timeout to 10, we got the time down to 350+, but
you are really pushing it.  Increasing the number of parrallel
scans beyond 100 seemed to have no improvement.

Unfortunatelyl, UDP still took MUCH LONGER, averaging
2000-3000 seconds perscan :-0

Just thought I would share this tidbit, for those of you
who have waited to firewall scans :)


--
Lance Spitzner
http://www.honeynet.org




--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).



--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

Current thread:

Improving nmap performance Lance Spitzner (Aug 29)
- RE: Improving nmap performance Gang Xu (Aug 30)
- Re: Improving nmap performance Lamont Granquist (Aug 30)
- <Possible follow-ups>
- Re: Improving nmap performance Lance Spitzner (Aug 30)
  - Re: Improving nmap performance Stu Green (Aug 30)