Nmap Development mailing list archives

Re: status line in nmap


From: H D Moore <hdm () secureaustin com>
Date: Thu, 4 Jan 2001 07:26:21 -0600

My personal method of fast-scanning firewalled hosts:

1. Find at least one unfiltered port per host (check common ports)
2. Use hping to get average RTT time for each host
3. Take average RTT, double it, use as --max_rtt_timeout value
4. Enjoy much faster scans on firewalled hosts.

The reasoning behind it is simple, nmap needs an unfiltered port to get the 
RTT for its timing mechanisms.  Nmap also increases its internal max RTT if 
it thinks it is dropping packets.  A firewalled machine acts like a 
dead/dropping one for most of its ports, my method forces it to use the real 
RTT, at the cost of knowing an unfiltered port and avg RTT beforehand. 
Eventually I may be able to release the code for doing this, but it is smack 
dab in the middle of a ton of proprietary stuff right now and won't be easy to 
separate (nor is it a hard concept).  F, if what I am doing is completely 
moronic, let me know. 

-HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)


On Thursday 04 January 2001 04:27 am, ian.vitek () ixsecurity com wrote:
Yo!
We at iXsecurity have problems when pentesting firewalls. We want to know
how long the scan will take (with our timing switches).
Therefore we have added a -c switch to nmap. There are still problems with
resends (firewalled ports) but the solution below is acceptable.
The output is two status rows updated every second:
--------------------------------------------------------
root@trapper:/hacktools# nmap -sS -p 1- -c -n 10.0.0.1

Starting nmap V. 2.54BETA7IAN ( www.insecure.org/nmap/ )
Tried: 25080 (0 resends)
P/S:  3582.86 ETS:      11

--------------------------------------------------------

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
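The four-step recipe in HD's message (find an unfiltered port, measure the RTT, double it, feed the result to --max_rtt_timeout) as an added, runnable example. This is not HD Moore's code nor part of Nmap: it stands in for hping by timing a plain TCP connect() to the known-unfiltered port (a RST counts as an answer, a timeout as filtered), and the 100 ms floor, the placeholder target and the local listener used for a self-test are assumptions of this example, not something the post specifies.

```python
"""Pick --max_rtt_timeout for a firewalled host from a measured RTT.

Added example, not code from the mailing-list post or from Nmap.
Assumptions: RTT is measured with a TCP connect() to a port already known
to be unfiltered (a substitute for hping's SYN/ACK timing); the floor of
100 ms is this example's own guard, and host/port values are placeholders.
"""
import socket
import statistics
import threading
import time

PROBE_TIMEOUT = 2.0  # seconds; a probe slower than this is treated as filtered/lost


def probe_rtt(host, port, timeout=PROBE_TIMEOUT):
    """Return one TCP connect RTT in milliseconds, or None if nothing came back."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except ConnectionRefusedError:
        # A RST is still a reply from the host: the port is unfiltered, so
        # the elapsed time is a valid RTT sample.
        pass
    except OSError:
        # Timeout or no route: the port behaves as filtered, no RTT sample.
        return None
    return (time.monotonic() - start) * 1000.0


def measure_rtt(host, port, samples=5):
    """Step 2: average RTT over several probes; None if every probe was lost."""
    rtts = [r for r in (probe_rtt(host, port) for _ in range(samples)) if r is not None]
    if not rtts:
        return None
    return statistics.mean(rtts)


def max_rtt_timeout_ms(avg_rtt_ms, floor_ms=100):
    """Step 3: double the average RTT.

    The floor is an addition of this example: on a LAN the doubled RTT can be
    a millisecond or two, which would make nmap discard genuine replies.
    """
    return max(int(round(avg_rtt_ms * 2)), floor_ms)


def build_nmap_command(host, avg_rtt_ms, ports="1-", floor_ms=100):
    """Step 4: the nmap argv that applies the tuned timeout (value in ms)."""
    timeout = max_rtt_timeout_ms(avg_rtt_ms, floor_ms)
    return ["nmap", "-sS", "-n", "-p", ports,
            "--max_rtt_timeout", str(timeout), host]


def start_local_listener():
    """Open a loopback TCP listener so the probe has an unfiltered port to hit.

    Only for self-testing offline; returns (server_socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # listener closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Demonstration against a constructed local listener (placeholder target).
    srv, port = start_local_listener()
    avg = measure_rtt("127.0.0.1", port)
    srv.close()
    if avg is None:
        print("no reply on the chosen port: it is filtered, pick another one")
    else:
        print("avg RTT %.2f ms" % avg)
        print(" ".join(build_nmap_command("127.0.0.1", avg)))
```

Run it as-is to see the timing against loopback, then replace the host and port with a real target and a port you have already confirmed is unfiltered. If every probe returns None the port is not unfiltered and the measured value would be meaningless, which is exactly the precondition HD's step 1 is there to satisfy.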
