Nmap Development mailing list archives

Re: Best timing options when scanning a large number of IPs


From: "Brandon Enright" <bmenrigh () ucsd edu>
Date: Tue, 15 Aug 2006 21:56:02 -0000 (UTC)

Erik Tews wrote:
Hi

I am going to scan a large number of IP addresses for a single open TCP
port. I am only interested in knowing which of them have this single
port open.

I have a fast network connection (100 Mbit to the next IP exchange) and I
am not worried if I miss some systems. If I get 90% of all hosts that
have this port open, it would still be good.

What options should I use for nmap? I specified -T5 for very aggressive
timing. What are good values for all the --min* and --max* options?

I would like to use 10 or 20 Mbit bandwidth for scanning.


If you want to achieve 20+ Mb/s you're looking at 60k+ packets a second. 
Nmap's timing just isn't well suited for this task.

You can try something like

# nmap -v -d -P0 -n -p 25 -T5 --min-rtt-timeout 5 --initial-rtt-timeout 10 --max-rtt-timeout 100 --min-hostgroup 2048 132.239.0.0/16

which works well on my low-latency network.  Notice I'm using -T5 *before*
the rest of the timing options instead of --scan-delay and --max-retries. 
IIRC there were bugs with both --scan-delay and --max-retries not being
settable that have since been fixed; T5 sets them to a reasonable level as
a workaround.  Also, don't try to set the hostgroup higher than 2048, in
my experience Nmap starts to thrash resources with more than 2048 hosts in
a group.

If you want to achieve 20+ packets/second you should look into
Unicornscan.  Unicornscan sends packets asynchronously at whatever rate
you want.  Instead of setting delay, you tell Unicornscan how many packets
to send a second.

# unicornscan -v -p -R3 -r100000 x.x.0.0/16:445

This tells Unicornscan to send 3 syn packets to each host at a rate of
100k packets a second.  If you want the speed of Unicornscan and the
features of Nmap, you can send the Unicornscan discovered hosts to Nmap as
a list with -iL.

Don't ramp up the -R option more than about 10 otherwise you'll overload
your network switching equipment and get *very* odd results back.

Regards,

Brandon


-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu
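The reply suggests feeding a list of discovered hosts back into Nmap with -iL. The following is an added example, not code from either poster or from the Nmap project: it parses Nmap's grepable (-oG) output, keeps only the hosts that reported the port of interest as open, and writes them one per line in the form -iL accepts, which is the usual way to turn a fast, lossy sweep of your own address space into a smaller, slower inventory scan. The sample output embedded below is constructed for the example and is not real scan data; the function names are this example's own.

```python
"""Extract hosts with a given open port from Nmap grepable (-oG) output and
emit them as an -iL host list.  Added example; sample input is constructed."""
import re
from typing import Iterator, List, Tuple

# Constructed sample of what `nmap -oG -` prints (not real scan data).
# Fields on a "Host:" line are tab-separated; the Ports field holds
# comma-separated entries of the form port/state/protocol/owner/service/rpc/version.
SAMPLE_GREPABLE = """\
# Nmap 4.11 scan initiated Tue Aug 15 21:00:00 2006 as: nmap -P0 -n -p 25 -oG - 192.0.2.0/29
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 25/open/tcp//smtp///
Host: 192.0.2.2 ()\tPorts: 25/closed/tcp//smtp///
Host: 192.0.2.3 ()\tPorts: 25/filtered/tcp//smtp///
Host: 192.0.2.4 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///
# Nmap done at Tue Aug 15 21:00:05 2006 -- 8 IP addresses (4 hosts up) scanned in 5.2 seconds
"""

_HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_open_ports(lines) -> Iterator[Tuple[str, int, str]]:
    """Yield (host, port, protocol) for every port Nmap reported as open."""
    for line in lines:
        if not line.startswith("Host:"):
            continue  # comment lines ("# Nmap ...") and blanks carry no host data
        match = _HOST_RE.match(line)
        if match is None:
            continue
        host = match.group(1)
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status: Up" lines have no port information
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3 or not parts[0].isdigit():
                    continue  # malformed entry; skip rather than crash on odd output
                port, state, proto = int(parts[0]), parts[1], parts[2]
                if state == "open":
                    yield host, port, proto


def hosts_with_open_port(grepable_text: str, port: int, proto: str = "tcp") -> List[str]:
    """Return the unique hosts (in first-seen order) with `port`/`proto` open."""
    seen: List[str] = []
    for host, p, pr in parse_open_ports(grepable_text.splitlines()):
        if p == port and pr == proto and host not in seen:
            seen.append(host)
    return seen


def render_il_list(hosts: List[str]) -> str:
    """Format hosts one per line, which is what `nmap -iL <file>` reads."""
    return "".join(h + "\n" for h in hosts)


if __name__ == "__main__":
    open_hosts = hosts_with_open_port(SAMPLE_GREPABLE, 25)
    with open("smtp-hosts.txt", "w") as fh:
        fh.write(render_il_list(open_hosts))
    print(f"{len(open_hosts)} host(s) with 25/tcp open written to smtp-hosts.txt")
```

The first pass can then be run with the aggressive timing from the reply and `-oG`, and the second, feature-rich pass with `nmap -iL smtp-hosts.txt ...` against only the hosts that matter, so the slow part of the job touches a small fraction of the original range.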


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
