Nmap Development mailing list archives

Re: scanning a /8


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 22 May 2012 15:24:09 +0000


On Tue, 22 May 2012 06:19:14 -0700
Michael Right <specked () gmail com> wrote:

> Hi,
>
> Would it be faster to scan a /8 using a single nmap instance or
> splitting it into a bunch of smaller networks and running multiple
> parallel nmaps?
>
> Thanks


Hi Michael,

This is a complicated question and the answer depends a lot on what
sort of scan you're doing.

I assume in your case, if you want to scan a whole /8 you probably want
to find up hosts or locate just one or two services.  In that case, you
can tune a single Nmap process to blast packets which should outperform
more than one Nmap instance (when you factor in accuracy).

So suppose you want to scan hosts for port 80.  I'd try something like:

nmap -v -d -p 80 -Pn -n -T5 --min-hostgroup 8192 --min-parallelism 1024 \
  --randomize-hosts -oA big_scan 10.0.0.0/8

When you use --randomize-hosts Nmap doesn't actually randomly sort all
IPs but rather blocks of IPs much like how it scans in blocks (hosts
groups).  If you have a big global network with your /8 divided up into
a bunch of /16s or so and each routed to different parts of the world
then the random blocks Nmap uses won't be big enough to spread the scan
out evenly and you'll still be picking on one location or another.

In that case you can sort the list of IPs randomly yourself.  Here is
how I'd do that:

nmap -n -sL -oG - 10.0.0.0/24 | awk '/^Host:/ {print $2}' | sort -R | \
  nmap -v -d -p 80 -Pn -n -T5 --min-hostgroup 8192 --min-parallelism 1024 \
  --randomize-hosts -oA big_scan -iL -


Basically the first nmap process uses -sL to print the IP list and the
second nmap process uses -iL to read it in.  This sort -R would
take a while and use a lot of memory but I assume you have a scanning
machine that can handle it.

If you want to do a lot more than just scan a port or two (for example
if you want to use service versioning or NSE) then you will want to
divide up the scan into chunks if for no other reason than your nmap
output file(s) will be HUGE.  Handling a 20GB XML file sucks.

Other considerations to make for a scan like this include tuning up the
number of files handles, allowing TCP states to be reused, setting a
reasonable --host-timeout (-T5 defaults to 15 minutes), etc.

Also, Nmap has an undocumented option "--nogcc" which turns off the
Global Congestion Control algorithm.  Depending on network conditions,
this may help you for a scan of this magnitude.  Be careful though, it
could end up hurting the scan more than it helps.

For your kernel, consider using:

net.core.netdev_max_backlog = 16384
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
fs.file-max = 65535

Also, don't even think about trying to do this scan through a stateful
firewall (that means NAT or iptables with conntrack too!).

Regards,

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
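The point Brandon makes about --randomize-hosts only shuffling within blocks, as an added illustration that is not part of the original message: the script below models block-wise shuffling against a global shuffle and counts how many "regions" the first burst of probes lands in. It uses a /16 split into /24 regions as a scaled-down stand-in for a /8 split into /16s, and the block size standing in for a host group is an assumption, not nmap's internal value.

```python
import ipaddress
import random

# Constructed model of the two target-ordering strategies discussed in the
# post. The network, region size and block size are assumptions chosen so
# the run finishes quickly; the ratios carry over to a /8 split into /16s.

def block_randomized(hosts, block_size, rng):
    """Shuffle each consecutive block of hosts on its own while keeping the
    blocks in address order: the --randomize-hosts behaviour described above."""
    out = []
    for i in range(0, len(hosts), block_size):
        block = hosts[i:i + block_size]
        rng.shuffle(block)
        out.extend(block)
    return out

def globally_randomized(hosts, rng):
    """Shuffle the whole target list, as the sort -R pipeline does."""
    out = list(hosts)
    rng.shuffle(out)
    return out

def regions_hit(order, window, region_prefix):
    """Count distinct /region_prefix networks among the first `window` targets.
    A small count means one region absorbs the entire burst of probes."""
    shift = 32 - region_prefix
    return len({ip >> shift for ip in order[:window]})

def compare(network="10.0.0.0/16", region_prefix=24, block_size=4096, seed=1):
    """Return (regions hit by block randomization, regions hit by a global
    shuffle, total regions) for the first block of targets sent."""
    net = ipaddress.ip_network(network)
    hosts = [int(ip) for ip in net]          # /16 -> 65536 integer addresses
    total_regions = 2 ** (region_prefix - net.prefixlen)
    rng = random.Random(seed)
    blocked = regions_hit(block_randomized(hosts, block_size, rng),
                          block_size, region_prefix)
    shuffled = regions_hit(globally_randomized(hosts, rng),
                           block_size, region_prefix)
    return blocked, shuffled, total_regions

if __name__ == "__main__":
    b, s, t = compare()
    print(f"first 4096 probes: block-randomized touch {b}/{t} regions, "
          f"globally shuffled touch {s}/{t}")
```

With these parameters the first block of 4096 probes stays inside 16 of the 256 regions under block randomization, while the global shuffle spreads the same burst over essentially all of them.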

