Nmap Development mailing list archives
Re: scanning a /8
From: Michael Right <specked () gmail com>
Date: Tue, 22 May 2012 09:55:21 -0700
Hi Brandon,

Thanks for the detailed reply!

On Tue, May 22, 2012 at 8:24 AM, Brandon Enright <bmenrigh () ucsd edu> wrote:
On Tue, 22 May 2012 06:19:14 -0700 Michael Right <specked () gmail com> wrote:

Hi, Would it be faster to scan a /8 using a single nmap instance or splitting it into a bunch of smaller networks and running multiple parallel nmaps? Thanks

Hi Michael,

This is a complicated question and the answer depends a lot on what sort of scan you're doing. I assume in your case, if you want to scan a whole /8 you probably want to find up hosts or locate just one or two services. In that case, you can tune a single Nmap process to blast packets which should outperform more than one Nmap instance (when you factor in accuracy).

So suppose you want to scan hosts for port 80. I'd try something like:

    nmap -v -d -p 80 -Pn -n -T5 --min-hostgroup 8192 --min-parallelism 1024 --randomize-hosts -oA big_scan 10.0.0.0/8

When you use --randomize-hosts Nmap doesn't actually randomly sort all IPs but rather blocks of IPs much like how it scans in blocks (host groups). If you have a big global network with your /8 divided up into a bunch of /16s or so and each routed to different parts of the world then the random blocks Nmap uses won't be big enough to spread the scan out evenly and you'll still be picking on one location or another. In that case you can sort the list of IPs randomly yourself. Here is how I'd do that:

    nmap -n -sL -oG - 10.0.0.0/24 | awk '/^Host:/ {print $2}' | sort -R | nmap -v -d -p 80 -Pn -n -T5 --min-hostgroup 8192 --min-parallelism 1024 --randomize-hosts -oA big_scan -iL -

Basically the first nmap process uses -sL to print the IP list and the second nmap process uses -iL to read it in. This sort -R would take a while and use a lot of memory but I assume you have a scanning machine that can handle it.
If you want to do a lot more than just scan a port or two (for example if you want to use service versioning or NSE) then you will want to divide up the scan into chunks if for no other reason than your nmap output file(s) will be HUGE. Handling a 20GB XML file sucks.

Other considerations to make for a scan like this include tuning up the number of file handles, allowing TCP states to be reused, setting a reasonable --host-timeout (-T5 defaults to 15 minutes), etc.

Also, Nmap has an undocumented option "--nogcc" which turns off the Global Congestion Control algorithm. Depending on network conditions, this may help you for a scan of this magnitude. Be careful though, it could end up hurting the scan more than it helps.

For your kernel, consider using:

    net.core.netdev_max_backlog = 16384
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_tw_reuse = 1
    fs.file-max = 65535

Also, don't even think about trying to do this scan through a stateful firewall (that means NAT or iptables with conntrack too!).

Regards,

Brandon
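If you go the chunked route Brandon describes, here is one way to drive it, as an added example rather than code from the thread or from Nmap: it assumes 10.0.0.0/8 as on the page, an xargs that supports -P (GNU or BSD), and writes one -oA prefix per /16 under a big_scan/ directory. It prints the plan by default and only launches Nmap when RUN_SCAN=1 is set, and a second run skips chunks that already have output.

```shell
#!/bin/sh
# Added example, not code from the thread: scan a /8 as 256 separate /16 chunks,
# each with its own Nmap process and -oA prefix, so no single XML file grows huge
# and a chunk that dies can be re-run by itself. Assumes 10.0.0.0/8 and xargs -P.

NET_OCTET=${NET_OCTET:-10}          # first octet of the /8 to chunk (constructed)
OUT_DIR=${OUT_DIR:-big_scan}        # per-chunk -oA files land here
# Brandon's tuned single-port options, minus -d, plus an explicit host timeout
NMAP_OPTS="-v -p 80 -Pn -n -T5 --min-hostgroup 8192 --min-parallelism 1024 --randomize-hosts --host-timeout 15m"

# chunk_list: the 256 /16 networks that make up NET_OCTET.0.0.0/8, one per line
chunk_list() {
    i=0
    while [ "$i" -le 255 ]; do
        printf '%s.%s.0.0/16\n' "$NET_OCTET" "$i"
        i=$((i + 1))
    done
}

# chunk_prefix NET: -oA prefix derived from the network, so chunks never collide
chunk_prefix() {
    printf '%s/%s' "$OUT_DIR" "$(printf '%s' "$1" | tr './' '__')"
}

# scan_cmd NET: the full nmap command line for one chunk
scan_cmd() {
    printf 'nmap %s -oA %s %s\n' "$NMAP_OPTS" "$(chunk_prefix "$1")" "$1"
}

# plan: command lines for every chunk that has no .gnmap output yet (resumable)
plan() {
    chunk_list | while read -r net; do
        [ -e "$(chunk_prefix "$net").gnmap" ] && continue
        scan_cmd "$net"
    done
}

# run_chunks JOBS: launch the plan, JOBS chunks at a time
run_chunks() {
    mkdir -p "$OUT_DIR"
    plan | xargs -P "${1:-2}" -I CMD sh -c CMD
}

# Default is a dry run that only prints the plan; set RUN_SCAN=1 to launch it.
if [ "${RUN_SCAN:-0}" = 1 ]; then
    run_chunks "${JOBS:-4}"
else
    plan
fi
```

Each chunk leaves its own big_scan/10_N_0_0_16.{nmap,gnmap,xml} set, so a per-/16 XML file stays manageable and a failed chunk is simply rerun.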