Nmap Development mailing list archives
Re: Net block scanning
From: "Michael" <michael () 0x90 ca>
Date: Sun, 15 Dec 2013 09:26:32 -0500
Robert,

You'll want to consider three things before you do this scan:

- Your ISP
- Bandwidth
- Keeping the scan running fast

First off, you want to make sure that your ISP is the appropriate venue for this type of scanning. Many consumer ISPs will detect and block port scanning of such a large range. On the other hand, if you're scanning from a colo, you shouldn't run into any issues. Anyone who runs a server and checks their logs will know that portscans are a very common occurrence.

One advantage Zmap has over Nmap is that you can specify bandwidth directly. In Nmap your best option is to specify a max packets-per-second rate. A SYN packet is 44 bytes, or 352 bits. I recommend getting your upload speed from a site like speed.io or speedof.me and calculating:

UploadSpeedInMbps*1000000/352

Then take 1% of that number for MINRATE and 65% of that number for MAXRATE. Or whatever values you are comfortable with, so long as your maxrate is less than your effective upstream bandwidth.

Finally, nmap isn't tuned by default to scan such large ranges. I recommend a command line as follows, based on the experiences of Nmap contributor Brandon Enright:

nmap -sS -sV -O -p PORTLIST -d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 -oA OUTPUTFILE --min-rate MINRATE --max-rate MAXRATE IPRANGE/16

A few things to note here: -n and -PN will reduce the bandwidth that you use. If you want a faster scan you could increase min-hostgroup and min-parallelism, but keep them in a 4:1 ratio. By default Nmap does a pretty good job at dynamically deciding how fast it should send packets, but you can run into trouble if your scan includes a lot of slow/unresponsive hosts; nmap may mistakenly think that your connection is slow. This is why I specify min-rate; I find it helps a scan run fast.

Hope that helps,
M

On Sun, December 15, 2013 4:12 am, Robin Cernin wrote:
Hi devs, Fyodor and all volunteers,

A question about network block scans. I got approval from the IPs' owner to perform a scan that will identify which hosts are live in their network and identify domain, ssh, smtp, ms-term-services, http, https and grab their versions, so we can identify possible exposed out-of-date services and safely find and patch those. I do not want to do anything unethical. Right now it's a total of 65 thousand IPs. I do not want to raise many eyebrows on this. Would anyone give me pointers like bandwidth, packets per second, which scan would give accurate results? Should that also be discussed with the ISP on my side + the ISP on the other end so I won't melt their switches? Also, the question is whether Nmap is fast enough or whether I should use something like Zmap for this.

Thank you in advance,
Best Regards

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
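The rate calculation Michael describes, written out as an added shell example that is not part of the thread. It uses his 44-byte (352-bit) SYN figure and 1%/65% fractions; the 10 Mbps uplink, the /16 host count and the seven-port list are constructed inputs for the worked case.

```shell
#!/bin/sh
# Added example: derive --min-rate/--max-rate from a measured upload speed
# and estimate how long the bare SYN sweep takes at the ceiling rate.
# Integer arithmetic only (whole Mbps), so every result rounds down.

# nmap_rates UPLOAD_MBPS -> prints "MINRATE MAXRATE"
nmap_rates() {
    mbps=$1
    pps=$(( mbps * 1000000 / 352 ))   # 44-byte SYN packets per second the uplink carries
    min=$(( pps * 1 / 100 ))           # 1% floor: keeps nmap from throttling on silent hosts
    max=$(( pps * 65 / 100 ))          # 65% ceiling: leaves headroom below the real uplink
    echo "$min $max"
}

# syn_sweep_seconds MAXRATE HOSTS PORTS -> seconds to send one SYN per host/port pair.
# -sV and -O generate extra traffic on top of this, so treat it as a lower bound.
syn_sweep_seconds() {
    echo $(( $2 * $3 / $1 ))
}

# Worked case (constructed): 10 Mbps uplink, one /16 (65536 hosts), seven ports.
set -- $(nmap_rates 10)
echo "--min-rate $1 --max-rate $2"
echo "SYN sweep of a /16 on 7 ports: ~$(syn_sweep_seconds "$2" 65536 7) s at max rate"
```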