Nmap Development mailing list archives

Re: Net block scanning


From: "Michael" <michael () 0x90 ca>
Date: Sun, 15 Dec 2013 09:26:32 -0500

Robert,

You'll want to consider three things before you do this scan:
 - Your ISP
 - Bandwidth
 - Keeping the scan running fast

First off, you want to make sure that your ISP is the appropriate venue
for this type of scanning. Many consumer ISPs will detect and block port
scanning of such a large range. On the other hand, if you're scanning from
a colo, you shouldn't run into any issues. Anyone who runs a server and
checks their logs will know that portscans are a very common occurrence.

One advantage Zmap has over Nmap is that you can specify bandwidth directly. In
Nmap your best option is to specify a maximum packets-per-second rate. A SYN
packet is 44 bytes, or 352 bits. I recommend getting your upload speed
from a site like speed.io or speedof.me and calculating:
UploadSpeedInMbps*1000000/352
Then take 1% of that number for MINRATE and 65% of that number for
MAXRATE, or whatever values you are comfortable with, so long as your
maxrate is less than your effective upstream bandwidth.

Finally, nmap isn't tuned by default to scan such large ranges. I
recommend a command line as follows, based on the experiences of Nmap
contributor Brandon Enright:
nmap -sS -sV -O -p PORTLIST -d -Pn -n -T4 --min-hostgroup 256
--min-parallelism 64 -oA OUTPUTFILE --min-rate MINRATE --max-rate MAXRATE
IPRANGE/16

A few things to note here: -n and -Pn will reduce the bandwidth that you
use. If you want a faster scan you could increase min-hostgroup and
min-parallelism, but keep them in a 4:1 ratio. By default Nmap does a
pretty good job at dynamically deciding how fast it should send packets,
but you can run into trouble if your scan includes a lot of
slow/unresponsive hosts; nmap may mistakenly think that your connection is
slow. This is why I specify min-rate; I find it helps a scan run fast.

Hope that helps,
M

On Sun, December 15, 2013 4:12 am, Robin Cernin wrote:
Hi devs, Fyodor and all volunteers,

A question about network block scans. I got approval from the IPs' owner to
perform a scan that will identify which hosts are live in their network
and identify domain, ssh, smtp, ms-term-services, http, https and grab
their versions so we can identify possibly exposed out-of-date services
so we can safely find and patch those. I do not want to do anything
unethical.

Right now it's a total of 65 thousand IPs.
I do not want to raise too many eyebrows on this. Would anyone give me
pointers like bandwidth, packets per second, which scan would give
accurate results? Should that also be discussed with the ISP on my
side and the ISP on the other end so I won't melt their switches?

Also, is Nmap fast enough or shall I use something like Zmap for
this?

Thank you in advance,
Best Regards
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


