Nmap Development mailing list archives

Re: How can I let nmap scan parallely on the combination of ip:port?


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 11 Mar 2015 08:25:15 -0500

Hongyi,

This idea gets brought up occasionally, but it's not something that Nmap
supports. Here's a transcript from a chat I had with someone on IRC in
December about the same thing:

rw->           anyone know a way to pass host:port in a file, like -iL, but
with ports too?
bonsaiviking>  rw-: Nmap doesn't support that. You'd have to shell-script
it to run multiple Nmaps
bonsaiviking>  to put it another way: All hosts listed get all ports listed
scanned.
rw->           yeah, was trying to avoid scripting it. how much of an
undertaking do you expect it would be to patch the code myself?
bonsaiviking>  rw-: depends how comfortable you are with C++. Right now,
the ports to be scanned are stored in a single static structure
bonsaiviking>  nmap.cc:470:struct scan_lists ports = { 0 };
rw->           i see a Target class with a PortList member, thought it
might be that easy :P
bonsaiviking>  no, that stores the results
rw->           ah
bonsaiviking>  If you turned the struct into a dynamic array of struct
scan_lists
bonsaiviking>  or not. You might get away with just one.
bonsaiviking>  and just overwrite it each time you get a new spec from the
list
bonsaiviking>  You could do that in targets.cc, in next_target
bonsaiviking>  but since ports is static to nmap.cc, you'd have to have a
function to do that.
bonsaiviking>  It ends up being pretty invasive. You're not the first
person to ask about it, but I've never gotten a good reason for wanting to
do it in the first place.
bonsaiviking>  If you have a list of hosts and ports you know are open, why
scan them?
bonsaiviking>  If you are trying to check for changes, why don't you care
about newly-opened ports (instead of newly-closed)
bonsaiviking>  in which case you'd need to scan more than just the few
ports per host.
rw->           a colleague is experimenting with distributed scans, so we
take in a master list of host:port and divvy them up between the scanners
rw->           might end up just scanning the entire collection of ports
for the given hosts with -p, even if some hosts don't have that port in the
spec
rw->           it's mainly academic at this point but still fun to think
about
bonsaiviking>  In that case, performance-wise, you'd want to avoid
splitting a single host among multiple nmap instances
bonsaiviking>  Since Nmap keeps track of network quality and host
responsiveness, it's duplicated effort to scan one host from multiple places
bonsaiviking>  unless you're looking to avoid detection, in which case
you'd want as few probes from each scanner as possible,
bonsaiviking>  and you'd be using very slow timing options anyway, so
performance doesn't matter
bonsaiviking>  For the same reason, unless your scanners are in different
regions, it's usually better to just run one nmap scan at a time, unless
you're using different options for each.
bonsaiviking>  That way the single scan gets as much data about packet
drops as possible, and it doesn't compete with the other instances.
rw->           it's an attempt to avoid getting blocked/throttled by IPS
devices for the "discovery" portion of pen tests
rw->           we get better/faster complete scans when we manually split
up the hosts over a few boxes, just trying to automate the process a bit

As I mentioned there, the only solution is to use some sort of script to
arrange hosts according to the port you want to scan. Usually, your input
file will not have very many different ports, so you can usually gather a
list of hosts for each port and scan those. Alternatively, you can
accumulate all the specified ports into one argument to the -p option and
scan those ports across all hosts; this is usually not as slow as you might
think, but you should check how many different ports would be scanned this
way before scanning. As a comparison, Nmap's -F option scans 100 ports and
calls that a "fast" scan.

Dan

On Wed, Mar 11, 2015 at 4:12 AM, Hongyi Zhao <hongyi.zhao () gmail com> wrote:

Hi all,

I have a huge file including the ip:port information which I want to scan
with nmap.  The issue is that nmap can only read the ip from a file with
the `-iL file' method.

And the ports to be scanned can be given in the -p switch.  In my case,
each specific port belongs to a specific ip, and if I let nmap scan all of
the possible ports for each ip, then it will be time consuming.

So, I just want to let the nmap only scan the combinations of ip:port
given in my file with the `--min-parallelism' parameter, is this
possible?

Regards
--
.: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

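Dan's reply suggests a script that groups hosts by port and runs one Nmap per port group, or alternatively collects every port into a single -p argument and checks how many distinct ports that would scan before starting. The following is an added example of that pre-processing step; it is not code from the Nmap project or from anyone in this thread. It assumes a plain-text input of `host:port` lines (IPv4 addresses or hostnames, one pair per line, `#` comments allowed), builds the nmap command lines without executing them, and reports the distinct-port count against the 100 ports that -F scans, as mentioned in the reply. The sample input is constructed for the example.

```python
"""Group an ip:port list into per-port Nmap runs, as the reply above suggests.

Added example, not code from the Nmap project or from the list thread.
Assumes input lines are "host:port" (IPv4 or hostname); blank lines and
'#' comments are skipped.  Builds nmap command lines but does not run them.
"""
from collections import defaultdict
import shlex

# Constructed sample input; not from the original message.
SAMPLE_SPEC = """\
# host:port pairs (constructed sample)
192.0.2.10:22
192.0.2.10:443
192.0.2.11:443
192.0.2.12:8080
192.0.2.13:443
192.0.2.13:22
"""

FAST_SCAN_PORTS = 100  # number of ports Nmap's -F option scans, per the reply


def parse_spec(text):
    """Return a list of (host, port) tuples; raise ValueError on a bad line."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) <= 65535:
            raise ValueError(f"line {lineno}: expected host:port, got {raw!r}")
        pairs.append((host, int(port)))
    return pairs


def group_by_port(pairs):
    """Map each port to the sorted, de-duplicated list of hosts that listed it."""
    groups = defaultdict(set)
    for host, port in pairs:
        groups[port].add(host)
    return {port: sorted(hosts) for port, hosts in sorted(groups.items())}


def per_port_commands(groups, extra_args=()):
    """One nmap invocation per port, scanning only the hosts that listed it.

    extra_args (e.g. timing options) is passed through unchanged."""
    return [["nmap", *extra_args, "-p", str(port), *hosts]
            for port, hosts in groups.items()]


def union_command(pairs, extra_args=()):
    """The alternative from the reply: every listed port against every listed
    host in a single -p argument.  Returns (argv, number_of_distinct_ports) so
    the caller can compare the port count against -F before scanning."""
    ports = sorted({port for _, port in pairs})
    hosts = sorted({host for host, _ in pairs})
    port_arg = ",".join(str(p) for p in ports)
    return ["nmap", *extra_args, "-p", port_arg, *hosts], len(ports)


if __name__ == "__main__":
    pairs = parse_spec(SAMPLE_SPEC)
    print("# one run per port:")
    for cmd in per_port_commands(group_by_port(pairs)):
        print(shlex.join(cmd))
    argv, nports = union_command(pairs)
    print("# or a single run over the union of ports:")
    print(shlex.join(argv))
    relation = "fewer" if nports < FAST_SCAN_PORTS else "no fewer"
    print(f"# {nports} distinct ports, {relation} than the {FAST_SCAN_PORTS} ports of -F")
```

Running the script prints the per-port command lines first and the single union command second, followed by the distinct-port count; pipe the output to a shell (or feed the argv lists to `subprocess.run`) once the count looks reasonable. Grouping by port rather than by host follows the reply's point that one Nmap instance per host group keeps the timing and packet-loss estimates in a single process instead of duplicating them across instances.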