RE: Scanning - anyone got ball park timings?

From: Pete Herzog (pete@isecom.org)
Date: Thu May 29 2003 - 16:55:03 EDT


Rule of thumb for security testing enumeration-- straight out of OSSTMM 2.5
RED--

(warning - this is a RULE OF THUMB which means your mileage may vary but
it's pretty accurate to start planning or baseline)

Based on blackbox enumeration and port scanning (ICMP all request types,
TCP/UDP 64k ports, various protocol application and network level types
based on ICMP response ACLs, and various enumeration techniques as outlined
in the OSSTMM). This should be about equivalent with running a vuln scanner
like ISS with "Scan if Ping Fails" option running.

48 hours for each /24 at 12 hops of 64Kb bandwidth. Add 1 hour per /24 for
every hop greater than 12. For less than 12 hops consider flood control
timing to balance rule or else calculations are unreliable. Divide by
(digital and upstream/downstream balance) bandwidth because increasing
bandwidth decreases time proportionally where smallest bandwidth is maximum
calculated size.

Example:

Scanning 3 /24 networks at 18 hops with a 256Kb line

Now assuming my math isn't hindered by lack of sleep:
48 hours per /24 = 144 hours
add 1 hour per hop per /24 over 12 hops = 144 + 6 * 3 = 162
divide for bandwidth = /(256 / 64) = /4
total = 162 / 4 = 40.5 hours

Less than 2 days for enumerating 3 /24s is about right. Anyways, it works
pretty well for me.

If 16 hours for vuln scans seems long for you then I recommend you take
shortcuts and enumerate once and make an IP list of systems and commonly
found ports to feed into the scanner. Actually, it sounds more like an
internal scan - or just a router or three away from you. Even then, a good
firewall will slow a scan down considerably.

You just need to feed me more info for more accuracy.

Sincerely,
-pete.
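The rule of thumb above can be turned into a small planning calculator. The following is an added example, not code from the message, the list, or the OSSTMM; it encodes the stated figures (48 hours per /24 at 12 hops and 64Kb, +1 hour per /24 per hop over 12, divided by bandwidth relative to 64Kb) and flags the under-12-hop case the rule calls unreliable. Two points are my own assumptions: the reading that bandwidth below 64Kb does not inflate the figure further (the 64Kb baseline being the maximum the rule calculates), and the helper `slash24_count_for_hosts`, which rounds a host count up to whole /24 blocks so a figure like "1700 addresses" can be fed in.

```python
"""Rule-of-thumb enumeration-time estimator built from the figures quoted above."""
import math
from dataclasses import dataclass

# Baseline figures stated in the message.
BASE_HOURS_PER_SLASH24 = 48.0   # hours per /24 at the baseline conditions
BASELINE_HOPS = 12              # hop count the 48 hours assumes
BASELINE_BANDWIDTH_KB = 64.0    # bandwidth (Kb) the 48 hours assumes


@dataclass(frozen=True)
class ScanEstimate:
    hours: float        # estimated wall-clock hours
    reliable: bool      # False when the rule itself says the figure is unreliable
    breakdown: str      # the working, one step per line, for the planning note


def slash24_count_for_hosts(host_count: int) -> int:
    """Hypothetical helper: whole /24 blocks needed to cover host_count addresses."""
    if host_count <= 0:
        raise ValueError("host_count must be positive")
    return math.ceil(host_count / 256)


def estimate_enumeration_hours(networks_24: int, hops: int, bandwidth_kb: float) -> ScanEstimate:
    """Apply the rule: 48 h per /24, +1 h per /24 per hop over 12, then divide
    by bandwidth relative to 64 Kb."""
    if networks_24 <= 0 or hops < 0 or bandwidth_kb <= 0:
        raise ValueError("networks_24 and bandwidth_kb must be positive, hops non-negative")

    lines = []
    hours = BASE_HOURS_PER_SLASH24 * networks_24
    lines.append(f"{BASE_HOURS_PER_SLASH24:g} h per /24 x {networks_24} = {hours:g} h")

    # One extra hour per /24 for every hop beyond the 12-hop baseline.
    extra_hops = max(0, hops - BASELINE_HOPS)
    hop_penalty = extra_hops * networks_24
    hours += hop_penalty
    lines.append(
        f"+1 h per hop over {BASELINE_HOPS} per /24: "
        f"{extra_hops} x {networks_24} = +{hop_penalty:g} h -> {hours:g} h"
    )

    # Assumption: bandwidth below the 64 Kb baseline does not inflate the figure;
    # the baseline is treated as the maximum the rule calculates.
    divisor = max(1.0, bandwidth_kb / BASELINE_BANDWIDTH_KB)
    hours /= divisor
    lines.append(
        f"divide by bandwidth ({bandwidth_kb:g} / {BASELINE_BANDWIDTH_KB:g} = {divisor:g}) "
        f"-> {hours:g} h"
    )

    # Below 12 hops the rule says to balance against flood-control timing instead.
    reliable = hops >= BASELINE_HOPS
    if not reliable:
        lines.append(
            f"fewer than {BASELINE_HOPS} hops: rule says to balance against "
            "flood-control timing; estimate is unreliable"
        )

    return ScanEstimate(hours=hours, reliable=reliable, breakdown="\n".join(lines))


if __name__ == "__main__":
    # The worked example from the message: 3 /24s at 18 hops on a 256 Kb line.
    est = estimate_enumeration_hours(networks_24=3, hops=18, bandwidth_kb=256)
    print(est.breakdown)
    print(f"total: {est.hours:g} h, reliable={est.reliable}")
    # Rounding a found-host count up to /24 blocks before estimating.
    print(f"1700 hosts -> {slash24_count_for_hosts(1700)} /24 blocks")
```

Running it reproduces the 40.5 hours from the worked example and prints each step of the working, which is what you would paste into a test plan; the `reliable` flag is there so a short-hop or internal scan is not scheduled on a number the rule itself disowns.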

> -----Original Message-----
> From: Mark Phillips [mailto:mark@probably.co.uk]
> Sent: Thursday, May 29, 2003 15:27 PM
> To: pen-test@securityfocus.com
> Subject: Scanning - anyone got ball park timings?
>
>
> Hi,
>
> What are people's experiences of time scales when scanning ranges of hosts?
> OK, so I know that's a "how long is a piece of string", but if people can
> say what sort of times they're getting for a given size of IP range and
> given type of scan, that would be helpful.
>
> I've been running a "SANS 20" policy scan from ISS Internet Scanner 7,
> across the Internet, and am seeing timings like 16 hours for 1700
> addresses found. Is this realistic? Is this quick or slow? If it's slow,
> do people have any hints and tips about how to speed up the whole process?
>
> Any pointers muchos appreciated.
>
> Cheers,
>
> --Mark
>
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT