Re: Nmap scanning speed

From: Phil Frederick (flosofl@gmail.com)
Date: Sun Apr 30 2006 - 21:46:10 EDT


You may want to scan in parallel. As many machines as you can get.
Otherwise this will take a while. We have a class A (10.x.x.x) split
into several smaller subnets (300,000+ nodes total) that we scan every
week. We handle it by using 40+ dedicated scanning machines that each
handle their own section. I'll say it again, I highly recommend using
multiple scanners.

Don't use stealth mode. You'll never finish. Also, alert your
firewall team to allow the scanning systems through to the other
networks. Alert whoever handles the IDS config. Many, many alarms
will be triggered by the scan.

A huge time saver would be a list of valid IPs (so you don't have to
hit the whole block of addresses). My experience with our stuff is
that we use at most 35-40% of the available hosts in the ranges we
have defined. You may want to do a simple discovery first to generate
an "addresses to scan" DB. If you are only doing this once a month,
run the discovery in the first half of the month and the port scan in the
second.

Scripting is your friend. Perl or Python (hell, WMI works) will help
split and combine your results.

1-1024? Are you scanning for legitimate services only? Because
zombies, netcat, BO, etc. will all be higher in the range (i.e. BO
will be 31337 without modification). You may want to use "-p
1-1024,<evil tool port>,<evil tool port>,<evil tool port>,<evil tool
port>,etc.." when you invoke nmap if you don't want to scan the
entire range.

-Phil
On 28 Apr 2006 20:10:29 -0000, chrismc@gmail.com <chrismc@gmail.com> wrote:
> Hi,
>
>
> We have been asked to scan a Class B network for port range 1 - 1024 every month.
>
> The network is across 4 hops of T1 links. ICMP is filtered at the edge router and hence prevents us from using ICMP to detect live systems.
>
>
> Has anyone attempted a scan on such a large scale and can provide us with information regarding the time nmap could take to scan such an environment and what should be the ideal settings?
>
>
> Appreciate any response to this.
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> Choice Award from eWeek. As attacks through web applications continue to rise,
> you need to proactively protect your applications from hackers. Cenzic has the
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request@cenzic.com for details.
> ------------------------------------------------------------------------------
>
>
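
The split-and-combine scripting recommended in the reply above could look like the following. This is an added example, not code from the original message or from the nmap project. It assumes the discovery pass produced a plain list of live addresses and that each scanner saved grepable output with nmap's `-oG` option; the function names and the sample data are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# One "port/state/proto/owner/service/" entry from the Ports: field of nmap -oG output.
OPEN_PORT = re.compile(r"(\d+)/open/(tcp|udp)/[^/]*/([^/]*)/")

def shard_targets(live_hosts, scanners):
    """De-duplicate and sort the discovery list, then deal it round-robin to N scanners."""
    hosts = sorted({ipaddress.ip_address(h.strip()) for h in live_hosts if h.strip()})
    shards = [[] for _ in range(scanners)]
    for i, host in enumerate(hosts):
        shards[i % scanners].append(str(host))
    return shards  # write shard n to a file and scan it with: nmap -iL <file> -oG <out>

def parse_grepable(text):
    """Return {ip: {(port, proto, service)}} for open ports in one -oG file."""
    found = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, proto, service in OPEN_PORT.findall(ports_field):
            found[ip].add((int(port), proto, service))
    return found

def merge_results(outputs):
    """Combine per-scanner -oG outputs into one report ordered by address."""
    merged = defaultdict(set)
    for text in outputs:
        for ip, ports in parse_grepable(text).items():
            merged[ip] |= ports
    ordered = sorted(merged, key=ipaddress.ip_address)
    return {ip: sorted(merged[ip]) for ip in ordered}

# Constructed sample data: a discovery list and two scanners' grepable output.
LIVE = ["10.1.0.9", "10.1.0.5", "10.1.0.5", "10.1.2.1", "10.1.0.10", ""]
SCANNER_A = ("# Nmap scan (constructed sample)\n"
             "Host: 10.1.0.5 ()\tStatus: Up\n"
             "Host: 10.1.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
             "443/closed/tcp//https///\n"
             "Host: 10.1.0.10 ()\tPorts: 31337/open/tcp//Elite///\n")
SCANNER_B = "Host: 10.1.0.9 ()\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (1023)\n"

if __name__ == "__main__":
    print(shard_targets(LIVE, 2))
    for ip, ports in merge_results([SCANNER_A, SCANNER_B]).items():
        print(ip, ports)
```

Round-robin dealing over the sorted list keeps each scanner's share roughly equal even when live hosts cluster in a few subnets.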



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:54 EDT