Re: nmap scanning techniques and execution privileges

[Brahim Sakka <brahim.sakka () gmail com>]

2011/12/14, Guillaume Rousse <guillomovitch () gmail com>:
> Hello list.
>
> I'm using nmap to scan large IP ranges (B classes) this way:
> nmap -sV -T5 -F -oX -
>
> When advised that some of the servers were missing in the report, I read
> the manual, and found than default scanning technique when run without
> raw socket priveleges was to use TCP connect scan, instead of TCP SYN
> scan, which is considered a better option. So I switched to root
> privileges instead:
> sudo nmap -sV -T5 -F -oX -
>
> But now I discovered then some other servers were missing in the new
> report. After investigating the issue, I found than raw socket
> privileges allow to use ICMP to speed up the scan by skipping
> non-responsing hosts, and the missing host were those not responding to
> ICMP echo probes. So I attempted to disable this optimisation:
> sudo nmap -sV -Pn -T5 -F -oX -
>
> But now scanning a class B range needs more than 12 hours to complete :(
>
> So, how does the first nmap command, run as standard user without ICMP
> optimisation, complete in just one hour, while the same command run as
> root is more than 10 times slower ?
You said it. The "enhanced" version of the command will scan every
single host, while the first/second one only scanned these hosts that
replied to ICMP requests. You do the math :-)
> Also, if I can't have a magic set of options to discover all the running
> servers in a single run, is there any way to merge results from two
> different scans ?
Try importing both results in Zenmap.
> --
> BOFH excuse #353:
>
> Second-system effect.
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/