Re: faster scans? (nmap)

[Yann Berthier <Yann.Berthier () hsc fr>]

On Mon, 03 Jun 2002, Steve Maks wrote:

   [context lost thanks to top-posting :p]

> Take a look at the rtt options in nmap (min/max/initial_rtt_timeout), it's
> pretty much required to modify them when you are scanning hosts with -P0.
> Depending on your connection and the target's connection, you can greatly
> improve the scan speed.

   Yes, but one has to keep in mind it depends a lot of the network
   lossage: we have seen very unreliable results with nmap - on
   unreliable networks that is, but when doing a pentest, we can't
   refuse customers because they have bad connectivity, can we ? :) 
   
   So back to the subject: scanning large networks is a real problem as
   a pentester. It can take several nmap runs to adjust the rtt
   according to the lossage, and to have the more accurate snapshot of
   the tested network. And then we need to:

   . scan again with fixed source ports
   . scan once more while playing with the ttl

   All of this is very time consuming, and there is no handy solution I
   know. I think we need new paradigms here (yes, no less), but I'm sure
   some of you have already thought about this ...
    
   <sci-fi on>

   Imagine now an ipv6 world where /48 networks at least are the norm
   ...

   </sci-fi on> 

   - yann.

-- 
   Yann.Berthier () hsc fr -*- HSC -*- http://www.hsc.fr/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/