Having recently spent some time working with Nmap for an upcoming course, I noticed that there is room for speed improvements in many of our Nmap commands. For example, the following command:
nmap -A -p 80 192.168.1.0/24
can be run in a similar manner, but in half the time. The goal of the above command is to gather the service fingerprint of all web servers in your environment. This is valuable information, and especially useful when looking for “interesting” services running on port 80, like botnet controllers. So, as a speed test, let's run the above command against the most port-scanned system in the world:
# nmap -A -p 80 scanme.insecure.org
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-20 13:41 EST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.2 ((Fedora))
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 14.204 seconds
The first command option, “-A”, tells Nmap to run OS detection in addition to service/version detection for all ports specified. In this case we are specifying port 80 with the “-p 80” option. Since we only told Nmap to scan one port, it can find at most one open port and never a closed one, hence the complaint from the OS fingerprinting engine: “OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port”. To cut the scan time in half, use the following command:
# nmap -sV -T4 -n -p 80 scanme.insecure.org
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-20 13:54 EST
Interesting ports on 205.217.153.62:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.2 ((Fedora))
Nmap finished: 1 IP address (1 host up) scanned in 6.948 seconds
The first change we made was to replace “-A” with “-sV”. This tells Nmap to do only service fingerprinting and not OS fingerprinting. We then added the “-T4” command option, which tells Nmap to use “aggressive” timing options. “-T4” is really a macro for other, more advanced, Nmap command line options such as “--max-rtt-timeout”, which sets how long Nmap will wait for a probe response. “-T4” is a good place to start when speeding up a scan. The “-n” flag tells Nmap to skip reverse DNS resolution of the targets (even though Nmap has done this much faster since 3.97-Shmoo). We can see that by making these three small changes our scan time went from “14.204 seconds” to just “6.948 seconds”. This is a HUGE time saving when attempting to scan a class C or class B network.
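Once the faster “-sV -T4 -n -p 80” sweep is run against a whole network, the next step is picking out the “interesting” port 80 services from the output. The following parser is an added example, not code from the original post: it reads Nmap's normal output in the format shown above (handling both the “hostname (ip)” header and the bare-IP header that -n produces, and ignoring closed ports), and flags any open port 80 whose banner is not an expected product. The sample output and the 192.0.2.x addresses are constructed for the example.

```python
import re

# Constructed Nmap 4.x normal output: hostname+IP header, and bare-IP header as under -n.
SAMPLE_OUTPUT = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-20 13:54 EST
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.2 ((Fedora))
Interesting ports on 192.0.2.17:
PORT   STATE SERVICE VERSION
80/tcp open  http    lighttpd 1.4.13
Interesting ports on 192.0.2.40:
PORT   STATE  SERVICE
80/tcp closed http
Nmap finished: 3 IP addresses (3 hosts up) scanned in 6.948 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (?:(\S+) \(([\d.]+)\)|([\d.]+)):$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
TIME_RE = re.compile(r"scanned in ([\d.]+) seconds")

def parse_nmap_output(text):
    # Returns ({ip: {"hostname": ..., "ports": [...]}}, scan_seconds).
    hosts, current, seconds = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # new host block; hostname is None when nmap ran with -n
            hostname, ip = m.group(1), m.group(2) or m.group(3)
            current = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:  # the "PORT STATE ..." header row never matches
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4),
                                     "version": m.group(5).strip()})
            continue
        m = TIME_RE.search(line)
        if m:
            seconds = float(m.group(1))
    return hosts, seconds

def interesting_web_servers(hosts, expected=("Apache httpd",)):
    # An open port 80 whose banner is not an expected product deserves a closer look.
    flagged = []
    for ip, info in hosts.items():
        for p in info["ports"]:
            if p["port"] == 80 and p["state"] == "open" \
                    and not p["version"].startswith(expected):
                flagged.append((ip, p["version"]))
    return flagged
```

Feed it the saved output of the class C sweep (nmap's -oN file works as-is) and review whatever comes back from interesting_web_servers.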
Happy portscanning!
NOTE: For those in the New England area I will be teaching courses on Nmap and Nessus that will cover the concepts above and more. For more information drop me a note, paul /at/ securityweekly.com.
Cheers,
Paul