Nmap For Speed Freaks

Having recently spent some time working with Nmap for an upcoming course, I noticed that there is room for speed improvements in many of our Nmap commands. For example, the following command:


nmap -A -p 80 192.168.1.0/24

can be run in a similar manner, but in half the time. The goal of the above command is to gather the service fingerprint of every web server in your environment. This is valuable information, and especially useful when looking for “interesting” services running on port 80, like botnet controllers. So, as a speed test, let's run the above command against the most port-scanned system in the world:


# nmap -A -p 80 scanme.insecure.org
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-20 13:41 EST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.2 ((Fedora))
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 14.204 seconds

The first command option, “-A”, tells Nmap to execute an OS fingerprint in addition to a service fingerprint for all ports specified. In this case we are specifying only port 80 with the “-p 80” option. Since we told Nmap to probe just one port, the most it can ever find is one open port and never a closed one, hence the complaint from the OS fingerprinting engine: “OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port”. Since all we want is the service banner, that OS detection is time spent for nothing. To cut the scan time in half, use the following command:


# nmap -sV -T4 -n -p 80 scanme.insecure.org
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-20 13:54 EST
Interesting ports on 205.217.153.62:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.2 ((Fedora))
Nmap finished: 1 IP address (1 host up) scanned in 6.948 seconds

The first change we made was to replace “-A” with “-sV”. This tells Nmap to do only service fingerprinting and no OS fingerprinting. We then added the “-T4” option, which tells Nmap to use “aggressive” timing. “-T4” is really a macro for other, more advanced, Nmap command line options such as “--max-rtt-timeout”, which controls how long Nmap will wait for responses. “-T4” is a good place to start when speeding up a scan. The “-n” flag tells Nmap to skip reverse DNS resolution of the targets (even though it does this much faster since 3.97-Shmoo). We can see that by making these three small changes our scan time went from “14.204 seconds” to just “6.948 seconds”. This is a HUGE time saving when attempting to scan a class C or class B network.
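As an added example (not code from the original post), here is a small Python helper that does the follow-up work once the faster scan has been run across a subnet with grepable output (`nmap -sV -T4 -n -p 80 -oG - 192.168.1.0/24`): it parses the `-oG` host lines and flags port-80 services whose version banner is not one of the web servers you expect, which is the “interesting service” hunt described above. The hosts and banners in SAMPLE_GREPABLE are constructed for the example, and the EXPECTED_WEB_SERVERS allowlist is an assumption you would adjust for your own environment. It also pulls the “scanned in N seconds” figure out of the two runs shown above to compute the speedup.

```python
import re

# Constructed sample of `nmap -sV -T4 -n -p 80 -oG -` output for a few hosts.
# The IPs and banners are made up for this example; the line layout follows
# nmap's grepable format: port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GREPABLE = """\
# Nmap 4.11 scan initiated Mon Nov 20 13:54:01 2006 as: nmap -sV -T4 -n -p 80 -oG - 192.168.1.0/29
Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.2 ((Fedora))/\tIgnored State: closed (0)
Host: 192.168.1.2 ()\tPorts: 80/closed/tcp//http///
Host: 192.168.1.3 ()\tPorts: 80/open/tcp//http//Microsoft IIS webserver 6.0/
Host: 192.168.1.4 ()\tPorts: 80/open/tcp//http?///
Host: 192.168.1.5 ()\tPorts: 80/open/tcp//http//Custom HTTP daemon 0.1/
# Nmap done at Mon Nov 20 13:54:09 2006 -- 8 IP addresses (5 hosts up) scanned in 6.948 seconds
"""

# Summary lines quoted from the two runs against scanme.insecure.org above.
SLOW_OUTPUT = "Nmap finished: 1 IP address (1 host up) scanned in 14.204 seconds"
FAST_OUTPUT = "Nmap finished: 1 IP address (1 host up) scanned in 6.948 seconds"

# Assumed allowlist of sanctioned web server products (adjust for your site).
EXPECTED_WEB_SERVERS = ("Apache httpd", "Microsoft IIS", "nginx", "lighttpd")

GREP_HOST = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State: .*)?$")
SCAN_TIME = re.compile(r"scanned in ([\d.]+) seconds")


def parse_grepable(text):
    """Return one dict per open port found in `nmap -oG` output.

    Port entries are comma-separated and carry seven slash-separated fields;
    a '/' inside a version string is encoded by nmap as '|'.
    """
    records = []
    for line in text.splitlines():
        m = GREP_HOST.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines and hosts without a Ports field
        ip, hostname, ports = m.groups()
        for entry in ports.split(", "):
            body = entry[:-1] if entry.endswith("/") else entry  # drop the trailing '/'
            fields = body.split("/")
            if len(fields) != 7:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields
            if state != "open":
                continue
            records.append({"ip": ip, "hostname": hostname, "port": int(port),
                            "proto": proto, "service": service,
                            "version": version.replace("|", "/")})
    return records


def unexpected_web_servers(records, expected=EXPECTED_WEB_SERVERS):
    """Open ports whose banner is not from a sanctioned server.

    An empty banner (nmap printed 'http?') is flagged too: -sV could not
    identify the daemon, which is exactly the case worth a second look.
    """
    return [r for r in records
            if not any(r["version"].startswith(name) for name in expected)]


def scan_seconds(normal_output):
    """Extract the elapsed time from nmap's 'scanned in N seconds' line."""
    m = SCAN_TIME.search(normal_output)
    return float(m.group(1)) if m else None


def speedup(slow_output, fast_output):
    """How many times faster the second run was than the first."""
    return scan_seconds(slow_output) / scan_seconds(fast_output)


if __name__ == "__main__":
    for r in unexpected_web_servers(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{r['ip']}:{r['port']} {r['service']!r} banner={r['version']!r}")
    print(f"-sV -T4 -n was {speedup(SLOW_OUTPUT, FAST_OUTPUT):.2f}x faster than -A")
```

Pipe a live sweep straight in with `nmap -sV -T4 -n -p 80 -oG - 192.168.1.0/24 | python3 this_script.py` after swapping SAMPLE_GREPABLE for `sys.stdin.read()`; the allowlist deliberately matches on the product name only, so a new major version of an approved server does not show up as a false positive.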
Happy portscanning!
NOTE: For those in the New England area I will be teaching courses on Nmap and Nessus that will cover the concepts above and more. For more information drop me a note, paul /at/ securityweekly.com.
Cheers,
Paul

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRT54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly; he enjoys coding in Python and telling everyone he uses Linux.
