speedy NMAP scans

Nmap (http://www.insecure.org/nmap) is the most popular network scanner, widely used and widely misused. Most people ignore its many switches (options) and run it with the default parameters. Nmap can be tuned for SPEED or for STEALTH; here I'll mainly talk about maximizing SPEED.

I'll demonstrate this by scanning localhost, i.e. my own computer via the loopback address (127.0.0.1), as a non-root user. Without root nmap cannot send the raw packets a SYN scan needs, so it falls back to a full TCP connect() scan, which is what the "Initiating Connect() Scan" line below confirms:

[d00m@localhost d00m]$ nmap -v 127.0.0.1
 
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-11-21 23:44 EST
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Initiating Connect() Scan against localhost.localdomain (127.0.0.1) at 23:44
Adding open port 631/tcp
Adding open port 6000/tcp
Adding open port 25/tcp
The Connect() Scan took 0 seconds to scan 1659 ports.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
631/tcp  open  ipp
6000/tcp open  X11
 
Nmap run completed -- 1 IP address (1 host up) scanned in 0.585 seconds

Time taken for default scan = 0.585 seconds

Now to improve the speed by using the "-P0" switch, which skips the ping probe nmap normally sends to check that the target is up before scanning it (current releases spell this -Pn). Be aware that this only saves time when the target really is up: against a range of addresses, -P0 makes nmap port-scan every address, including the dead ones, which can make a sweep far slower rather than faster.

[d00m@localhost d00m]$ nmap -v -P0 127.0.0.1
 
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-11-21 23:51 EST
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Initiating Connect() Scan against localhost.localdomain (127.0.0.1) at 23:51
Adding open port 631/tcp
Adding open port 6000/tcp
Adding open port 25/tcp
The Connect() Scan took 0 seconds to scan 1659 ports.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
631/tcp  open  ipp
6000/tcp open  X11
 
Nmap run completed -- 1 IP address (1 host up) scanned in 0.248 seconds

Time taken = 0.248 seconds
Previous time taken = 0.585 seconds

Adding the "-F" (fast) switch reduces the scan time further by cutting down the number of ports probed. By default nmap 3.50 scans ports 1-1024 plus every higher port listed in its nmap-services file (1659 ports in the runs above); -F restricts the scan to just the ports listed in nmap-services (1217 here), so the rarely used high ports are skipped. Note that neither mode scans all 65535 ports; for that you need "-p 1-65535". (Current releases default to the 1000 most common ports, and -F cuts that to 100.)

[d00m@localhost d00m]$ nmap -v -P0 -F 127.0.0.1
 
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-11-21 23:55 EST
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Initiating Connect() Scan against localhost.localdomain (127.0.0.1) at 23:55
Adding open port 631/tcp
Adding open port 25/tcp
Adding open port 6000/tcp
The Connect() Scan took 0 seconds to scan 1217 ports.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1214 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
631/tcp  open  ipp
6000/tcp open  X11
 
Nmap run completed -- 1 IP address (1 host up) scanned in 0.229 seconds

The differences here are small, but remember that I am scanning my own computer over loopback, NOT a host on the LAN or the Internet. Against a remote host every probe pays a real round-trip delay, so the savings from fewer probes become far more significant.

However, the downside is that improving speed means compromising stealth: a faster scan squeezes its probes into a tighter burst, which is easier for an IDS or an attentive admin to notice.
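As an added example (not part of the original post), the POSIX shell script below times one target under each option set discussed above and checks that the faster variants still report the same open ports. It assumes nmap is on PATH (the live runs are skipped otherwise), that you are permitted to scan the target, and it uses -Pn, the current spelling of the post's -P0 (set NOPING=-P0 on a 3.x release); -T4 is the numeric form of the -T timing switch.

```shell
#!/bin/sh
# Added example, not from the original post: time one target under the
# option sets discussed above (default, no ping, no ping + fast ports,
# and the -T timing template) and print the seconds nmap reports along
# with the number of open ports it found, so speed gains can be checked
# against scan results.
#
# Assumptions: nmap is on PATH (live runs are skipped if not), the target
# is one you are allowed to scan, and "no ping" is spelled -Pn as on
# current releases (override with NOPING=-P0 for nmap 3.x).

TARGET="${1:-127.0.0.1}"
NOPING="${NOPING:--Pn}"

# Map a profile name to the nmap options it stands for.
profile_opts() {
  case "$1" in
    default)    printf '%s\n' "-v" ;;
    noping)     printf '%s\n' "-v $NOPING" ;;
    fast)       printf '%s\n' "-v $NOPING -F" ;;
    aggressive) printf '%s\n' "-v $NOPING -F -T4" ;;
    *) echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# Pull the total runtime out of nmap's closing summary line, which ends
# in "... scanned in 0.585 seconds" on both old and current releases.
scan_seconds() {
  sed -n 's/.*scanned in \([0-9.][0-9.]*\) seconds.*/\1/p'
}

# Count lines of the open-port table, e.g. "25/tcp   open  smtp".
open_ports() {
  grep -c '^[0-9][0-9]*/[a-z]* *open' || true
}

# Run one profile against TARGET and print: name, seconds, open ports.
run_profile() {
  opts=$(profile_opts "$1") || return 1
  out=$(nmap $opts "$TARGET" 2>/dev/null) || return 1
  printf '%-10s %6s s  %s open\n' "$1" \
    "$(printf '%s\n' "$out" | scan_seconds)" \
    "$(printf '%s\n' "$out" | open_ports)"
}

if command -v nmap >/dev/null 2>&1; then
  for p in default noping fast aggressive; do
    run_profile "$p"
  done
else
  echo "nmap not found on PATH; skipping live scans" >&2
fi
```

Run it as `sh speedy.sh 127.0.0.1` (or another host you own); if the open-port count drops between the "default" and "fast" rows, the missing service sits on a port outside the -F list and the speed gain is costing you coverage.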

Some final tips :
- www.ping2me.com offers online nmap scans
- Also explore the "-T" switch, which selects a timing template from Paranoid (0) through Normal (3) to Insane (5); the higher templates cut the delays between probes at the cost of stealth and accuracy. Check out nmap's documentation for further details.
