Network Security Pen-Test

Re: Nmap scanning speed

Subject: Re: Nmap scanning speed
Date: Mon, 14 Nov 2005 22:44:49 -0800
From: Trent@yahoo.co.uk [mailto:Trent@yahoo.co.uk] 
Sent: Thursday, November 10, 2005 12:13 PM
To: pen-test@securityfocus.com
Subject: Nmap scanning speed

I have to scan a large network. Is it possible to get good port scanning speed of over 700 ports per second from nmap?

Keep in mind that scanning speed (software tool aside) is a tricky thing to get right on a large network. You have to know the maximum available bandwidth from the networks you're scanning from, and the remote networks that you are scanning. You also have to account for the fact that most networks are optimized for stable communication throughput... so just because you see a fat pipe on both sides doesn't mean that they are going to be able to take a large number of relatively tiny packets per second. Add to this the mess of these IDS/IPS/Firewall devices that give up the ghost on a high rate of state changes and you're left with either meticulously mapping out the safe/accurate scanning rates on the individual network segments, or choosing a modest rate to test everything at. If you just go "really fast", you'll either be left with inaccurate results, or DoSing the networks, or both. We've killed .. as in fried switch ports before (we did this at our Black Hat class in Vegas this past summer). We've also taken out firewalls (high end, really expensive boxes) at relatively low packet per second rates.

When testing these large networks it's best to start with a conservative rate on a segment and work up the speed, and increase the network segment size. Validate the results, and then move on to the full blown scan.

The problem with tools like nmap and scanrand in these situations is that you can't really dial in the pps to send at. With nmap you get pretty consistent numbers if you use the same release/hw for all of your scans. With scanrand if you specify too high of a rate, you will experience packet loss on the sender. With unicornscan we tried very hard to provide timing that gets close to the rate asked for... i.e. if you ask for 1,000 pps you'll get ~990 pps, etc. The fastest we've accurately scanned at with stock hardware was over 100,000 pps from a single card. We're still looking at custom network hardware to go higher than that (I really want to see 1,000,000 pps for IPv6 networks). But with our distributed scanning, using multiple senders and receivers as one logical TCP/IP stack, the remote network is going to be your limit, not the rate of speed you can get from your scanning system.

Anyhow, we're getting ready to release an update to unicornscan. If any of you have a large network to play with and don't mind providing feedback, hit me up and I'll help you get the pre-release working. The biggest feature differences that you'll see in the next release are being able to do the distributed scanning that we demo'd at Black Hat/DEF CON + being able to perform TCP based trigger/response testing. I.e., instead of having to portscan on the 1st sweep, and then banner grab on the open ports, and then amap the open ports, you can send dynamic or static TCP/UDP payloads all on the 1st sweep. For more info on that, see the unicornscan.org website. The DEF CON talk slides are there to download.

Feel free to ask more large scale scanning questions. We have had good success doing that with unicornscan. Also, a quick plug for ISECOM's OPST/OPSA classes. To my knowledge they're the only group teaching unicornscan in the curriculum worldwide. I helped write those slides. If you're looking for a class to go to in the next few months, that might be a good one to consider. I'm teaching an OPST class in Feb here in Southern California, but they are available world-wide through the ISECOM training network.

Cheers, and happy testing,

Robert

-- 
Robert E. Lee
CIO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033
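A defender-side check for the "high rate of state changes" point in the reply above, added here as an example and not part of Robert's post or of unicornscan: it counts NEW-flow events per source over a sliding one-second window from a constructed firewall log (the `<epoch> NEW <src> -> <dst>:<port>` line format is an assumption) and flags sources at or above 700 new flows/s, the rate the original question asked about.

```python
from collections import defaultdict, deque


def make_sample_log():
    """Constructed sample: 10.0.0.5 opens 800 flows 1 ms apart (a fast port
    sweep), 10.0.0.9 opens 3 flows 1 s apart (ordinary traffic)."""
    base = 1131710000.0
    lines = [f"{base + i * 0.001:.6f} NEW 10.0.0.5 -> 192.0.2.10:{1 + i}"
             for i in range(800)]
    lines += [f"{base + i:.6f} NEW 10.0.0.9 -> 192.0.2.20:443"
              for i in range(3)]
    # Timestamps are fixed-width, so a lexical sort is a chronological sort.
    return sorted(lines)


def parse_line(line):
    """Assumed log format: '<epoch.micro> <EVENT> <src> -> <dst>:<port>'."""
    ts, kind, src, _arrow, dst = line.split()
    return float(ts), kind, src, dst


def peak_new_flow_rate(lines, window=1.0):
    """Return {src: peak NEW-flows-per-second} over a sliding time window.

    Each NEW event is one state-table insertion on a stateful firewall/IPS,
    which is the per-second cost that such devices fall over on.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peak = defaultdict(float)
    for raw in lines:
        if not raw.strip():
            continue
        ts, kind, src, _dst = parse_line(raw)
        if kind != "NEW":
            continue              # established/teardown events are not insertions
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop events that aged out of the window
        peak[src] = max(peak[src], len(q) / window)
    return dict(peak)


def sources_over(lines, threshold_pps=700.0, window=1.0):
    """Sources whose peak new-flow rate meets or exceeds threshold_pps."""
    rates = peak_new_flow_rate(lines, window)
    return sorted(src for src, rate in rates.items() if rate >= threshold_pps)


if __name__ == "__main__":
    log = make_sample_log()
    print(peak_new_flow_rate(log), sources_over(log))
```

The same window logic applies to a real connection-tracking log once `parse_line` is adapted to its format; the threshold is the value you measured as safe for your own segment during the conservative ramp-up the reply recommends.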

