[unisog] Determining local servers and banners

Florian Weimer fw at deneb.enyo.de
Sun Apr 10 18:41:51 GMT 2005


* Brian Smith-Sweeney:

> I asked about number of hosts because I'm working on getting active 
> scans to run A) more accurately, and B) within a reasonable (1 week) 
> amount of time.  Would you mind sharing your nmap timing options, and 
> what your associated % of host response is?

nmap has the reputation of being a fast, parallel scanner, but it only
parallelizes scans to several ports on the same host, not across the
network.  This makes nmap not the first choice for network-wide server
detection.

That's the main reason I wrote doscan ("Denial-Of-Service Capable
Auditing of Networks").  Our requirements were slightly different from
yours, though.  We were only interested in services on a specific
port, not all services on the network, and doscan is optimized for
this task.  If I recall correctly, it scans a /15 (with about 10% host
utilization) in a couple of minutes, with suitably tweaked settings.
On Linux 2.6 systems, it can easily process tens of thousands of
parallel connection attempts, thanks to epoll support.  There's no
FreeBSD kqueue support yet (I don't do FreeBSD).  doscan can collect
banners (and tears down connections once the banner matches a given
regular expression, to free a connection slot as fast as possible),
and it can trigger banners by sending strings to the remote server.

There are some scanners which use reverse SYN cookies.  I'm not aware
of any which can collect service banners, which would require a fairly
complete TCP implementation in user space.
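As an added illustration of the single-port, banner-collecting scan described above (this is example code written for this page, not doscan's own C/epoll implementation), the Python asyncio script below connects to many targets in parallel under a bounded number of connection slots, optionally sends a trigger string, reads until a regular expression matches the banner (then tears the connection down to free the slot), and otherwise gives up on EOF or a timeout. Because it has to run offline, the "targets" are constructed fake services on 127.0.0.1 (one SMTP-like service that speaks first, one HTTP-like service that only answers after a request, one silent listener, and one closed port); in real use you would hand `scan()` thousands of hosts on the same port rather than a few ports on one host. The names `FAKE_SERVICES`, `grab_banner`, `scan` and `demo` are this example's, not doscan's.

```python
import asyncio
import functools
import re
import socket

# Constructed fake services for the example (not real hosts): name -> (banner, needs_trigger).
# "http" only speaks after the client sends a request line, like a real HTTP server.
FAKE_SERVICES = {
    "smtp": (b"220 mail.example.test ESMTP ready\r\n", False),
    "http": (b"HTTP/1.0 200 OK\r\nServer: demo/1.0\r\n\r\n", True),
    "silent": (b"", False),
}


async def _fake_service(banner, needs_trigger, reader, writer):
    """Serve one connection: optionally wait for a trigger line, emit the banner,
    then hold the connection open until the scanner tears it down."""
    try:
        if needs_trigger:
            await reader.readline()
        if banner:
            writer.write(banner)
            await writer.drain()
        await reader.read()  # returns b"" once the scanner closes its side
    except (ConnectionResetError, BrokenPipeError):
        pass
    finally:
        writer.close()


async def grab_banner(host, port, trigger, pattern, timeout, slots):
    """Connect, optionally send `trigger`, then read until `pattern` matches,
    EOF, or `timeout` seconds pass. Returns None if the port is closed or
    unreachable, else the bytes collected (possibly b"" for a silent service)."""
    async with slots:  # one of the bounded parallel connection slots
        try:
            reader, writer = await asyncio.wait_for(
                asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):
            return None
        loop = asyncio.get_running_loop()
        deadline = loop.time() + timeout
        buf = b""
        try:
            if trigger:
                writer.write(trigger)
                await writer.drain()
            while len(buf) < 4096:
                remaining = deadline - loop.time()
                if remaining <= 0:
                    break
                try:
                    chunk = await asyncio.wait_for(reader.read(1024), remaining)
                except asyncio.TimeoutError:
                    break
                if not chunk:  # peer closed without (more) banner
                    break
                buf += chunk
                if pattern.search(buf):  # banner recognised: stop early, free the slot
                    break
        except (ConnectionResetError, BrokenPipeError):
            pass
        finally:
            writer.close()
            try:
                await writer.wait_closed()
            except OSError:
                pass
        return buf


async def scan(targets, trigger, pattern, timeout=2.0, parallel=1000):
    """Scan (host, port) pairs concurrently; returns {(host, port): banner-or-None}."""
    slots = asyncio.Semaphore(parallel)
    tasks = [grab_banner(h, p, trigger, pattern, timeout, slots) for h, p in targets]
    return dict(zip(targets, await asyncio.gather(*tasks)))


def _free_port():
    """Pick a loopback port that is (almost certainly) closed, for the unreachable case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


async def demo(timeout=0.5):
    """Start the fake services, scan them, and return {name: banner-or-None}."""
    servers = {}
    for name, (banner, needs_trigger) in FAKE_SERVICES.items():
        servers[name] = await asyncio.start_server(
            functools.partial(_fake_service, banner, needs_trigger), "127.0.0.1", 0)
    ports = {name: srv.sockets[0].getsockname()[1] for name, srv in servers.items()}
    ports["closed"] = _free_port()
    targets = [("127.0.0.1", p) for p in ports.values()]
    try:
        results = await scan(targets, trigger=b"GET / HTTP/1.0\r\n\r\n",
                             pattern=re.compile(rb"\r\n"), timeout=timeout)
    finally:
        for srv in servers.values():
            srv.close()
            await srv.wait_closed()
    return {name: results[("127.0.0.1", p)] for name, p in ports.items()}


def run_demo(timeout=0.5):
    return asyncio.run(demo(timeout))


if __name__ == "__main__":
    for name, banner in run_demo().items():
        print(f"{name:7s} {banner!r}")
```

The regular expression here is just "one complete line", so a service that speaks first is released after its greeting and the HTTP-style service after its status line; the silent listener costs a full timeout before its slot is freed, which is exactly why the early teardown matters when the slot count, not bandwidth, is the bottleneck. The trigger is sent unconditionally, which is harmless for a service that talks first but means the scan is visible in the target's logs.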

