[unisog] Determining local servers and banners

Brian Smith-Sweeney bsmithsweeney at nyu.edu
Fri Apr 15 13:55:29 GMT 2005


Florian Weimer wrote:

> * Brian Smith-Sweeney:
>
>> I asked about number of hosts because I'm working on getting active
>> scans to run A) more accurately, and B) within a reasonable (1 week)
>> amount of time. Would you mind sharing your nmap timing options, and
>> what your associated % of host response is?
>
> nmap has the reputation of being a fast, parallel scanner, but it only
> parallelizes scans to several ports on the same host, not across the
> network. This makes nmap not the first choice for network-wide server
> detection.
>
I think this was much more a problem pre-v3.7. Since then the scanning
engine has gotten much better, though obviously we still haven't gotten
it working perfectly.

Nmap 3.70

o Rewrote core port scanning engine, which is now named ultra_scan().
Improved algorithms make this faster (often dramatically so) in
almost all cases. Not only is it superior against single hosts, but
ultra_scan() can scan many hosts (sometimes hundreds) in parallel.

It's still not perfect, but it has gotten much better at large-scale
network scanning. And I'm reasonably confident the issues we are
having will get resolved once we get the timing options right.

> That's the main reason I wrote doscan ("Denial-Of-Service Capable
> Auditing of Networks"). Our requirements were slightly different from
> yours, though. We were only interested in services on a specific
> port, not all services on the network, and doscan is optimized for
> this task. If I recall correctly, it scans a /15 (with about 10% host
> utilization) in a couple of minutes, with suitably tweaked settings.
> On Linux 2.6 systems, it can easily process tens of thousands of
> parallel connection attempts, thanks to epoll support. There's no
> FreeBSD kqueue support yet (I don't do FreeBSD). doscan can collect
> banners (and tears down connections once the banner matches a given
> regular expression, to free a connection slot as fast as possible),
> and it can trigger banners by sending strings to the remote server.
>
I will definitely look more closely at doscan. While it doesn't seem to
match this need, it does seem to fill its intended niche quite nicely.

Cheers,
Brian
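The doscan behaviour Florian describes above (bounded parallel connections, an optional trigger string, and tearing a connection down as soon as the banner matches a regular expression to free the slot), written out as an added asyncio example for inventorying servers on one's own network. This is not doscan's or nmap's code; the localhost SSH-style listener, the port-1 "closed port" target and the banner regex are constructed assumptions so that it runs offline.

```python
import asyncio
import re

async def grab_banner(host, port, pattern, trigger=b"", timeout=2.0, maxlen=512):
    """Read until `pattern` matches (or timeout/size cap), then hang up at once."""
    try:
        reader, writer = await asyncio.wait_for(
            asyncio.open_connection(host, port), timeout)
    except (OSError, asyncio.TimeoutError):
        return None                # closed/filtered: nothing answered
    data = b""
    try:
        if trigger:                # some services only talk after a request
            writer.write(trigger)
            await writer.drain()
        while len(data) < maxlen and not pattern.search(data):
            chunk = await asyncio.wait_for(reader.read(256), timeout)
            if not chunk:          # peer closed without a matching banner
                break
            data += chunk
    except (OSError, asyncio.TimeoutError):
        pass
    finally:
        writer.close()             # early teardown: the slot is free again
    return data or None

async def scan(targets, pattern, concurrency=500, **kw):
    """(host, port) pairs -> {(host, port): banner}; at most `concurrency` sockets open."""
    sem = asyncio.Semaphore(concurrency)
    async def one(host, port):
        async with sem:
            return (host, port), await grab_banner(host, port, pattern, **kw)
    pairs = await asyncio.gather(*(one(h, p) for h, p in targets))
    return {key: banner for key, banner in pairs if banner is not None}

async def _demo():
    """Constructed local fixture (assumption): SSH-style listener that holds the socket open."""
    async def ssh_like(reader, writer):
        writer.write(b"SSH-2.0-ConstructedServer_1.0\r\n")
        await writer.drain()
        await reader.read(1)       # returns b"" once the scanner hangs up
        writer.close()
    server = await asyncio.start_server(ssh_like, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    found = await scan([("127.0.0.1", port), ("127.0.0.1", 1)],  # port 1: closed
                       re.compile(rb"^SSH-\d\.\d-\S+\r?\n"), timeout=2.0)
    server.close()
    await server.wait_closed()
    return port, found
def demo(): return asyncio.run(_demo())
```

`demo()` returns the fixture's port and the scan result; only the listening port appears in the result, and its connection is closed the moment the banner line is complete rather than when the remote side gives up.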
