[unisog] Determining local servers and banners

Brian Smith-Sweeney bsmithsweeney at nyu.edu
Fri Apr 15 13:55:29 GMT 2005

Florian Weimer wrote:

> * Brian Smith-Sweeney:
>> I asked about number of hosts because I'm working on getting active
>> scans to run A) more accurately, and B) within a reasonable (1 week)
>> amount of time. Would you mind sharing your nmap timing options, and
>> what your associated % of host response is?
> nmap has the reputation of being a fast, parallel scanner, but it only
> parallelizes scans to several ports on the same host, not across the
> network. This makes nmap not the first choice for network-wide server
> detection.
I think this was much more a problem pre-v3.7.  Since then the scanning 
engine has gotten much better, though obviously we still haven't gotten 
it working perfectly. 

Nmap 3.70

o Rewrote core port scanning engine, which is now named ultra_scan().
Improved algorithms make this faster (often dramatically so) in
almost all cases. Not only is it superior against single hosts, but
ultra_scan() can scan many hosts (sometimes hundreds) in parallel.

It's still not perfect, but it has gotten much better at large-scale 
network scanning.   And I'm reasonably confident the issues we are 
having will get resolved once we get the timing options right. 

> That's the main reason I wrote doscan ("Denial-Of-Service Capable
> Auditing of Networks"). Our requirements were slightly different from
> yours, though. We were only interested in services on a specific
> port, not all services on the network, and doscan is optimized for
> this task. If I recall correctly, it scans a /15 (with about 10% host
> utilization) in a couple of minutes, with suitably tweaked settings.
> On Linux 2.6 systems, it can easily process tens of thousands of
> parallel connection attempts, thanks to epoll support. There's no
> FreeBSD kqueue support yet (I don't do FreeBSD). doscan can collect
> banners (and tears down connections once the banner matches a given
> regular expression, to free a connection slot as fast as possible),
> and it can trigger banners by sending strings to the remote server.
I will definitely look more closely at doscan.  While it doesn't seem to
match this need, it does seem to fill its intended niche quite nicely.
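The single-port sweep Florian describes (many hosts connected in parallel, read until the banner matches a regular expression, then tear the connection down to free the slot, optionally after sending a trigger string) as an added asyncio example; this is not doscan's or nmap's code, and the local "fake daemon" target it scans is constructed for the demonstration.

```python
import asyncio
import re

async def grab_banner(host, port, pattern, trigger=None, timeout=2.0, limit=1024):
    """Return bytes read from host:port (b'' if silent, None if the connect failed)."""
    try:
        reader, writer = await asyncio.wait_for(
            asyncio.open_connection(host, port), timeout)
    except (OSError, asyncio.TimeoutError):
        return None
    buf = bytearray()
    async def read_until_match():
        if trigger:                       # probe string for protocols that speak second
            writer.write(trigger)
            await writer.drain()
        while len(buf) < limit and not pattern.search(buf):
            chunk = await reader.read(256)
            if not chunk:                 # peer closed the connection
                break
            buf.extend(chunk)
    try:
        await asyncio.wait_for(read_until_match(), timeout)
    except (OSError, asyncio.TimeoutError):
        pass
    finally:
        writer.close()                    # tear down as soon as the regex matched
    return bytes(buf)

async def sweep(targets, pattern, trigger=None, concurrency=1000):
    """targets: iterable of (host, port); parallelism bounded by a semaphore."""
    sem = asyncio.Semaphore(concurrency)
    async def one(t):
        async with sem:
            return t, await grab_banner(t[0], t[1], pattern, trigger)
    return dict(await asyncio.gather(*(one(t) for t in targets)))

async def _demo():
    # Constructed local target: a fake daemon greeting with an SSH-style banner.
    async def fake(reader, writer):
        writer.write(b"SSH-2.0-ExampleDaemon_1.0\r\n")
        await writer.drain()
        writer.close()
    srv = await asyncio.start_server(fake, "127.0.0.1", 0)
    port = srv.sockets[0].getsockname()[1]
    res = await sweep([("127.0.0.1", port)], re.compile(rb"^SSH-\d\.\d-\S+"))
    srv.close()
    return res[("127.0.0.1", port)]

def run_demo():
    return asyncio.run(_demo())
```

For an inventory run, feed `sweep()` the (host, port) pairs for the one port of interest and keep `concurrency` below your open-file limit.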


