Nmap and Masscan optimized scan for large networks
Nmap
A very high --min-rate can saturate the network in a large scan and also produce inaccurate results, but for a single IP it really improves the scan time:
# TCP
sudo nmap -p- --min-rate 10000 IP -Pn --open -n -oN open-ports.txt
# UDP (slow even with the huge min-rate)
sudo nmap -p- --min-rate 10000 -sU IP -Pn --open -n -oN open-ports.txt
# UDP top 100
sudo nmap -p- --min-rate 10000 --top-ports 100 -sU IP -Pn --open -n -oN open-ports.txt
# Show the open ports on one line, comma separated, ready for -p
cat open-ports.txt | grep / | sed "s/\/.*//" | tr '\n' ',' | sed '$s/,$//'
# Then perform ServiceVersion -sV and Script -sC Scan
sudo nmap -v -p ports IP -Pn -n -sV -sC
# UDP
sudo nmap -v -p ports IP -Pn -n -sU -sV -sC
# stealth
sudo nmap -v -p ports IP -Pn -n -sS
Large Network
If you need to scan large networks, say in the order of CIDR /8, /16 or /24, it's a good idea, if you don't want to wait for days, to adapt the scan options to the target network. Even if the -T option in Nmap can help when set to -T4 or -T5, a few parameters, if correctly adjusted, can really improve the time needed to complete the process.
This scan method is not meant to avoid detection or be quiet; the goal is to get results as fast as possible!
Important parameters
-n: no DNS resolution
-Pn: no host discovery
--open: show only open ports
--min-rate: as mentioned before, it's important not to overdo this parameter, because it will lead to network instability and false results, or even freeze the scan. For a single IP you could try 10000 for an ultra fast scan; otherwise it's a process of trial and error to find the correct value in each situation. Here, for illustration, I use 5000 as a demonstration value.
--min-rtt-timeout and --max-rtt-timeout: to set them correctly, run a quick ping if you can, or work out the average network response time with another suitable method. Once you have an average ICMP echo time, add 25ms for --min-rtt-timeout and 100ms for --max-rtt-timeout. For example, with an average ping time of about 230ms you could set the minimum at 255ms and the maximum at 330ms.
--min-hostgroup: this parameter speeds things up by grouping the targets. The value should be decided in each situation; typical values I used go from 128 up to 512 or 1024 for very large networks.
--max-retries: 0
--max-scan-delay: delay between packets = 0
-p: when specified here, the ports parameter is set to the most common ports of common services that may be open on the targets, since the scan is performed on the list of live hosts (we are blindly assuming that some of these ports are open on some of those targets, while others may be missed). My suggestion is to adapt the command to each host found up once the main scan is finished; for a deeper and better analysis of all the targets, always perform a custom scan on each interesting host you find.
Nmap discovery command used against /16 ranges and larger:
# Network Sweep to find Live hosts first
# Skeleton command Stealth scan -sS
sudo nmap -Pn -n -sS -p [ports] --min-rtt-timeout 30ms --max-rtt-timeout 100ms \
--max-retries 0 --max-scan-delay 0 --min-hostgroup [choose-value] \
--min-rate [find-optimal-value] -v --open -iL inputfile -oA output
# ping - find the corrects values for min/max-rtt-timeout
# fictional values used here
ping -c 5 IP
# Tweaked
sudo nmap -Pn -n -sS -p 21,22,25,53,80,111,137,139,445,443,5900,8080 --min-rtt-timeout 255ms \
--max-rtt-timeout 330ms --max-retries 0 --max-scan-delay 0 --min-hostgroup 128 \
--min-rate 5000 -v --open -iL targets.txt -oA Custom
# extract the hosts reported Up from the grepable output (-oA Custom writes Custom.gnmap)
grep "Status: Up" Custom.gnmap | cut -d " " -f2 | tee UpHosts.txt
# full port scan on the live hosts only
sudo nmap -Pn -n -sS -p- --min-rtt-timeout 255ms --max-rtt-timeout 330ms --max-retries 1 \
--max-scan-delay 0 --min-hostgroup 128 --min-rate 5000 -v --open \
-iL UpHosts.txt -oA Custom_Full_Port
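The ping-to-timeout step of the procedure above, as an added shell helper that is not part of this page or of the RedSiege article: it reads the summary line of `ping` and applies the +25ms / +100ms rule. The ping output below is constructed to average 230 ms, the value the text uses.

```shell
# Constructed ping output (not a real measurement); the average is 230 ms,
# the value the text uses for its worked numbers.
PING_OUTPUT='PING 10.11.1.5 (10.11.1.5) 56(84) bytes of data.
64 bytes from 10.11.1.5: icmp_seq=1 ttl=63 time=228 ms
64 bytes from 10.11.1.5: icmp_seq=2 ttl=63 time=233 ms
64 bytes from 10.11.1.5: icmp_seq=3 ttl=63 time=229 ms

--- 10.11.1.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 228.000/230.000/233.000/2.160 ms'

# Read ping output on stdin and print the two Nmap flags derived from the
# average RTT: min = avg + 25 ms, max = avg + 100 ms, rounded up to whole ms.
# Matches both the Linux "rtt min/avg/max/mdev" and the BSD/macOS
# "round-trip min/avg/max/stddev" summary lines, and fails if no summary is
# present (e.g. the host never answered) so a bad value is never used silently.
rtt_timeout_flags() {
    awk -F'[ /]' '/min\/avg\/max/ {
        avg = $8 + 0          # fields: name min avg max dev = a b c d ms
        mn = int(avg + 25 + 0.999)
        mx = int(avg + 100 + 0.999)
        printf "--min-rtt-timeout %dms --max-rtt-timeout %dms\n", mn, mx
        found = 1
    }
    END { if (!found) { print "no rtt summary found" > "/dev/stderr"; exit 1 } }'
}

# Usage with a live measurement would be: ping -c 5 IP | rtt_timeout_flags
printf '%s\n' "$PING_OUTPUT" | rtt_timeout_flags   # --min-rtt-timeout 255ms --max-rtt-timeout 330ms
```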
Useful guide and data source RedSiege - BeyondT4
Even if the technique suggested above by RedSiege works, the method used to find the live hosts in targets.txt (which is already refined) is not specified in the RedSiege article. Their figures are for a predefined list of 77 IPs (6s of scan) and for the whole network CIDR /16 = 65,000 IPs (15 min scan). It's up to you to find the best way to refine the whole network's IPs down to a small number. Either way, the IP range could be provided directly in the command:
sudo nmap -Pn -n -sS -p 21-23,25,53,111,137,139,445,80,443,3389,5900,8080,8443 \
--min-rtt-timeout 255ms --max-rtt-timeout 330ms --max-retries 0 --max-scan-delay 0 \
--min-hostgroup 128 --min-rate 5500 -v --open 10.11.1.0/16 -oA Custom
But doing so we are not fully optimizing the scan, because it's better to find the live hosts first and then perform the port scan on them only.
Ping sweep
One approach is to ping sweep the whole network first to find the live hosts in it, and then proceed with the method suggested above:
# ping sweep
nmap -v -sn 10.11.1.1/16 -oG ping-sweep.txt
# extract the live hosts from the grepable output
grep Up ping-sweep.txt | cut -d " " -f 2 > live-hosts-list.txt
# then
sudo nmap -v -Pn -n -sS -p 21-23,25,53,111,137,139,445,80,443,3389,5900,8080,8443 \
--min-rtt-timeout 275ms --max-rtt-timeout 350ms --max-retries 0 --max-scan-delay 0 \
--min-hostgroup 128 --min-rate 5500 -v --open -iL live-hosts-list.txt -oA Scan_results
Internal Network discovery
Ping Gateway IP Addresses
Let's say that internally we got the IP address 192.168.57.111 with netmask 255.255.255.0 and a default gateway of 192.168.57.1. There is a high probability that the rest of the network ranges have been defined as /24 CIDR as well. In that case, a ping sweep of the range 192.168.*.1 while watching the TTL would possibly reveal what the other network ranges are.
sudo nmap -sn -v -PE 192.168.*.1
Masscan
Another option is to use Masscan for the initial target discovery, due to its speed, and then perform an accurate scan of each host with Nmap to properly enumerate all services.
Add a few additional masscan options, including --rate to specify the desired rate of packet transmission, -e to specify the raw network interface to use, and --router-ip to specify the IP address of the appropriate gateway:
sudo masscan -p80 10.11.1.0/24 --rate=1000 -e tap0 --router-ip 10.11.0.1
#
masscan -iL target_ranges.txt -p 21,22,25,53,80,111,137,139,445,443,5900,8080 \
-oG raw_targets_list.txt --rate 3000 --open-only
#
awk '/Host/ {print $4}' raw_targets_list.txt | sort -uV > live_hosts
# Insane
masscan 10.1.1.1/16 -p 21,22,25,53,80,111,137,139,445,443,5900,8080 \
--rate 1000000 --open-only --http-user-agent \
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
-oG output.txt
# Fast discovery of specific ports only
sudo masscan target/16 -p 22 --rate 2000 -oG output.txt
# Multiple targets
masscan target_1 target_2 -p 80,443 --rate 100000 --banners --open-only \
--http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
--source-ip 192.168.100.200 -oL "output.txt"
# /24 network, all ports
masscan 10.1.1.1/24 -p 0-65535 --rate 1000000 --open-only --http-user-agent \
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
-oJ output.json
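The three host-extraction steps on this page (the grep on the .gnmap file, the ping-sweep grep and the awk over masscan's grepable output) each depend on the exact file layout. This added example (not code from the page, Nmap or masscan) parses constructed samples of both formats and keeps only hosts with at least one open port, which matters because -Pn treats every target as up and so "Status: Up" alone proves nothing.

```shell
# Write constructed sample scan output (not real data) so the parsers below
# run offline. $1: Nmap .gnmap path, $2: masscan -oG path.
write_samples() {
    {
        printf '# Nmap 7.94 scan initiated as: nmap -Pn -n -sS --open -oA Custom -iL targets.txt\n'
        # -Pn gives every target a "Status: Up" line, so that line alone does
        # not prove the host is alive; only a "/open/" port does.
        printf 'Host: 10.11.1.5 ()\tStatus: Up\n'
        printf 'Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: filtered (10)\n'
        printf 'Host: 10.11.1.9 ()\tStatus: Up\n'
        printf 'Host: 10.11.1.9 ()\tPorts: 445/filtered/tcp//microsoft-ds///\n'
        printf 'Host: 10.11.1.20 ()\tStatus: Up\n'
        printf 'Host: 10.11.1.20 ()\tPorts: 443/open/tcp//https///\n'
        printf '# Nmap done -- 3 IP addresses (3 hosts up) scanned in 4.12 seconds\n'
    } > "$1"
    {
        # masscan -oG lines start with a Timestamp field, so the address is $4
        printf '#masscan\n'
        printf 'Timestamp: 1700000000\tHost: 10.11.2.7 ()\tPorts: 80/open/tcp////\n'
        printf 'Timestamp: 1700000001\tHost: 10.11.2.7 ()\tPorts: 22/open/tcp////\n'
        printf 'Timestamp: 1700000002\tHost: 10.11.2.30 ()\tPorts: 445/open/tcp////\n'
        printf '# end\n'
    } > "$2"
}

# Hosts with at least one open port in an Nmap .gnmap file, one per line,
# de-duplicated and sorted as addresses (sort -V), ready for -iL.
gnmap_live_hosts() {
    awk '/^Host:/ && /Ports:/ && /\/open\// { print $2 }' "$1" | sort -uV
}

# Same for masscan grepable output, where the address is the 4th field.
masscan_live_hosts() {
    awk '/^Timestamp:/ && /Ports:/ && /\/open\// { print $4 }' "$1" | sort -uV
}

# Comma-separated list of every open port seen in a .gnmap file, for -p.
gnmap_open_ports() {
    grep -o '[0-9]*/open/' "$1" | cut -d/ -f1 | sort -un | paste -sd, -
}

dir=$(mktemp -d)
write_samples "$dir/Custom.gnmap" "$dir/raw_targets_list.txt"
gnmap_live_hosts "$dir/Custom.gnmap"              # 10.11.1.5 10.11.1.20
masscan_live_hosts "$dir/raw_targets_list.txt"    # 10.11.2.7 10.11.2.30
gnmap_open_ports "$dir/Custom.gnmap"              # 22,80,443
```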
SNMP - UDP (Bonus Tip)
If SNMP over UDP is active, run this scan to list all services/processes:
# find the open UDP ports first (top 100)
sudo nmap -p- --min-rate 10000 --top-ports 100 -sU IP -Pn --open -n -oN open-ports.txt
# then query SNMP for system information and running processes
sudo nmap -v -p 161 IP -Pn --open -n -sU --script snmp-info.nse,snmp-processes.nse