Friday, February 12, 2016

Fast port scanning with nmap

Use nmap to test for listening services on a range of ports:

nmap -sS --reason -T4 -p32000-32100 10.10.10.10/32

Explanation of arguments

-sS: TCP SYN scan, also known as a half-open scan. It requires root privileges (see -sT if this is an issue). It is fast, enabling testing of large numbers of ports (assuming high network bandwidth and the absence of rate-limiting firewalls). It is unobtrusive since it never completes a TCP connection: it sends a SYN packet and checks the response. It allows clear differentiation between listening (a SYN/ACK response), not listening (a RST/reset response) and filtered (no response after retries).

--reason: Shows why each port is reported in the given state (for a SYN scan, the reply packet type, or the absence of one).

-T<0-5>: Timing template. The equivalent text names are instructive: paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), insane (5). Higher is faster. The default is normal (3), but it is often too slow in practice for large port ranges. Higher values must be used cautiously, as they can stress or crash target systems and easily trigger intrusion detection systems. I have found T4 to be practical for routine systems diagnostics work. T4 is the equivalent of --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6. When scanning many ports on a reliable network, I override the maximum retries to accelerate the scan with --max-retries=0.

-p: Port range (here 32000 through 32100 inclusive)

Hosts: Target hosts, given as IP addresses with a netmask. In the example, 10.10.10.10/32, a single host is requested. A mask shorter than 32 bits designates a range, e.g. 10.10.10.0/24 includes 10.10.10.0 through 10.10.10.255.
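To make the SYN-scan states and the --reason column concrete, here is an added Python example (not part of the original post) that parses the normal-format output such a scan prints, maps each reason token back to the packet behaviour described above, and compares the listening ports against an expected service inventory. The scan output embedded in it is constructed to mirror nmap's layout rather than captured from a live run; the port 32001/32002/32050 values and the expected-port set are made-up assumptions.

```python
import re
from collections import Counter

# Constructed sample of nmap normal output for "nmap -sS --reason" (mirrors
# nmap's layout; not captured from a real scan). Port numbers are made up.
SAMPLE_OUTPUT = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-12 10:00 UTC
Nmap scan report for 10.10.10.10
Host is up, received echo-reply ttl 64 (0.0010s latency).
Not shown: 98 closed ports
Reason: 98 resets
PORT      STATE    SERVICE REASON
32001/tcp open     unknown syn-ack ttl 64
32002/tcp open     unknown syn-ack ttl 64
32050/tcp filtered unknown no-response

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
"""

# One port per line: "<port>/<proto> <state> <service> <reason ...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+(?P<reason>.+?)\s*$"
)
# "Not shown: 98 closed ports" (newer nmap may list several "<n> <state> ports" groups)
NOT_SHOWN_GROUP = re.compile(r"(\d+) (\w+) ports?")

# What each reason token means for a SYN scan, as explained in the post.
SYN_SCAN_REASONS = {
    "syn-ack": "target replied SYN/ACK: a service is listening",
    "reset": "target replied RST: nothing listening",
    "no-response": "no reply after retries: probably dropped by a firewall",
}


def parse_nmap_reason_output(text):
    """Return (ports, not_shown): per-port details and a Counter of summarised states."""
    ports = {}
    not_shown = Counter()
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            token = m.group("reason").split()[0]  # drop trailing "ttl 64" detail
            ports[int(m.group("port"))] = {
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "reason": token,
                "meaning": SYN_SCAN_REASONS.get(token, "unrecognised reason token"),
            }
        elif line.startswith("Not shown:"):
            for count, state in NOT_SHOWN_GROUP.findall(line):
                not_shown[state] += int(count)
    return ports, not_shown


def summarize_states(ports, not_shown):
    """Count ports per state, including the ones nmap collapsed into 'Not shown'."""
    counts = Counter(p["state"] for p in ports.values())
    counts.update(not_shown)
    return dict(counts)


def unexpected_listeners(ports, expected_open):
    """Open ports that are not in the inventory of services expected on the host."""
    return sorted(
        port for port, p in ports.items() if p["state"] == "open" and port not in expected_open
    )


if __name__ == "__main__":
    found, hidden = parse_nmap_reason_output(SAMPLE_OUTPUT)
    for port, p in sorted(found.items()):
        print(f"{port}/{p['proto']:<3} {p['state']:<8} {p['reason']:<12} {p['meaning']}")
    print("summary:", summarize_states(found, hidden))
    # Assumed inventory: only 32001 is supposed to be listening on this host.
    print("unexpected open ports:", unexpected_listeners(found, {32001}))
```

When the scan was run with --max-retries=0, a single dropped probe or reply also appears as no-response, so treat a "filtered" result from such a fast scan as "unconfirmed" and re-probe that port with retries before concluding a firewall is in the path.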
