Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Using nmap

Posted on 2014-10-24
Medium Priority
Last Modified: 2014-10-30
Does anyone know  how I can run the following and make it work?

nmap -p 443 --script ssl-enum-ciphers

It seems to halt but if I put a, it works fine.  It seems scanning a larger network doesn't seem to work.

Also, I tried the iL option using the input file, that doesn't work also.
Question by:LateNaite
  • 4
  • 2
LVL 38

Expert Comment

by:Rich Rumble
ID: 40404423
You will want to use Zmap on a linux machine if your interested in one port, and you want to scan 16 million potential addresses in less than a month. You can do it with nmap if you break it up some, and use "-n -Pn" so that you don't waste time pinging and resolving. If you broke it up into 256 tasks, using /16 subnets...
Have a look at zmap. Once you find the host's that respond to 443, then use namp's input file (-iL) and the enum ciphers to help you get the more verbose findings. Zmap is the only scanner I know of that can scan a /8 in under 1 day.
https://zmap.io/ (requires linux)
LVL 65

Expert Comment

ID: 40404534
in the past, nmap forum surface this advice (based on older ver) for the saga of wide n/w scan for conficker http://seclists.org/nmap-dev/2009/q1/869
e.g. sudo nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
 -d -PN -n -T4  --min-hostgroup 256 --min-parallelism 64 \
 -oA conficker_scan <your network(s) here>
Each host that is checked will have a line about Conficker in the "Host
script results" section.  If you are going to be scanning a very large
network you should use XML output...
Nmap can take CIDR targets so is perfectly fine for your
network.  You could also do something like 123.234.2-254.2-254  If you
have more than one netblock you can separate them with a space like

If you want want to ramp the scan speed up further, increase
the --min-hostgroup and --min-parallelism but keep them in a 4:1 ratio.  I
wouldn't recommend more than 4096/1024.  You can also change -T4 to -T5
but depending on the network/hosts you are scanning this may or
may not have any speed/accuracy effect.
Also there is blackhat sharing in using nmap example for internet wide scan that can come handy - zenmap the GUI ver is mentioned too (pdf) https://www.blackhat.com/presentations/bh-usa-08/Vaskovich/BH_US_08_Vaskovich_Nmap_Scanning_the_Internet.pdf

The actual timing and performance parameters for nmap is a good reference (as it is also prev used)
You can specify them with the -T option and their number (0–5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick the exact timing values.
I recommend using -T4 when scanning reasonably modern and reliable networks. Keep that option even when you add fine-grained controls so that you benefit from those extra minor optimizations that it enables.

If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow -T polite really is. Their scan may take ten times longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options (-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more effective than playing with timing values at reducing these problems.
There are also other

massscan that it claimed fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second. It produces results similar to nmap, and it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.

Unicornscan (old though) is a tool known for high-speed scanning of large net blocks..
LVL 65

Expert Comment

ID: 40404737
Zmap is nice too, it primes for its stateless scan. It scans addresses according to a random permutation of the address space. This is to avoid risk of  overloading destination networks with scan traffic and produce inconsistent results in the case of a distant transient network failure.

In its paper (pdf) https://zmap.io/paper.pdf, it also compared to nmap which the author tried started with the “insane” template (-T5), disabled host discovery and DNS resolutions (-Pn -n), and set a high minimum packet rate (--min-rate 10000). they concluded ZMap vs. Nmap comparison as
— We scanned 1 million hosts on TCP port 443 using ZMap and Nmap and averaged over 10 trials. Despite running hundreds of times faster, ZMap finds more listening hosts than Nmap, due to Nmap’s low host timeout. Times for ZMap include a fixed 8 second delay to wait for responses after the final probe
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

LVL 65

Accepted Solution

btan earned 2000 total points
ID: 40404822
Also this SAN article is useful insight using masscan and nmap (did nto share the nse though) that est covering ~20 Million IP. Note masscan is used to also cover the /8 range
Masscan uses a similar command line to nmap.

            >masscan -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000

     -oG 10-scan-ssl - -max-rate 10000

-oG Grepable output
-p port to scan network to scan

-oG Output in grepable format
10-scan-443 is filename created by scan
--make-rate sets the speed of the scan

Once Masscan has quickly identified targets for deeper inspection, you can use your more specific tool to determine if the system is vulnerable.

Author Closing Comment

ID: 40413983
I haven't tried masscan due to an installation issue. Tried installing on Windows but it didn't work.  Haven't tried it on a Linux machine yet.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40414875
Try this executeable I compiled for Masscan for windows using Mingw: http://xinn.org/compiled_files/masscan.exe

masscan.exe -p80,443 --rate 10000 --banners -oX output.xml
LVL 65

Expert Comment

ID: 40415011
can check this post on building option


While Linux is the primary target platform, the code runs well on many other systems. Here's some additional build info:

    Windows w/ Visual Studio: use the VS10 project
    Windows w/ MingGW: just type make
    Windows w/ cygwin: won't work
    Mac OS X /w XCode: use the XCode4 project
    Mac OS X /w cmdline: just type make
    FreeBSD: type gmake

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Suggested Courses
Course of the Month12 days, 9 hours left to enroll

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question