Solved

Using nmap

Posted on 2014-10-24
7
515 Views
Last Modified: 2014-10-30
Does anyone know  how I can run the following and make it work?

nmap -p 443 --script ssl-enum-ciphers 10.0.0.0/8

It seems to halt but if I put a 10.0.0.0/24, it works fine.  It seems scanning a larger network doesn't seem to work.

Also, I tried the iL option using the input file, that doesn't work also.
0
Comment
Question by:LateNaite
  • 4
  • 2
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
You will want to use Zmap on a linux machine if your interested in one port, and you want to scan 16 million potential addresses in less than a month. You can do it with nmap if you break it up some, and use "-n -Pn" so that you don't waste time pinging and resolving. If you broke it up into 256 tasks, using /16 subnets...
10.0.0.0/16
10.1.0.0/16
10.2.0.0/16
etc...
Have a look at zmap. Once you find the host's that respond to 443, then use namp's input file (-iL) and the enum ciphers to help you get the more verbose findings. Zmap is the only scanner I know of that can scan a /8 in under 1 day.
https://zmap.io/ (requires linux)
-rich
0
 
LVL 61

Expert Comment

by:btan
Comment Utility
in the past, nmap forum surface this advice (based on older ver) for the saga of wide n/w scan for conficker http://seclists.org/nmap-dev/2009/q1/869
e.g. sudo nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
 -d -PN -n -T4  --min-hostgroup 256 --min-parallelism 64 \
 -oA conficker_scan <your network(s) here>
Each host that is checked will have a line about Conficker in the "Host
script results" section.  If you are going to be scanning a very large
network you should use XML output...
Nmap can take CIDR targets so 123.234.0.0/16 is perfectly fine for your
network.  You could also do something like 123.234.2-254.2-254  If you
have more than one netblock you can separate them with a space like
123.234.0.0/16 32.64.128.0/24

If you want want to ramp the scan speed up further, increase
the --min-hostgroup and --min-parallelism but keep them in a 4:1 ratio.  I
wouldn't recommend more than 4096/1024.  You can also change -T4 to -T5
but depending on the network/hosts you are scanning this may or
may not have any speed/accuracy effect.
Also there is blackhat sharing in using nmap example for internet wide scan that can come handy - zenmap the GUI ver is mentioned too (pdf) https://www.blackhat.com/presentations/bh-usa-08/Vaskovich/BH_US_08_Vaskovich_Nmap_Scanning_the_Internet.pdf

The actual timing and performance parameters for nmap is a good reference (as it is also prev used)
http://nmap.org/book/man-performance.html
You can specify them with the -T option and their number (0–5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick the exact timing values.
I recommend using -T4 when scanning reasonably modern and reliable networks. Keep that option even when you add fine-grained controls so that you benefit from those extra minor optimizations that it enables.

If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow -T polite really is. Their scan may take ten times longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options (-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more effective than playing with timing values at reducing these problems.
There are also other

massscan that it claimed fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second. It produces results similar to nmap, and it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.

Unicornscan (old though) is a tool known for high-speed scanning of large net blocks..
0
 
LVL 61

Expert Comment

by:btan
Comment Utility
Zmap is nice too, it primes for its stateless scan. It scans addresses according to a random permutation of the address space. This is to avoid risk of  overloading destination networks with scan traffic and produce inconsistent results in the case of a distant transient network failure.

In its paper (pdf) https://zmap.io/paper.pdf, it also compared to nmap which the author tried started with the “insane” template (-T5), disabled host discovery and DNS resolutions (-Pn -n), and set a high minimum packet rate (--min-rate 10000). they concluded ZMap vs. Nmap comparison as
— We scanned 1 million hosts on TCP port 443 using ZMap and Nmap and averaged over 10 trials. Despite running hundreds of times faster, ZMap finds more listening hosts than Nmap, due to Nmap’s low host timeout. Times for ZMap include a fixed 8 second delay to wait for responses after the final probe
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
Also this SAN article is useful insight using masscan and nmap (did nto share the nse though) that est covering ~20 Million IP. Note masscan is used to also cover the /8 range
https://isc.sans.edu/forums/diary/Scanning+for+Single+Critical+Vulnerabilities/18881
Masscan uses a similar command line to nmap.

            >masscan -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000

              10.0.0.0/8 -oG 10-scan-ssl - -max-rate 10000

-oG Grepable output
-p port to scan
10.0.0.0/8 network to scan

-oG Output in grepable format
10-scan-443 is filename created by scan
--make-rate sets the speed of the scan

Once Masscan has quickly identified targets for deeper inspection, you can use your more specific tool to determine if the system is vulnerable.
0
 

Author Closing Comment

by:LateNaite
Comment Utility
I haven't tried masscan due to an installation issue. Tried installing on Windows but it didn't work.  Haven't tried it on a Linux machine yet.
0
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
Try this executeable I compiled for Masscan for windows using Mingw: http://xinn.org/compiled_files/masscan.exe

masscan.exe -p80,443 --rate 10000 --banners -oX output.xml 10.0.0.0/8
-rich
0
 
LVL 61

Expert Comment

by:btan
Comment Utility
can check this post on building option

http://kb.scanarch.com/How-to-use-masscan-to-find-heartbleed-vulnerabilities/

While Linux is the primary target platform, the code runs well on many other systems. Here's some additional build info:

    Windows w/ Visual Studio: use the VS10 project
    Windows w/ MingGW: just type make
    Windows w/ cygwin: won't work
    Mac OS X /w XCode: use the XCode4 project
    Mac OS X /w cmdline: just type make
    FreeBSD: type gmake
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now