Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Using nmap

Posted on 2014-10-24
7
Medium Priority
?
638 Views
Last Modified: 2014-10-30
Does anyone know  how I can run the following and make it work?

nmap -p 443 --script ssl-enum-ciphers 10.0.0.0/8

It seems to halt but if I put a 10.0.0.0/24, it works fine.  It seems scanning a larger network doesn't seem to work.

Also, I tried the iL option using the input file, that doesn't work also.
0
Comment
Question by:LateNaite
  • 4
  • 2
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40404423
You will want to use Zmap on a linux machine if your interested in one port, and you want to scan 16 million potential addresses in less than a month. You can do it with nmap if you break it up some, and use "-n -Pn" so that you don't waste time pinging and resolving. If you broke it up into 256 tasks, using /16 subnets...
10.0.0.0/16
10.1.0.0/16
10.2.0.0/16
etc...
Have a look at zmap. Once you find the host's that respond to 443, then use namp's input file (-iL) and the enum ciphers to help you get the more verbose findings. Zmap is the only scanner I know of that can scan a /8 in under 1 day.
https://zmap.io/ (requires linux)
-rich
0
 
LVL 65

Expert Comment

by:btan
ID: 40404534
in the past, nmap forum surface this advice (based on older ver) for the saga of wide n/w scan for conficker http://seclists.org/nmap-dev/2009/q1/869
e.g. sudo nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
 -d -PN -n -T4  --min-hostgroup 256 --min-parallelism 64 \
 -oA conficker_scan <your network(s) here>
Each host that is checked will have a line about Conficker in the "Host
script results" section.  If you are going to be scanning a very large
network you should use XML output...
Nmap can take CIDR targets so 123.234.0.0/16 is perfectly fine for your
network.  You could also do something like 123.234.2-254.2-254  If you
have more than one netblock you can separate them with a space like
123.234.0.0/16 32.64.128.0/24

If you want want to ramp the scan speed up further, increase
the --min-hostgroup and --min-parallelism but keep them in a 4:1 ratio.  I
wouldn't recommend more than 4096/1024.  You can also change -T4 to -T5
but depending on the network/hosts you are scanning this may or
may not have any speed/accuracy effect.
Also there is blackhat sharing in using nmap example for internet wide scan that can come handy - zenmap the GUI ver is mentioned too (pdf) https://www.blackhat.com/presentations/bh-usa-08/Vaskovich/BH_US_08_Vaskovich_Nmap_Scanning_the_Internet.pdf

The actual timing and performance parameters for nmap is a good reference (as it is also prev used)
http://nmap.org/book/man-performance.html
You can specify them with the -T option and their number (0–5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick the exact timing values.
I recommend using -T4 when scanning reasonably modern and reliable networks. Keep that option even when you add fine-grained controls so that you benefit from those extra minor optimizations that it enables.

If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow -T polite really is. Their scan may take ten times longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options (-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more effective than playing with timing values at reducing these problems.
There are also other

massscan that it claimed fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second. It produces results similar to nmap, and it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.

Unicornscan (old though) is a tool known for high-speed scanning of large net blocks..
0
 
LVL 65

Expert Comment

by:btan
ID: 40404737
Zmap is nice too, it primes for its stateless scan. It scans addresses according to a random permutation of the address space. This is to avoid risk of  overloading destination networks with scan traffic and produce inconsistent results in the case of a distant transient network failure.

In its paper (pdf) https://zmap.io/paper.pdf, it also compared to nmap which the author tried started with the “insane” template (-T5), disabled host discovery and DNS resolutions (-Pn -n), and set a high minimum packet rate (--min-rate 10000). they concluded ZMap vs. Nmap comparison as
— We scanned 1 million hosts on TCP port 443 using ZMap and Nmap and averaged over 10 trials. Despite running hundreds of times faster, ZMap finds more listening hosts than Nmap, due to Nmap’s low host timeout. Times for ZMap include a fixed 8 second delay to wait for responses after the final probe
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40404822
Also this SAN article is useful insight using masscan and nmap (did nto share the nse though) that est covering ~20 Million IP. Note masscan is used to also cover the /8 range
https://isc.sans.edu/forums/diary/Scanning+for+Single+Critical+Vulnerabilities/18881
Masscan uses a similar command line to nmap.

            >masscan -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000

              10.0.0.0/8 -oG 10-scan-ssl - -max-rate 10000

-oG Grepable output
-p port to scan
10.0.0.0/8 network to scan

-oG Output in grepable format
10-scan-443 is filename created by scan
--make-rate sets the speed of the scan

Once Masscan has quickly identified targets for deeper inspection, you can use your more specific tool to determine if the system is vulnerable.
0
 

Author Closing Comment

by:LateNaite
ID: 40413983
I haven't tried masscan due to an installation issue. Tried installing on Windows but it didn't work.  Haven't tried it on a Linux machine yet.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40414875
Try this executeable I compiled for Masscan for windows using Mingw: http://xinn.org/compiled_files/masscan.exe

masscan.exe -p80,443 --rate 10000 --banners -oX output.xml 10.0.0.0/8
-rich
0
 
LVL 65

Expert Comment

by:btan
ID: 40415011
can check this post on building option

http://kb.scanarch.com/How-to-use-masscan-to-find-heartbleed-vulnerabilities/

While Linux is the primary target platform, the code runs well on many other systems. Here's some additional build info:

    Windows w/ Visual Studio: use the VS10 project
    Windows w/ MingGW: just type make
    Windows w/ cygwin: won't work
    Mac OS X /w XCode: use the XCode4 project
    Mac OS X /w cmdline: just type make
    FreeBSD: type gmake
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
How does someone stay on the right and legal side of the hacking world?
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question