Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Using nmap

Posted on 2014-10-24
Medium Priority
Last Modified: 2014-10-30
Does anyone know  how I can run the following and make it work?

nmap -p 443 --script ssl-enum-ciphers

It seems to halt but if I put a, it works fine.  It seems scanning a larger network doesn't seem to work.

Also, I tried the iL option using the input file, that doesn't work also.
Question by:LateNaite
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
LVL 38

Expert Comment

by:Rich Rumble
ID: 40404423
You will want to use Zmap on a linux machine if your interested in one port, and you want to scan 16 million potential addresses in less than a month. You can do it with nmap if you break it up some, and use "-n -Pn" so that you don't waste time pinging and resolving. If you broke it up into 256 tasks, using /16 subnets...
Have a look at zmap. Once you find the host's that respond to 443, then use namp's input file (-iL) and the enum ciphers to help you get the more verbose findings. Zmap is the only scanner I know of that can scan a /8 in under 1 day. (requires linux)
LVL 64

Expert Comment

ID: 40404534
in the past, nmap forum surface this advice (based on older ver) for the saga of wide n/w scan for conficker
e.g. sudo nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
 -d -PN -n -T4  --min-hostgroup 256 --min-parallelism 64 \
 -oA conficker_scan <your network(s) here>
Each host that is checked will have a line about Conficker in the "Host
script results" section.  If you are going to be scanning a very large
network you should use XML output...
Nmap can take CIDR targets so is perfectly fine for your
network.  You could also do something like 123.234.2-254.2-254  If you
have more than one netblock you can separate them with a space like

If you want want to ramp the scan speed up further, increase
the --min-hostgroup and --min-parallelism but keep them in a 4:1 ratio.  I
wouldn't recommend more than 4096/1024.  You can also change -T4 to -T5
but depending on the network/hosts you are scanning this may or
may not have any speed/accuracy effect.
Also there is blackhat sharing in using nmap example for internet wide scan that can come handy - zenmap the GUI ver is mentioned too (pdf)

The actual timing and performance parameters for nmap is a good reference (as it is also prev used)
You can specify them with the -T option and their number (0–5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick the exact timing values.
I recommend using -T4 when scanning reasonably modern and reliable networks. Keep that option even when you add fine-grained controls so that you benefit from those extra minor optimizations that it enables.

If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow -T polite really is. Their scan may take ten times longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options (-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more effective than playing with timing values at reducing these problems.
There are also other

massscan that it claimed fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second. It produces results similar to nmap, and it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.

Unicornscan (old though) is a tool known for high-speed scanning of large net blocks..
LVL 64

Expert Comment

ID: 40404737
Zmap is nice too, it primes for its stateless scan. It scans addresses according to a random permutation of the address space. This is to avoid risk of  overloading destination networks with scan traffic and produce inconsistent results in the case of a distant transient network failure.

In its paper (pdf), it also compared to nmap which the author tried started with the “insane” template (-T5), disabled host discovery and DNS resolutions (-Pn -n), and set a high minimum packet rate (--min-rate 10000). they concluded ZMap vs. Nmap comparison as
— We scanned 1 million hosts on TCP port 443 using ZMap and Nmap and averaged over 10 trials. Despite running hundreds of times faster, ZMap finds more listening hosts than Nmap, due to Nmap’s low host timeout. Times for ZMap include a fixed 8 second delay to wait for responses after the final probe
The Ideal Solution for Multi-Display Applications

Check out ATEN’s VS1912 12-Port DP Video Wall Media Player at InfoComm 2017. Kerri describes how easy it is to design creative video walls in asymmetric layouts and schedule detailed playlists ahead of time with its advanced scheduling feature.

LVL 64

Accepted Solution

btan earned 2000 total points
ID: 40404822
Also this SAN article is useful insight using masscan and nmap (did nto share the nse though) that est covering ~20 Million IP. Note masscan is used to also cover the /8 range
Masscan uses a similar command line to nmap.

            >masscan -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000

     -oG 10-scan-ssl - -max-rate 10000

-oG Grepable output
-p port to scan network to scan

-oG Output in grepable format
10-scan-443 is filename created by scan
--make-rate sets the speed of the scan

Once Masscan has quickly identified targets for deeper inspection, you can use your more specific tool to determine if the system is vulnerable.

Author Closing Comment

ID: 40413983
I haven't tried masscan due to an installation issue. Tried installing on Windows but it didn't work.  Haven't tried it on a Linux machine yet.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40414875
Try this executeable I compiled for Masscan for windows using Mingw:

masscan.exe -p80,443 --rate 10000 --banners -oX output.xml
LVL 64

Expert Comment

ID: 40415011
can check this post on building option

While Linux is the primary target platform, the code runs well on many other systems. Here's some additional build info:

    Windows w/ Visual Studio: use the VS10 project
    Windows w/ MingGW: just type make
    Windows w/ cygwin: won't work
    Mac OS X /w XCode: use the XCode4 project
    Mac OS X /w cmdline: just type make
    FreeBSD: type gmake

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question