Using nmap

Posted on 2014-10-24
Last Modified: 2014-10-30
Does anyone know  how I can run the following and make it work?

nmap -p 443 --script ssl-enum-ciphers

It seems to halt but if I put a, it works fine.  It seems scanning a larger network doesn't seem to work.

Also, I tried the iL option using the input file, that doesn't work also.
Question by:LateNaite
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
LVL 38

Expert Comment

by:Rich Rumble
ID: 40404423
You will want to use Zmap on a linux machine if your interested in one port, and you want to scan 16 million potential addresses in less than a month. You can do it with nmap if you break it up some, and use "-n -Pn" so that you don't waste time pinging and resolving. If you broke it up into 256 tasks, using /16 subnets...
Have a look at zmap. Once you find the host's that respond to 443, then use namp's input file (-iL) and the enum ciphers to help you get the more verbose findings. Zmap is the only scanner I know of that can scan a /8 in under 1 day. (requires linux)
LVL 64

Expert Comment

ID: 40404534
in the past, nmap forum surface this advice (based on older ver) for the saga of wide n/w scan for conficker
e.g. sudo nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
 -d -PN -n -T4  --min-hostgroup 256 --min-parallelism 64 \
 -oA conficker_scan <your network(s) here>
Each host that is checked will have a line about Conficker in the "Host
script results" section.  If you are going to be scanning a very large
network you should use XML output...
Nmap can take CIDR targets so is perfectly fine for your
network.  You could also do something like 123.234.2-254.2-254  If you
have more than one netblock you can separate them with a space like

If you want want to ramp the scan speed up further, increase
the --min-hostgroup and --min-parallelism but keep them in a 4:1 ratio.  I
wouldn't recommend more than 4096/1024.  You can also change -T4 to -T5
but depending on the network/hosts you are scanning this may or
may not have any speed/accuracy effect.
Also there is blackhat sharing in using nmap example for internet wide scan that can come handy - zenmap the GUI ver is mentioned too (pdf)

The actual timing and performance parameters for nmap is a good reference (as it is also prev used)
You can specify them with the -T option and their number (0–5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick the exact timing values.
I recommend using -T4 when scanning reasonably modern and reliable networks. Keep that option even when you add fine-grained controls so that you benefit from those extra minor optimizations that it enables.

If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow -T polite really is. Their scan may take ten times longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options (-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more effective than playing with timing values at reducing these problems.
There are also other

massscan that it claimed fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second. It produces results similar to nmap, and it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.

Unicornscan (old though) is a tool known for high-speed scanning of large net blocks..
LVL 64

Expert Comment

ID: 40404737
Zmap is nice too, it primes for its stateless scan. It scans addresses according to a random permutation of the address space. This is to avoid risk of  overloading destination networks with scan traffic and produce inconsistent results in the case of a distant transient network failure.

In its paper (pdf), it also compared to nmap which the author tried started with the “insane” template (-T5), disabled host discovery and DNS resolutions (-Pn -n), and set a high minimum packet rate (--min-rate 10000). they concluded ZMap vs. Nmap comparison as
— We scanned 1 million hosts on TCP port 443 using ZMap and Nmap and averaged over 10 trials. Despite running hundreds of times faster, ZMap finds more listening hosts than Nmap, due to Nmap’s low host timeout. Times for ZMap include a fixed 8 second delay to wait for responses after the final probe
Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today -

LVL 64

Accepted Solution

btan earned 500 total points
ID: 40404822
Also this SAN article is useful insight using masscan and nmap (did nto share the nse though) that est covering ~20 Million IP. Note masscan is used to also cover the /8 range
Masscan uses a similar command line to nmap.

            >masscan -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000

     -oG 10-scan-ssl - -max-rate 10000

-oG Grepable output
-p port to scan network to scan

-oG Output in grepable format
10-scan-443 is filename created by scan
--make-rate sets the speed of the scan

Once Masscan has quickly identified targets for deeper inspection, you can use your more specific tool to determine if the system is vulnerable.

Author Closing Comment

ID: 40413983
I haven't tried masscan due to an installation issue. Tried installing on Windows but it didn't work.  Haven't tried it on a Linux machine yet.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40414875
Try this executeable I compiled for Masscan for windows using Mingw:

masscan.exe -p80,443 --rate 10000 --banners -oX output.xml
LVL 64

Expert Comment

ID: 40415011
can check this post on building option

While Linux is the primary target platform, the code runs well on many other systems. Here's some additional build info:

    Windows w/ Visual Studio: use the VS10 project
    Windows w/ MingGW: just type make
    Windows w/ cygwin: won't work
    Mac OS X /w XCode: use the XCode4 project
    Mac OS X /w cmdline: just type make
    FreeBSD: type gmake

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read about achieving the basic levels of HRIS security in the workplace.
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question