Nmap - Scanning Large Networks

One of the major problems when using Nmap is the increase in time when performing a scan. This depends on two factors:

  • Number of hosts
  • Number of ports

This article provides a simple solution for scanning large networks.

Firstly - How Nmap Works

Nmap (Network Mapper) works by first checking whether a host is up; if it is, Nmap scans it. If Nmap determines that a host is not up, it does not scan it at all.
The -P0 option bypasses this "host-up" check and makes Nmap treat every host as up. The other method is to tell Nmap how to perform the "host-up" check with the -PE and -PS options (there are a few more, but these are the interesting ones).
  • PE - Send an ICMP echo request (ping); if you get a response, the host is considered up.
  • PS - Send a TCP SYN to the specified port(s); if you get a response (e.g. TCP RST or TCP SYN/ACK), the host is considered up. If either of the above gets a response, the host is considered up.
For example:

nohup nmap -PE -PS80,443,8080,6000,22,23 -T Aggressive -oA results -n -iL filename-containing-hosts-or-networks -p1-65535

  • PE - Send an ICMP echo request to help determine whether the host is up
  • PS80,443,8080,6000,22,23 - Send a TCP SYN to each of the listed ports; if you get a SYN/ACK or RST back, the host is considered up
  • T Aggressive - fast timing template (you may need to reduce this if scanning over a slow network)
  • oA results - save the output in all formats: results.gnmap, results.xml and results.nmap
  • n - don't bother with reverse DNS resolution
  • iL filename - take all targets from the chosen input file (one address or network per line; networks are given in CIDR notation, e.g. 192.168.0.0/24)
  • p1-65535 - if the host is up, TCP port scan all 65535 ports (or whichever range you want). By default Nmap scans ports 1-1024 plus only the well-known ports above 1024.
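The results.gnmap file written by -oA is the one to work from when you scan a large network: it is line-oriented, one host per line, so it is easy to pull out which hosts answered the -PE/-PS probes and which ports are open, and to feed the live hosts back into a later, narrower scan via -iL. The parser below is an added example, not code from the original article or from the Nmap project; the sample greppable output it parses is constructed to look like what the article's command would write, and the function names (parse_gnmap, hosts_up, live_hosts_file) are the example's own. (Current Nmap releases spell the skip-discovery option -Pn; -P0 is the older name and is still accepted.)

```python
"""Parse Nmap greppable output (the results.gnmap written by -oA) and report
which hosts were up and which TCP ports are open on each.
Added example; not part of the original article or of Nmap itself."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of greppable output, as the article's command would write
# it to results.gnmap. Each Host: line is tab-separated; port entries follow the
# format port/state/protocol/owner/service/rpc-info/version/ .
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -PE -PS80,443,8080,6000,22,23 -T Aggressive -oA results -n -iL hosts.txt -p1-65535
Host: 192.168.0.5 ()\tStatus: Up
Host: 192.168.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)
Host: 192.168.0.9 ()\tStatus: Down
Host: 192.168.0.17 ()\tStatus: Up
Host: 192.168.0.17 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (65534)
# Nmap done -- 3 IP addresses (2 hosts up) scanned
"""

# One port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return (status_by_ip, open_ports_by_ip).

    status_by_ip maps each IP to its 'Status:' value ('Up' / 'Down').
    open_ports_by_ip maps each IP to a list of (port, protocol, service)
    tuples for ports in state 'open' only; closed/filtered ports are dropped.
    """
    status = {}
    open_ports = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer comments
        fields = line.split("\t")
        ip = fields[0].split()[1]  # 'Host: 192.168.0.5 ()' -> '192.168.0.5'
        for field in fields[1:]:
            if field.startswith("Status:"):
                status[ip] = field.split(":", 1)[1].strip()
            elif field.startswith("Ports:"):
                for port, state, proto, _owner, service, _rpc, _ver in PORT_RE.findall(field):
                    if state == "open":
                        open_ports[ip].append((int(port), proto, service))
    return status, dict(open_ports)


def hosts_up(text):
    """IPs reported as Up, sorted numerically rather than as strings."""
    status, _ = parse_gnmap(text)
    return sorted((ip for ip, s in status.items() if s == "Up"),
                  key=ipaddress.ip_address)


def live_hosts_file(text):
    """Render the up hosts one per line, ready to be saved and passed to -iL."""
    return "".join(ip + "\n" for ip in hosts_up(text))


if __name__ == "__main__":
    status, ports = parse_gnmap(SAMPLE_GNMAP)
    for ip in hosts_up(SAMPLE_GNMAP):
        listing = ", ".join(f"{p}/{proto} ({svc})" for p, proto, svc in ports.get(ip, []))
        print(f"{ip}: {listing or 'no open ports'}")
    print("live hosts for a follow-up -iL:\n" + live_hosts_file(SAMPLE_GNMAP), end="")
```

Splitting the job this way is what keeps large scans tractable: the discovery-heavy first pass decides which addresses are worth a full 65535-port scan, and live_hosts_file() gives you the much shorter target list for the second pass. Note that with -n the hostname field is always empty (the "()" after the address), and that hosts reported Down only appear in the greppable file when Nmap is run with extra verbosity.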