Nmap - scanning large networks

One of the major probles when using Nmap is the time it takes to perform a scan increases depending on

  • number of hosts.
  • number of ports
This article provides a simple solution for scanning large networks.

Firstly - How Namp works

NMAP works by first identifying if a host is up and if it is it then scans it. If it determines the host is not up then it doesn’t bother scanning. The –P0 bypasses this “host-up” check and makes it think that all hosts are up. The other method is to tell it how to perform the “host-up” check with –PE and –PS options (also a few more but these are the interesting ones).
  • -PE = Send an ICMP ping and if you get a response then the host should be considered as up.
  • -PS = Send a TCP SYN to the specified port(s) and if you get a response (e.g. TCP RST or TCP SYN ACK), then the host should be considered as up. If either of the above respond then the host is considered as up.
For example:

Nohup nmap –PE –PS80,443,8080,6000,22,23 –T Aggressive –oA results –n –iL filename-containing-hosts-or-networks –p1-65535

  • -PE = Send an ICMP to help determine if host is up
  • -PS80,443,8080,6000,22,23 = Send TCP SYN to all the above ports, if you get a SYN ACK or RST back then host should be considered as up
  • -T Aggressive = go fast mode (may need to reduce if over slow network)
  • -oA results = save all output into file results.gnmap, results.xml, results,nmap etc (saves in all formats)
  • -n = don’t bother with DNS reverse-resolution
  • -iL filename = Take all IPs from the chosen input file (one address or network per line – networks specified in CIDR format etc).
  • -p1-65535 = If the host is up then TCP port scan all 65535 ports (or whatever you want to scan) – By default it does 1-1024 and also only well-known ports above 1024.