Nmap (http://www.insecure.org/nmap) is the most popular network scanner, widely used and just as widely misused. Most people ignore its many switches (options) and run it with the default parameters. Nmap's options let you prioritize either SPEED or STEALTH; here I'll mainly talk about maximizing SPEED.
I'll demonstrate this by scanning localhost, i.e. my own computer, via the loopback address 127.0.0.1 as a non-root user. Because the user is unprivileged, nmap cannot send raw SYN packets and falls back to a full TCP connect() scan, which is why the output below says "Connect() Scan":
[d00m@localhost d00m]$ nmap -v 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-11-21 23:44 EST
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Initiating Connect() Scan against localhost.localdomain (127.0.0.1) at 23:44
Adding open port 631/tcp
Adding open port 6000/tcp
Adding open port 25/tcp
The Connect() Scan took 0 seconds to scan 1659 ports.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
631/tcp  open  ipp
6000/tcp open  X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0.585 seconds
Time taken for default scan = 0.585 seconds
Now let's improve the speed with the "-P0" switch, which disables the ping (host discovery) probe nmap normally sends before it starts scanning a target. Later nmap versions spell this switch "-Pn". Only use it against hosts you already know are up: against a host that is down or silently firewalled, skipping the ping means nmap sends every port probe and waits out every timeout instead of giving up after the ping.
[d00m@localhost d00m]$ nmap -v -P0 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-11-21 23:51 EST
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Initiating Connect() Scan against localhost.localdomain (127.0.0.1) at 23:51
Adding open port 631/tcp
Adding open port 6000/tcp
Adding open port 25/tcp
The Connect() Scan took 0 seconds to scan 1659 ports.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
631/tcp  open  ipp
6000/tcp open  X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0.248 seconds
Time taken = 0.248 seconds
Previous time taken = 0.585 seconds
Adding the "-F" (fast) switch cuts the scan time further. It restricts the scan to the well-known ports listed in nmap's nmap-services file (1217 ports in the run below) instead of the larger default port set (1659 ports in the runs above). Note that the default does not probe all 65535 TCP or UDP ports either; only an explicit "-p 1-65535" does that.
[d00m@localhost d00m]$ nmap -v -P0 -F 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-11-21 23:55 EST
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Initiating Connect() Scan against localhost.localdomain (127.0.0.1) at 23:55
Adding open port 631/tcp
Adding open port 25/tcp
Adding open port 6000/tcp
The Connect() Scan took 0 seconds to scan 1217 ports.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1214 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
631/tcp  open  ipp
6000/tcp open  X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0.229 seconds
The time difference isn't dramatic, but remember that I am scanning my own computer over loopback, NOT a host on the LAN or the Internet. Sub-second loopback runs are dominated by nmap's own start-up time, so repeat them a few times before reading anything into the numbers. Against a remote host, where every probe waits on a network round trip and each closed or filtered port costs a timeout, the saving from sending fewer probes is much larger.
However, the drawback is that improving speed means compromising stealth and coverage: packing more probes into less time makes the scan more conspicuous to an IDS or a rate-based firewall, and "-F" never probes a service that sits on a port outside nmap's list, so a fast scan can miss what a full one would find.
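To make the comparison above repeatable, here is an added example (not code from the original page or from the Nmap project) that times each option set several times against a target and parses the nmap -v output for the open ports, the number of ports probed and the elapsed time. It assumes a modern nmap on PATH, which spells this page's -P0 as -Pn, and it adds a -T4 set that goes beyond what the page runs; when nmap is not installed it falls back to parsing the page's own pasted output. The missed_by_fast check compares the open ports found by the full and -F scans, which is exactly the coverage you give up for speed.

```python
"""Benchmark nmap speed switches and parse nmap -v output.

Added example (not code from the original page or from the Nmap project).
Assumes a modern nmap on PATH, which spells the page's -P0 as -Pn; when
nmap is absent, the parser runs on the page's pasted output instead.
"""
import re
import shutil
import subprocess
import time

# Option sets in the order the page tries them, plus one -T4 set that goes
# beyond the page (the "-T" switch from its final tips).
OPTION_SETS = {
    "default": [],
    "no-ping": ["-Pn"],                      # -P0 in nmap 3.50: skip host discovery
    "no-ping-fast": ["-Pn", "-F"],           # -F: only nmap's well-known port list
    "no-ping-fast-T4": ["-Pn", "-F", "-T4"], # beyond the page: Aggressive timing
}

# One "open" line per port, e.g. "631/tcp  open  ipp"
OPEN_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.M)
# nmap 3.x: "took 0 seconds to scan 1659 ports"; modern: "(1000 total ports)"
SCANNED_RE = re.compile(r"to scan (\d+) ports|\((\d+) total ports\)")
# Both "Nmap run completed -- ..." (3.x) and "Nmap done: ..." end this way
ELAPSED_RE = re.compile(r"scanned in ([\d.]+) seconds")


def parse_nmap_output(text):
    """Return (open_ports, ports_scanned, elapsed_seconds) from nmap -v text.

    open_ports is a list of (port, proto, service); the other two are None
    when the matching line is absent."""
    open_ports = [(int(p), proto, svc)
                  for p, proto, svc in OPEN_PORT_RE.findall(text)]
    m = SCANNED_RE.search(text)
    scanned = int(next(g for g in m.groups() if g)) if m else None
    m = ELAPSED_RE.search(text)
    elapsed = float(m.group(1)) if m else None
    return open_ports, scanned, elapsed


def missed_by_fast(full_ports, fast_ports):
    """Open ports seen by the full scan but not by the -F scan.

    This is the coverage the fast scan gives up: -F only probes the ports in
    nmap's list, so a service on an unusual port is never probed at all."""
    fast = {(p, proto) for p, proto, _ in fast_ports}
    return [p for p, proto, _ in full_ports if (p, proto) not in fast]


def benchmark(target="127.0.0.1", runs=3):
    """Time each option set against target; return {name: (mean_s, open_ports)}.

    Wall-clock of the whole process is measured, matching the page's figures,
    which include nmap start-up; several runs are averaged because a single
    sub-second loopback run is mostly noise."""
    nmap = shutil.which("nmap")
    if nmap is None:
        raise RuntimeError("nmap not found on PATH")
    results = {}
    for name, opts in OPTION_SETS.items():
        samples, open_ports = [], []
        for _ in range(runs):
            t0 = time.monotonic()
            proc = subprocess.run([nmap, "-v", *opts, target],
                                  capture_output=True, text=True, check=False)
            samples.append(time.monotonic() - t0)
            open_ports, _, _ = parse_nmap_output(proc.stdout)
        results[name] = (sum(samples) / len(samples), open_ports)
    return results


# The page's own default and -P0 -F output, trimmed to the lines the parser uses.
SAMPLE_DEFAULT = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-11-21 23:44 EST
The Connect() Scan took 0 seconds to scan 1659 ports.
PORT     STATE SERVICE
25/tcp   open  smtp
631/tcp  open  ipp
6000/tcp open  X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0.585 seconds
"""
SAMPLE_FAST = """\
The Connect() Scan took 0 seconds to scan 1217 ports.
PORT     STATE SERVICE
25/tcp   open  smtp
631/tcp  open  ipp
6000/tcp open  X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0.229 seconds
"""

if __name__ == "__main__":
    try:
        for name, (mean_s, ports) in benchmark().items():
            print(f"{name:16s} {mean_s:.3f}s  open={[p for p, _, _ in ports]}")
    except RuntimeError as exc:
        print(f"{exc}; parsing the page's pasted output instead")
        for label, sample in (("default", SAMPLE_DEFAULT), ("-P0 -F", SAMPLE_FAST)):
            ports, scanned, elapsed = parse_nmap_output(sample)
            print(f"{label:8s} scanned={scanned} elapsed={elapsed}s "
                  f"open={[p for p, _, _ in ports]}")
```

Run it as root and the same option sets drive a SYN scan instead of connect(), which is itself faster. The wall-clock figures include nmap's start-up, so compare the sets against each other rather than reading absolute values, and against a remote host raise runs and expect the gaps between sets to widen.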
Some final tips :
- www.ping2me.com offers online nmap scans
- Also explore the "-T" switch, which selects a timing template from -T0 (Paranoid) through -T5 (Insane); -T4 (Aggressive) is the usual choice for fast scans on a reliable network. Check out nmap's documentation for further details.