nmap: ultra-fast and efficient port scanning

This article was first published on the blogger's public account LISTONE; you are welcome to follow it!

Today I took part in a risk assessment project for a certain organisation. Before the assessment, I needed to gather information on the target. I used msf to detect the live hosts on the two target network segments and found that there were 70 of them. Port-scanning those live hosts cost me a lot of time at first; after searching through various sources I found a set of parameters that greatly improves nmap's scanning speed, which I share here in the hope that it is helpful to everyone.


The following screenshot shows the actual scanning result: scanning 70 IPs took only 12.41 seconds.
(screenshot: scan result)

I think this is many times faster than the default settings. Here are my scan parameters:

sudo nmap -sS -Pn -n --open --min-hostgroup 4 --min-parallelism 1024 --host-timeout 30 -T4 -v -oG result.txt -iL ip.txt

Brief explanation:
-sS: SYN ("half-open") scan. The default is -sT, a TCP connect scan, which has to complete the full three-way handshake and is therefore more time-consuming; the SYN scan is faster.

-Pn: skip ping-based host discovery. This is faster and also prevents hosts that do not answer ping from being missed and left unscanned.

-n: function unknown to the author; in nmap this flag disables reverse DNS resolution of the scanned addresses, which saves a lookup per host.

--open: output only the ports whose detected state is open, i.e. open ports.

--min-hostgroup 4: adjust the minimum size of the group of hosts scanned in parallel.

--min-parallelism 1024: adjust the minimum number of probe packets kept outstanding in parallel.

--host-timeout 30: give up on a host once its scan exceeds the timeout, instead of waiting on it.

-T4: the timing templates run from T0 to T5; T4 seems to be a reasonable compromise.

-v: print the detailed scanning progress.

-oG: write the output in grepable format, one record per line, which is easy to process afterwards.

-iL: load the IP addresses or ranges from a file and scan them in one batch, so there is no need to run nmap one target at a time.
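The grepable output written by -oG is the part that gets processed afterwards: the assessment team needs a per-host list of open ports, and a quick way to see which hosts expose services that deserve review first. The following Python script is an added example and is not code from the original post or from nmap. It parses a constructed -oG sample (the addresses, services and timings are made up), builds an inventory of open ports per host, counts how many hosts expose each port, and flags hosts with an open port on a hypothetical watch-list. It generalises slightly beyond the command above: it checks the state field of every port entry, so it also works on scans that were run without --open.

```python
"""Parse nmap grepable (-oG) output into a per-host inventory of open ports."""
from collections import Counter

# Constructed sample of -oG output; the addresses, services and timings are made up.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Fri Apr 10 10:00:00 2020 as: nmap -sS -Pn -n -oG result.txt -iL ip.txt
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///, 23/filtered/tcp//telnet///\tIgnored State: closed (997)
Host: 192.0.2.12 ()\tStatus: Up
# Nmap done at Fri Apr 10 10:00:09 2020 -- 3 IP addresses (3 hosts up) scanned in 9.50 seconds
"""

# Ports a defender usually wants to review first when they are reachable from
# another network segment (hypothetical watch-list chosen for this example).
WATCHLIST = {23: "telnet", 445: "smb", 3389: "rdp"}


def parse_gnmap(text):
    """Return {ip: {"status": str | None, "ports": [(port, proto, state, service), ...]}}.

    Each -oG "Host:" line is a tab-separated list of "Key: value" fields; the
    "Ports:" field holds comma-separated entries of the form
    port/state/proto/owner/service/rpcinfo/version/ .
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer comments
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part, empty under -n
        entry = hosts.setdefault(ip, {"status": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "Ports" in fields:
            for item in fields["Ports"].split(","):
                parts = item.strip().split("/")
                # parts: [port, state, proto, owner, service, rpcinfo, version, '']
                entry["ports"].append((int(parts[0]), parts[2], parts[1], parts[4]))
    return hosts


def open_ports(hosts, ip):
    """Sorted list of open port numbers for one host."""
    return sorted(p for p, _proto, state, _svc in hosts[ip]["ports"] if state == "open")


def flag_exposures(hosts, watchlist=WATCHLIST):
    """(ip, port, service) for every *open* watch-listed port, sorted by address then port."""
    findings = []
    for ip, entry in hosts.items():
        for port, _proto, state, service in entry["ports"]:
            if state == "open" and port in watchlist:
                findings.append((ip, port, service or watchlist[port]))
    return sorted(findings)


def port_counts(hosts):
    """How many hosts expose each open port: a quick view of a segment's exposed services."""
    return Counter(port for entry in hosts.values()
                   for port, _proto, state, _svc in entry["ports"] if state == "open")


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip in sorted(inventory):
        print(ip, inventory[ip]["status"], open_ports(inventory, ip))
    print("watch-listed exposures:", flag_exposures(inventory))
    print("most common open ports:", port_counts(inventory).most_common(3))
```

To use it on a real run, read result.txt into a string and pass it to parse_gnmap; hosts that were up but showed no open ports appear with an empty port list, so nothing from the scan is silently dropped.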


Origin: blog.csdn.net/cookieXSS/article/details/105475535