Script to execute multiple nmap scans
- Login o registrati per inviare commenti
While gathering data on multiple PTR records I found that I could
expedite the process by subdividing large CIDR blocks, for example:
CIDR/20 ===> CIDR/22 | CIDR/22 | CIDR/22 | CIDR/22
Putting the task another way:
Oct04.Oct03/0.0/20 = Oct04.Oct03.0.0/22 plus Oct04.Oct03.4.0/22 plus Oct04.Oct03.8.0/22 plus Oct04.Oct03.12.0/22
because the inevitable empty IPv4 addresses introduce big latencies; i.e.,
large scans stall unless I isolate the empty CIDR blocks.
I can proceed through a long list of CIDR blocks at about the optimal rate
this way if I limit the scans to ca. a thousand IPv4 addresses with each
nmap scan by simply keeping a number of terminal windows at work at the same time.
I'm now faced with a number of really large CIDR blocks, such as /16, /15 ... /8 for
which I need to prepare a script of the form:
awk {i=0; ++i; while [i<=NF]; do sudo nmap -arguments {$0 in }0/24 > nMap-{$0 in }0-24.txt}
where SourceFile contains the principal subdivisions:
`Oct04.Oct03.Oct02.`
`Oct04.Oct03.Oct02.`
...
`Oct04.Oct03.Oct02.`
Additional CIDR/16 blocks can easily be generated from the first, 64-row sourcefile
in Leafpad.
But this approach stalls without even prompting me for a password ...
George Langford
The AWK program makes little sense (the loop never terminates because i is not altered in it, it is not used at all in fact, the loop should probably be "for (i = 0; ++i <= NF; )", command lines to execute from a AWK program should be in argument of "system(...)", etc.).
Nevertheless, I very much doubt your approach ("keeping a number of terminal windows at work at the same time") is reasonable. I imagine one single execution of 'nmap' (or maybe of another command), with the proper input, can probably do most if not all you are trying to achieve. However, I do not really understand what it is and I do not know 'nmap' either. I just took a look at the beginning of the description in 'man nmap' ("It was designed to rapidly scan large networks") and at its examples (most of them deals with hundreds or more of IP addresses at once).
Magic Banana wonders whether I should just be going after one CIDR/16 rather than 64 CIDR/22's.
Most of the large CIDR blocks whose PTR's and port status I'm querying have a lot of empty
IPv4 addresses near the beginning or near the end, with interesting stuff near the middle, so
they take nearly forever to scan. After subdivision, I get quick responses from some and
stalled responses from others, which I can terminate after a few minutes.
I've had as many as ten terminal sessions open at once without any interference; the ability
to switch workspaces in trisquel is a big advantage that lets me multiply the available screen
space by a factor of four.
There's an argument "--host-timeout : Give up on target after this long" but with
256 times 256 = 65,536 targets to scan, and a one second timeout, that could still "limit"
my scan of a /16 address range to several hours. One cooperative CIDR/22 block has 1024
addresses and takes a couple of minutes to return data. That one second timeout wouldn't let
nmap give up until twenty minutes have passed. I worry that a shorter timeout would abort
too many otherwise useful scans ... A proper script would show progress as a list of output
files, one for each /22 scan.
Again: I do not know Nmap. However, taking a new look at the documentation, it looks like you want to use option --min-hostgroup with a large value (maybe 256, 512 or 1024).
Again, Magic Banana's input is positive & welcome.
Re-running this scan:
sudo nmap -sS -p3389 -T4 --host-timeout 300 CIDR/14 > ASN-CIDR-14.txt
which found 180138 hosts up in 8939.46 seconds (finished ca. 13:00 EST)
Followed a few hours later by:
sudo nmap -sS -p3389 -T4 --host-timeout 300 --min-hostgroup 25 CIDR/14 > Test-CIDR-14.txt
which found 172711 hosts up in 6525.34 seconds (finished ca. 15:00 EST)
Also the enhanced nmap scan found a few more open ports 3389 (108 vs. 97).
Addresses that timed out in the first scan are absent in the second scan,
but were resolved to their PTR's nevertheless, which can be an advantage.
Adding --host-timeout enabled me to gather 100MB of addresses & PTR's
in around four hours without resorting to subdivision of their CIDR's.
You probably want an even higher argument. 'man nmap' says (about --min-hostgroup and --max-hostgroup):
The primary use of these options is to specify a large minimum group size so that the full scan runs more quickly. A common choice is 256 to scan a network in Class C sized chunks. For a scan with many ports, exceeding that number is unlikely to help much. For scans of just a few port numbers, host group sizes of 2048 or more may be helpful.
Progress !
There is a way to run nmap on a list of CIDR blocks, using -iL and an
inputfilename, but it's slightly slower for a subdivided CIDR block than
for scanning the block as an entirety.
nmap does periodically save the output file, so there is some progress feedback.
I haven't worked out a way of subdividing the output files anyway ...
Setting a timeout is done with --host-timeout
and that makes a huge difference:
Timeout...Hosts up.........Scan time....Open ports 3389
1 sec .... 259 ............ 31 sec ....... none
10.........4022 ............ 296 ............ 7
30.........8248 ............ 808 ............ 37
100.......11394 ........... 1788 .......... 96
Setting the aggressiveness with -T4 (fast)
Timeout...Hosts up.........Scan time....Open ports 3389
30 sec ....9699 ............ 809 ............ 39
100 .......11280 ........... 1320 ........... 92
Doing the nmap scan directly on the CIDR/16 block without
subdivision as well as setting the -T4 aggressiveness:
Timeout...Hosts up.........Scan time....Open ports 3389
30 sec ....9650 ............ 794 ............ 49
100 .......11379 ........... 1472 ........... 93
The main casualty of using the timeout feature is that the
counting of open ports 3389 is adversely affected, but the
hostnames of "timed-out" addresses are resolved anyway.
With ten terminals open at one, that works out to about
three minutes per CIDR/16 block with timeouts of 100 sec
and -T4 aggressiveness, which gives good progress of my
task of counting duplicated PTR hostnames.
- Login o registrati per inviare commenti