Aaaaaargh, my port scan take forever to complete! Heard that one before? You should have, it is a common complaint often heard between CTF rookies. Today we are looking into some ways to mitigate slow scans.

Nmap

When looking at the various complaints, Nmap seem to be the culprit. Gamers bash it for being slow and whatnot. Is it that bad? No, it isn’t. It’s all PEBCAK. It’s all about knowing how to use Nmap. Let me tell you about how I use it:

When picking up a game, I divide my scans into two steps:

  1. Initial quick scan
  2. Port investigation

I first scan the entire port range just to find out what is open or not. Then I move on to investigate the ports which was found to be open.

Initial scan

I usually use this command:

nmap --min-rate 1000 --max-retries 5 -p1-65535 -Pn 10.10.10.20

The arguments are as follows:

Option Comment
–min-rate Send packets no slower than number per second
–max-retries Specify the maximum number of port scan probe retransmissions
-Pn Treat all hosts as online — skip host discovery

Port investigation

To save some time I enumerate only the open ports found.

nmap -A -sV -p22,3366 -Pn 10.10.10.20

The arguments are as follows:

Option Comment
-A Enable OS detection, version detection, script scanning, and traceroute
-sV Probe open ports to determine service/version info
-Pn Treat all hosts as online — skip host discovery

What about UDP?

Well, it’s a rarity in my opinion – but it is an important rarity, indeed! The above Nmap commands works well for UDP too! Just alter the commands to support UDP (add -sU switch).

Masscan

I picked this one up from playing over at Hack The Box.

masscan -p1-65535,U:1-65535 10.10.10.20 --rate=1000 -e tun0

Option Comment
-p1-65535,U:1-65535 Scan all TCP and UDP ports
–rate=1000 How many packets per second
-e ens33 Listen on this network interface for responses

 

Advertisements