Change the quick nmap scan Feature request #47

Open
T3rm1nal23 opened this issue Sep 7, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@T3rm1nal23

Scans may be faster if the quick punched scan added the -Pn flag and used --top-ports 500 (or whatever number makes sense), and then the hosts that are found to be up with that scan were only scanned with the aggressive scan.

@defektive
Collaborator

The quick nmap scan is designed to find all open ports, which are then passed to a more aggressive scan to determine the host OS and service banners. I think we should add a few commands to the discover phase:

nmap -sn -PS80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900 
nmap -sn -PA80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900 

@defektive defektive added the enhancement New feature or request label Dec 18, 2021
@defektive
Collaborator

Not really a fix, but I've been adjusting my workflow to not run individual nmap scans on the hosts. Instead, I've been:

  • run as-host-discovery against the desired scope.
  • run as-port-scan-tcp.tengo incremental against the active hosts file generated by as-host-discovery

example:

echo 10.0.28.0/24 > scope-ips.txt 
echo 10.0.29.0/24 >> scope-ips.txt
echo 10.0.3.0/24 >> scope-ips.txt
as-host-discovery scope-ips.txt

You can configure what ports are used by nmap for host discovery via arsenic config

arsenic config discover.top-tcp-count 500
arsenic config discover.top-udp-count 100

You can also configure the timing profile used.

arsenic config discover.timing-profile 5

Once this process is complete, you'll have some new scope-*-active-* files. This is where as-port-scan-tcp.tengo incremental comes in. You can perform TCP scans in batches; the default is 500 ports at a time. The script will scan popular ports first, then fill in the rest, removing ports already scanned.

as-port-scan-tcp.tengo incremental -s scope-ips-active-ipv4.txt

Once the first batch is done you can use arsenic analyze --nmap to create host dirs based on hosts with open ports. You can re-run analyze as you get more data back. I also use nex to merge incremental nmap XML files into a single nmap.xml, then split the merged file out to the host directories.

nex merge recon/nmap-tcp-incremental-500-scope-ips-active-ipv4-txt-*.xml
nex split -p nmap-merge -n nmap-punched-tcp --ignore-nmap --ignore-gnmap

This has significantly reduced my time to scan results. Hopefully this process will be baked into the discover and recon processes, so there is less manual effort.
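The merge-then-split step above (nex merge, nex split, and the "hosts with open ports" filter that arsenic analyze --nmap applies) is easy to reason about once you see the data flow. The following is an added example, not code from arsenic or nex: it merges the per-batch nmap XML results of an incremental scan in memory using only the Python standard library, reports which hosts have open ports, and serializes one minimal per-host XML document. The two batch documents are constructed samples using RFC 5737 documentation addresses, and the function names are this example's own.

```python
"""Merge incremental nmap XML batches and split the result per host.

Added example (not arsenic's or nex's code). Input is a list of nmap XML
documents, one per incremental batch; output is a per-host view suitable
for writing into host directories. Only hosts nmap reported as "up" are
kept, and when two batches report the same port, the later batch wins.
"""
import xml.etree.ElementTree as ET

# Constructed sample: batch 1 of an incremental scan (popular ports first).
BATCH_1 = """<nmaprun scanner="nmap" args="nmap -p 22,80,443 (constructed)">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="closed"/></port>
</ports></host>
</nmaprun>"""

# Constructed sample: batch 2 covers ports not scanned in batch 1, and
# includes a host that did not respond at all.
BATCH_2 = """<nmaprun scanner="nmap" args="nmap -p 3306,8080 (constructed)">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="3306"><state state="closed"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="3306"><state state="filtered"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/></port>
</ports></host>
<host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_hosts(xml_text):
    """Return {addr: {(proto, port): (state, service)}} for hosts reported up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # nmap did not consider this host alive; nothing to merge
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = hosts.setdefault(addr_el.get("addr"), {})
        for port in host.findall("ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state_el = port.find("state")
            svc_el = port.find("service")
            ports[key] = (
                state_el.get("state") if state_el is not None else "unknown",
                svc_el.get("name") if svc_el is not None else "",
            )
    return hosts


def merge_nmap_xml(xml_texts):
    """Union of all batches; a later batch overrides an earlier result for the same port."""
    merged = {}
    for text in xml_texts:
        for addr, ports in parse_hosts(text).items():
            merged.setdefault(addr, {}).update(ports)
    return merged


def open_ports(merged, addr, proto="tcp"):
    """Sorted open port numbers for one host and protocol."""
    return sorted(p for (pr, p), (state, _) in merged.get(addr, {}).items()
                  if pr == proto and state == "open")


def hosts_with_open_ports(merged):
    """Hosts that would get a host directory: at least one open port."""
    return sorted(a for a, ports in merged.items()
                  if any(state == "open" for state, _ in ports.values()))


def split_by_host(merged):
    """Serialize one minimal nmaprun document per host (the 'split' step)."""
    out = {}
    for addr, ports in merged.items():
        run = ET.Element("nmaprun", scanner="nmap")
        host = ET.SubElement(run, "host")
        ET.SubElement(host, "status", state="up")
        ET.SubElement(host, "address", addr=addr, addrtype="ipv4")
        ports_el = ET.SubElement(host, "ports")
        for (proto, portid), (state, service) in sorted(ports.items()):
            p = ET.SubElement(ports_el, "port", protocol=proto, portid=str(portid))
            ET.SubElement(p, "state", state=state)
            if service:
                ET.SubElement(p, "service", name=service)
        out[addr] = ET.tostring(run, encoding="unicode")
    return out


if __name__ == "__main__":
    merged = merge_nmap_xml([BATCH_1, BATCH_2])
    for addr in hosts_with_open_ports(merged):
        print(addr, "open tcp:", open_ports(merged, addr))
    for addr, doc in split_by_host(merged).items():
        print(f"--- {addr} ---\n{doc}")
```

Because the merge is keyed on (protocol, port) per host, re-running it after each new batch is idempotent: the same incremental files can be fed in again without duplicating ports, which is what makes "re-run analyze as you get more data back" safe. Note that a host with only closed or filtered ports (192.0.2.11 here) still gets a split document but is not listed as having open ports, and a host nmap reported down is dropped entirely.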
