Update: I was going through some notes for a certification I once took, and just remembered that an NMAP UDP scan is limited to sending 1 packet per second on Linux, which is also why you should separate your TCP and UDP scans on large networks.
If you configure the firewall on the target device to send ICMP Port Unreachable, the UDP scan will of course be faster.
Scanning fewer ports is a good idea too, and if possible, use several scanning machines. If you're on a wireless network, move closer to the router, as this will also increase the scanning speed. (On a wired network, be close to the high-bandwidth backbone.)
That's pretty much some of the best advice I can give at the moment :)
blueaxis wrote: MeXe - Thank you very much for your input. So it appears the following strategy would be a good start.
1. Pick a host, scan for all TCP ports. Of course with timing options enabled.
2. Repeat step 1 for all the remaining hosts.
3. Pick a host, scan for all UDP ports.
4. Repeat step 3 for all the remaining hosts.
5. Selectively run -sV after analyzing results from step 1 through 4.
Does that sound correct?
Hmm...as I am writing this a question pops.
How do I manage the output? database? text file? greppable format?
Thanks in advance!
No problem, however, you do NOT use steps 1 and 3, because different computers have different ports open. So either you scan for the most commonly used ports or the services you want to find, such as telnet, SNMP, etc., or you scan all ports on all hosts.
Scanning one host and then applying this to all other hosts will not give you a realistic picture, as a Windows machine may have ports 135 and 445 open, while Linux will not unless Samba is installed. On a lot of Linux equipment, on the other hand, you may find ports 22 and 80 open, while on Windows equipment you will often, but not always, find 3389 (RDP). Therefore you cannot just scan one host and repeat the same process for all hosts ;)
You can run -sV selectively, for example on targets that appear to be servers, as they're often more critical to the business than clients containing no valuable data, e.g. they may not pose a huge risk compared to a database full of classified information stored on a server. During each pentest, you should always try to identify where the highest risk is for the company, and attack that. If you were the company, would you lose money if one regular, low-privileged client were compromised, compared to a highly privileged client or a server? :) Therefore you must prioritize if you're doing this all by yourself and you don't have infinite time.
If you're just doing an assessment and you're not going to exploit any services (aka pentest the network), then you should scan all hosts to identify the black sheep. The scanning will of course take a lot longer, but since your goal is most likely not to get 100 shells, you'll be fine. However, wherever you're planning this scan, find out whether you're going to break into the services, or just map the network and its services for e.g. a vulnerability assessment.
You can output it in various formats, including grepable format, XML format, normal output and even a few more. There are also a few tools that will create reports for you, which you may feel like trying out.
If you're going to scan the open services later on, find out which formats e.g. Nessus or Nexpose support, so you can export the results from NMAP into that format and import it directly into those vulnerability scanners.
You can also go through it manually, which I've done on networks of ~30-60 hosts. The more hosts, the longer it takes, even though you'll quickly be able to spot anomalies that shouldn't be there, but if you're good with regex and grep, use that ;D
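The triage step described in this thread (full TCP sweep of every host, spot the black sheep, then run -sV only where it pays off), worked through in code. This is an added example, not code from the thread or from the Nmap project; the grepable (-oG) sample inside it is constructed, the "windows-like"/"unix-like" port heuristics and the list of server-role services are assumptions you would tune per network, and the idea of feeding -sV only the ports already found open on each host is an added time-saving choice rather than something the posts prescribe.

```python
"""Triage an Nmap grepable (-oG) TCP sweep: parse it, group hosts by
open-port profile, flag hosts that deviate from their group (black sheep),
and emit a selective -sV command per host worth the extra time.

Added example for the thread above; not Nmap project code.
"""
import ipaddress
from collections import Counter, defaultdict
import re

# Constructed sample -oG output (not real scan data). Real files use the
# same tab-separated "Host: ... \tPorts: ... \tIgnored State: ..." layout.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p- -T4 -oG tcp.gnmap 10.0.0.0/28
Host: 10.0.0.5 (srv-db)\tStatus: Up
Host: 10.0.0.5 (srv-db)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (65533)
Host: 10.0.0.10 (ws-01)\tStatus: Up
Host: 10.0.0.10 (ws-01)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65532)
Host: 10.0.0.11 (ws-02)\tStatus: Up
Host: 10.0.0.11 (ws-02)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 23/open/tcp//telnet///\tIgnored State: filtered (65531)
Host: 10.0.0.12 (ws-03)\tStatus: Up
Host: 10.0.0.12 (ws-03)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (65533)
# Nmap done at Mon Jan  1 10:30:00 2024 -- 16 IP addresses (4 hosts up) scanned in 1800.00 seconds
"""

# Assumed list of services that mark a host as "server-like" for this triage.
SERVER_SERVICES = {"http", "https", "ftp", "smtp", "domain", "ldap",
                   "mysql", "ms-sql-s", "postgresql", "oracle"}

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"name": hostname, "ports": {(port, proto): service}}}.

    Only open ports are kept. Each -oG port entry has the fixed shape
    port/state/proto/owner/service/rpc/version/ so splitting on '/' is enough.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip, name = HOST_RE.match(fields[0]).groups()
        entry = hosts.setdefault(ip, {"name": name, "ports": {}})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                parts = item.split("/")
                port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
                if state == "open":
                    entry["ports"][(int(port), proto)] = service
    return hosts


def profile(ports):
    """Rough OS/role bucket from open TCP ports (assumed rule of thumb)."""
    tcp = {p for (p, proto) in ports if proto == "tcp"}
    if tcp & {135, 445}:
        return "windows-like"
    if 22 in tcp:
        return "unix-like"
    return "unknown"


def find_black_sheep(hosts, threshold=0.5):
    """Within each profile group, a port is expected if more than `threshold`
    of the group exposes it; any other open port on a host is flagged."""
    groups = defaultdict(list)
    for ip, h in hosts.items():
        groups[profile(h["ports"])].append(ip)
    flagged = {}
    for members in groups.values():
        counts = Counter(p for ip in members for p in hosts[ip]["ports"])
        expected = {p for p, n in counts.items() if n / len(members) > threshold}
        for ip in members:
            odd = set(hosts[ip]["ports"]) - expected
            if odd:
                flagged[ip] = odd
    return flagged


def sv_targets(hosts, flagged):
    """Hosts worth a -sV pass: server-role services plus every black sheep."""
    targets = set(flagged)
    for ip, h in hosts.items():
        if SERVER_SERVICES & set(h["ports"].values()):
            targets.add(ip)
    return sorted(targets, key=ipaddress.ip_address)


def sv_commands(hosts, targets):
    """One -sV command per target, restricted to the ports already seen open,
    writing all output formats (-oA) for later import into other tools."""
    cmds = []
    for ip in targets:
        ports = ",".join(str(p) for p, proto in sorted(hosts[ip]["ports"]) if proto == "tcp")
        cmds.append(f"nmap -sV -p {ports} -oA sv_{ip} {ip}")
    return cmds


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    flagged = find_black_sheep(hosts)
    for ip, odd in flagged.items():
        print(f"black sheep {ip} ({hosts[ip]['name']}): unexpected {sorted(odd)}")
    for cmd in sv_commands(hosts, sv_targets(hosts, flagged)):
        print(cmd)
```

On the sample, the telnet listener on ws-02 is the only port its Windows-like peers do not share, so it joins the database server in the -sV list while the two plain workstations are left alone. The threshold is deliberately crude; on a real network you would also want to treat a single-host group (here the lone "unix-like" box) with suspicion, since nothing can stand out from a group of one.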