- Apr 25, 2015
We are going to start with Kali Linux running.
Warning:
If you are scanning from an office, make sure you are off WiFi and plugged into the ethernet for a direct line connection. WiFi traffic is often more filtered for less accurate results. If you adjust networking settings while a VM is live, you may find yourself having to pause and then restore the VM for networking operations to work as intended.
Requirements:
zmap
nmap
metasploit (with Armitage if you want GUI for simplicity)
Commands:
Code:
cd ~
mkdir scanHosts
cd scanHosts
mkdir 10 172 192    # one folder per RFC 1918 private range
# one ZMap run per private range, port 3389 (RDP); output file is stamped to the minute
zmap -p3389 172.16.0.0/12 -o ~/scanHosts/172/p3389-$(date -d "today" +"%Y%m%d%H%M").list
zmap -p3389 192.168.0.0/16 -o ~/scanHosts/192/p3389-$(date -d "today" +"%Y%m%d%H%M").list
zmap -p3389 10.0.0.0/8 -o ~/scanHosts/10/p3389-$(date -d "today" +"%Y%m%d%H%M").list
cat */* | sort    # merge every run from every range (duplicates are kept on purpose)
If you do not care about noise, you should run the above scans maybe 10 times. Just throw the scan into a .sh file and loop it ten!
Why? I don't fu**ing know to be entirely honest. It's scanning 1,000,000 IPs pretty damn fast, maybe that is why. One could argue "Just tweak the scan configurations." Yeah but then too much and the scan slows way damn down, too little and you still end up missing hosts. We want damn near perfect accuracy, eh? ZMap is picking apart the bones, we can rescan subnets with Nmap for thoroughness.
Hint: When looping, add seconds to the filename or you know what happens. Waste of time overwriting!
Another option you have is to keep scanning until you start to see:
Code:
cat * | wc -l
cat * | sort | uniq | wc -l    # uniq only drops ADJACENT duplicates, so sort first
A difference here, because now our scan is overlapping. Is this a perfect science? No, creative af I know but maybe it could be an option to balance out odds unless you are having a bad luck kind of day or only can possibly detect a single host lol.
Sometimes people ask me to do crazy sh*t like scan EVERY single host for 3389 ports. What most people fail to realize, this shit can take a really long time and I am impatient.
So I would rather loop scans until we have some mapped out subnets, we can look for patterns y'know?
So I scanned about 20 times, came out with... ACTUALLY fu**. Have you ever tried scanning over 2,000,000 hosts with Nmap? Sh*t is real slow m8.
I decided to try something a little different! Let's try https://github.com/zmap/zmap/wiki/Rate-Limiting-and-Sampling and btw this random Tim Rice guy seems smart https://kb.help.rapid7.com/discuss/59b320ac8f40290010c16c6f I mean Edward Sheehy. Hell, guy seems pretty smart: https://www.linkedin.com/in/edsheehy/ definitely a visionary.
Okay, even adding "-r 9001" did not seem to help much if any.
Okay, I found the solution then, in my Nmap vs ZMap guide here.. I realized I should just fu**in' benchmark the two scans for a 3389 scan on the 172.
Nmap:
Code:
# grepable output (-oG -): keep only hosts with 3389 open; field 2 is the IP. Target is quoted so the shell never globs the *.
time nmap -p3389 --unprivileged -Pn --open -oG - '10.22.151.*' | grep "/open" | awk '{ print $2 }' > wicked.list
ZMap's scan guide details setting a "wait time" for receiving over here. Without using this, the default wait is 8 seconds.
ZMap:
Code:
time zmap -p3389 10.22.151.0/24
Code:
# -c3: wait 3 seconds for late replies after sending finishes, instead of the default 8
time zmap -p3389 -c3 10.22.151.0/24 -o wicked2.list
It is important to note both Nmap and ZMap were finding the same number of hosts when targeting such a small subnet. Where ZMap becomes less accurate is when it begins scanning through ~100,000 hosts RAPIDLY where Nmap would be gasping for air to keep up.
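The looping-and-overlap check from earlier and the Nmap-vs-ZMap comparison above, as an added example that is not part of the original post: a small POSIX shell script that runs the ZMap 3389 scan N times with a seconds-resolution filename, reports how many hosts are stable across runs versus seen only once, and lists hosts one result file has that another lacks. The function names `scan_loop`, `coverage_stats` and `missing_from` are my own; it assumes zmap is installed and the scanHosts layout from the post.

```shell
#!/bin/sh
# Added example (not the original post's code): loop a ZMap scan, then measure
# how the runs overlap and how a merged list compares with another tool's list.
# Assumes zmap is on PATH; the .list layout mirrors ~/scanHosts from the post.

# Run ZMap against one CIDR block N times (default 10), one .list per run.
# Seconds in the filename stop a fast loop from overwriting earlier runs.
scan_loop() {
    cidr="$1"; outdir="$2"; runs="${3:-10}"
    mkdir -p "$outdir"
    for i in $(seq 1 "$runs"); do
        zmap -p3389 "$cidr" -o "$outdir/p3389-$(date +%Y%m%d%H%M%S)-run$i.list"
        sleep 1    # keeps timestamps distinct even when a run finishes in <1s
    done
}

# Summarise every .list file in a directory.
# Prints: total_lines unique_hosts seen_in_every_run seen_in_only_one_run
coverage_stats() {
    dir="$1"
    set -- "$dir"/*.list
    runs=$#
    # cat | uniq alone only collapses ADJACENT duplicates, so sort first.
    total=$(cat "$dir"/*.list | wc -l | tr -d ' ')
    unique=$(cat "$dir"/*.list | sort -u | wc -l | tr -d ' ')
    # sort | uniq -c yields "<count> <host>": count == runs means the host
    # answered every time; count == 1 means it showed up in a single run.
    stable=$(cat "$dir"/*.list | sort | uniq -c | awk -v r="$runs" '$1==r' | wc -l | tr -d ' ')
    flaky=$(cat "$dir"/*.list | sort | uniq -c | awk '$1==1' | wc -l | tr -d ' ')
    echo "$total $unique $stable $flaky"
}

# Hosts listed in file A that file B never reported, e.g. the ZMap
# wicked2.list versus the Nmap wicked.list from the benchmark above.
missing_from() {
    sort -u "$1" | grep -vxFf "$2" || true
}

# Usage: scan_loop 10.22.0.0/16 ~/scanHosts/10 10 && coverage_stats ~/scanHosts/10
```

A high "seen in only one run" count is the accuracy loss the post complains about; those hosts are the ones worth rescanning with Nmap.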
The scan speed becomes exponentially different though, as we increase target hosts. Let me showcase this!
Here are some results from ZMap to demonstrate how we can find areas on the network to further inspect.
Code:
10.22.239.58
10.22.240.129
10.22.240.211
10.22.240.55
10.22.240.80
...
Referencing this list over here https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks we can assume X.22 and X.21 are areas of focus on this unspecified network.
255.255.0.0 (/16) makes sense then for X.22 then X.21, let's do this to have a faceoff between Nmap and ZMap for accuracy and speed:
ZMap
Code:
time zmap -p3389 -c4 10.22.0.0/16
Nmap's turn
Code:
time nmap -p3389 --unprivileged -Pn --open 10.22.0.0/16
I am noticing right away, ZMap went in like lightning and found some hosts listening on port 3389. My primary complaint is going to certainly be accuracy, again this makes sense because we scanned 65,536 hosts in 5 seconds. The Nmap method is already over a few minutes in and I have a lot of time to wait - tick tock tick tock time to listen to Ke$ha and rip my eyes out.
The other annoyance with Nmap is I never have any fu**ing clue how much time is left in a scan because it chunks apart the scans into 1024, 2048, ~4,000 or however many it feels like. It's some sort of automated method and while I may be able to tamper around with the settings, I feel like there is nothing I can do in my power to expedite these Nmap scans. It is just impractical to expect a "highly reliable" tool to give me speed. Zmap, Masscan and Unicornscan are for speed and can be accurate if tuned finely, for example by modifying retries or capping the bandwidth used for a scan, e.g. we could use "-B 1M", which may greatly increase scan time but return a greater number of hosts. For example, ZMap may scan in 10 minutes and gather 200 hosts across a certain subnet where Nmap will still be chugging along for at least 50 minutes. I get accuracy is important, but should you really have to wait a damn hour to discover Windows hosts with RDP enabled? Come the f*** on, let's go!! (Remember I am impatient sometimes)
I have to be, because customers get impatient and want "security now", not tomorrow.
... okay so Nmap is still going (over an hour and a half later). I am actually just going to leave my motherf**king laptop here, running - whatever.
I'll clean this documentation up a lot tomorrow to make it more simple/professional.
Consider this a public/rough draft.
Quality content being refined soon.. thanks for your patience! 28,672 hosts scanned in Nmap in about 1:35:22 - that is kind of a long time considering ZMap can breeze through these with some tweaked settings with decent results in less than 20 minutes.