0

I am trying to scan a full subnet (10.0.0.0/8) using nmap. I am using the command nmap -v -sn 10.0.0.0/8. I specifically just want to detect active hosts without scanning ports because I thought that would speed up the process. However, when I do this it doesn't seem to move fast at all. So far I am up to 8 hours in the scan and I am nowhere near close to finishing. Is there a quicker way to scan the entire subnet to look for active hosts using nmap?

schroeder

2 Answers

3

I would like to throw in that the link provided by user ximaera omits some information.

Using a scan like this

nmap -T5 -n --max-parallelism=255 --min-parallelism=100 -sn 10.0.0.0/8

could trip up some security mechanisms, because it can look a bit like a ping flood and it does not necessarily offer an increase in speed.

I would suggest omitting the parallelism options and scanning like this

nmap -T5 -n -sn 10.0.0.0/8

multithr3at3d
Robert Riedl
  • A network scan by itself could trip up some security mechanisms, because there are appliances which intentionally detect, report and block network scanners. My assumption is that the author has all the permissions to do what he wants to do. If his activity is not sanctioned by the security personnel, what's the point in showing him ways to avoid being detected? – ximaera Jan 16 '18 at 21:35
  • True, the point I was trying to make was that he might be blocked, unnecessarily, automatically. Also, with a ping check alone, I haven't been able to see noteworthy speed increase with parallelism. In my personal experience -T5 was enough. – Robert Riedl Jan 16 '18 at 21:47
  • Oh, I see. Added a few notes to my answer, thanks. – ximaera Jan 17 '18 at 00:06
2

This has been answered before, on a different site though.

What's probably most important for you is that Nmap assumes by default that your network may be affected by scans, and starts with all the high timers and low counters which are then refined during the scan. If you're sure that your network (including the last mile towards your scanning machine) is rather stable and powerful, and there are no security appliances on the way that would rate limit (or even ban) you during the scan (or if there are any, then you'd be able to switch them off), you can play with those counters and timers to achieve pretty good results.

Options probably most important for you are:

  • -T5 or -T4
  • --max-retries: as low as 2 or 3 should be fine, assuming a local network
  • --min-hostgroup: in year 2018, feel free to use something close to 2048 or above
  • --min-parallelism: something like 8 would probably be fine

Values above are taken from my personal experience. Your mileage may vary.

Note that the answer I've linked to above also mentions --max-parallelism, which is an option not to speed up but to decrease the speed. Be careful about that.

That said, for a reference, a /8 IP network has 16777216 addresses. Nmap performance may still not be a good fit for you, but there are tools designed for that particular task, though they require some effort to set them up.

ximaera
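One way to put the advice from both answers into practice is to split the /8 into /16 blocks, run one host-discovery-only nmap per block with the timing and counter options suggested above, and parse the greppable (-oG) output to collect the hosts reported Up. The script below is an added example, not code from the thread or from the Nmap project; the helper names (split_network, build_host_discovery_command, parse_greppable) are hypothetical, the option values are the ones the answers suggest, and the sample -oG output is constructed to resemble real output rather than captured from a scan.

```python
import ipaddress
import re
import shlex


def split_network(network, new_prefix=16):
    """Split a large range (e.g. 10.0.0.0/8) into smaller blocks.

    Scanning block by block bounds the runtime of each nmap run and lets
    results be checked as they arrive instead of after 8+ hours.
    """
    net = ipaddress.ip_network(network, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def build_host_discovery_command(block, out_prefix="discovery"):
    """Build the nmap command line for one block.

    -sn: host discovery only (no port scan); -n: no reverse DNS;
    -T5 plus the counters from the answers above; -oG writes greppable
    output that parse_greppable() understands. No parallelism ceiling is
    set, since --max-parallelism would slow the scan down.
    """
    name = block.replace("/", "_").replace(".", "-")
    argv = [
        "nmap", "-sn", "-n", "-T5",
        "--max-retries", "2",
        "--min-hostgroup", "2048",
        "--min-parallelism", "8",
        "-oG", f"{out_prefix}-{name}.gnmap",
        block,
    ]
    return shlex.join(argv)


# Greppable output lines look like: "Host: 10.0.0.1 ()<TAB>Status: Up"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_greppable(text):
    """Return the list of IP addresses reported Up in nmap -oG output."""
    up = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            up.append(m.group(1))
    return up


# Constructed sample of -oG output for one /16 block (not a real capture).
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sn -n -T5 -oG "
    "discovery-10-0-0-0_16.gnmap 10.0.0.0/16\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.7 ()\tStatus: Up\n"
    "Host: 10.0.3.9 ()\tStatus: Down\n"
    "# Nmap done -- 65536 IP addresses (2 hosts up) scanned\n"
)


if __name__ == "__main__":
    blocks = split_network("10.0.0.0/8")
    print(f"{len(blocks)} blocks; first command:")
    print(build_host_discovery_command(blocks[0]))
    print("hosts up in sample output:", parse_greppable(SAMPLE_GNMAP))
```

Running the printed commands one block at a time (and diffing the .gnmap files between runs) gives an incremental inventory of live hosts, which is also easier to explain to whoever operates the IDS or rate-limiting appliances mentioned in the comments than a single eight-hour scan of the whole /8.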