Quick Port Scan Tip

I see too many people using a full nmap scan on release day, which takes ages. Oftentimes first blood is claimed by the pros while people still have scans running.

Using masscan, you can scan all TCP and UDP ports in roughly 2-3 minutes.

masscan -p1-65535,U:1-65535 10.10.10.x --rate=1000 -e tun0

-p1-65535,U:1-65535 tells masscan to scan all TCP/UDP ports
--rate=1000 scan rate = 1000 packets per second
-e tun0 tells masscan to listen on the VPN network interface for responses

Once you have a list of valid ports from masscan, you can feed them to nmap for service enumeration. For example, if masscan finds ports 80, 443 and 3306 open, the nmap command would be:

nmap -sV -p80,443,3306 10.10.10.x

That’s it! Waaaaaay faster than a regular nmap scan at T5. Just note that you should not go above 1000pps with masscan, as it can miss ports if it is set too high. If you find masscan is missing ports, try lowering your scan rate to 200-300. This generally is caused by a low quality or low speed connection to the VPN.

3 Likes
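The masscan-to-nmap handoff above done by script rather than by hand, as an added example that is not part of the original post: it parses masscan's default "Discovered open port N/proto on host" stdout lines (assumed saved to a file, e.g. with `masscan ... | tee masscan.txt`), de-duplicates and sorts the ports, and prints the follow-up `nmap -sV` command, adding `-sU` only when masscan actually reported UDP ports.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes masscan's default
# stdout format saved to a file: "Discovered open port 80/tcp on 10.10.10.5".

# Print sorted, de-duplicated ports of one protocol (tcp|udp) as "80,443,3306".
ports_from_masscan() {
    proto=$2
    grep 'Discovered open port' "$1" \
      | sed -n "s#.*port \([0-9][0-9]*\)/$proto .*#\1#p" \
      | sort -n -u | paste -s -d, -
}

# Build the service-enumeration command from a masscan output file ($1)
# for target $2. nmap only scans UDP ports when -sU is given, so the
# U: list and -sU are added only if masscan found UDP ports.
build_nmap_cmd() {
    tcp=$(ports_from_masscan "$1" tcp)
    udp=$(ports_from_masscan "$1" udp)
    if [ -z "$tcp" ] && [ -z "$udp" ]; then
        echo "no open ports in $1 (masscan may have missed ports; try a lower --rate)" >&2
        return 1
    fi
    if [ -z "$udp" ]; then
        printf 'nmap -sV -p%s %s\n' "$tcp" "$2"
    else
        printf 'nmap -sV -sU -p%sU:%s %s\n' "${tcp:+T:$tcp,}" "$udp" "$2"
    fi
}

# Constructed sample masscan output (includes a duplicate line on purpose).
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
Discovered open port 443/tcp on 10.10.10.5
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 3306/tcp on 10.10.10.5
Discovered open port 80/tcp on 10.10.10.5
EOF

# Prints: nmap -sV -p80,443,3306 10.10.10.5
build_nmap_cmd "$SAMPLE_FILE" 10.10.10.5
```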

More details on the technical differences between the two tools: Advanced NMap Techniques - Hak5 2415 - YouTube

Great tip. Just the push I needed. I just installed it on my Parrot VM and it is performing well already.

Another way to scan faster is to ssh to another box, install nmap there, and run “nmap -p- host”; in a few seconds or minutes you’ll have the results, and then you can use -sV or other options on those ports.

Thanks for the masscan tip!

I’ve been referencing this consistently since this came across my eyes, and it’s been immensely helpful.

Thank you Arrexel!

So why not just pass the --min-rate=1000 argument to an nmap TCP SYN scan (-sS), and maybe --max-retries=1 (or 2)?
Something like this:

nmap -T5 --open -sS -vvv --min-rate=1000 --max-retries=2 -p- -oA full-ports 10.10.10.x

Seems there is no difference.

1 Like