Nmap scan time

Hello, I am new to hackthebox. I was just checking out their beginners guide which you get at your first login. I followed its instructions, connected to the HTB network, ran the nmap port scan as written in the guide ( nmap -sC -sV -p$ports 10.10.10.27 ). But it's been almost 5 minutes and it's just stuck there. No result or output. Can anyone help me?

I'd suggest always running nmap with -vvv so that you get as much output along the way as possible. Other than that, you can also press SPACE to get a status update.

@cronta44 said:

Hello, I am new to hackthebox. I was just checking out their beginners guide which you get at your first login. I followed its instructions, connected to the HTB network, ran the nmap port scan as written in the guide ( nmap -sC -sV -p$ports 10.10.10.27 ). But it's been almost 5 minutes and it's just stuck there. No result or output. Can anyone help me?

Did you run ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) first?

I am not a huge fan of this approach to using nmap. I get that it feels like it has sped up the process, but it generates an awful lot of errors.

You might be better using:

nmap -Pn -sC -sV -p- -vvvvvvv --reason --min-rate=1000 -T4 -oA all_tcp 10.10.10.27

(ymmv)
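As an added example (not code posted by anyone in this thread), here is the same two-stage idea as a small POSIX shell script: a fast full-port sweep written to grepable output (-oG), and a follow-up -sC -sV run restricted to the ports whose state was actually "open". Pulling the ports out of the -oG "Ports:" field avoids carrying along the filtered or closed ports that nmap also lists individually and that a plain "grep ^[0-9]" over normal output would pick up. The sample -oG file is constructed for the demonstration (real -oG fields are tab separated; spaces are used here), and the file names stage1.gnmap / stage2 are arbitrary.

```shell
#!/bin/sh
# Added example: two-stage nmap workflow with the open-port extraction done on
# grepable output (-oG), so only ports in state "open" reach the slow stage.
# Not code from the thread; "stage1.gnmap"/"stage2" are placeholder names.

# Constructed sample of an -oG file for 10.10.10.27 (not a real scan result).
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -p- --min-rate=1000 -T4 -oG stage1.gnmap 10.10.10.27
Host: 10.10.10.27 ()  Status: Up
Host: 10.10.10.27 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 8080/open/tcp//http-proxy///  Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 30.00 seconds'

# Print the open TCP ports found in a -oG file ($1) as "22,80,8080", i.e. in
# the syntax nmap -p expects. Matching "<port>/open/tcp" skips the filtered
# and closed entries that share the same "Ports:" field.
open_ports_from_gnmap() {
    grep -o '[0-9]\{1,5\}/open/tcp' "$1" | cut -d/ -f1 | sort -n -u | paste -s -d , -
}

# Build the stage-2 command line from a stage-1 -oG file ($1) and target ($2).
# Returns non-zero instead of producing "nmap -p" with an empty port list.
stage2_cmd() {
    ports=$(open_ports_from_gnmap "$1")
    if [ -z "$ports" ]; then
        echo "stage2_cmd: no open ports in $1" >&2
        return 1
    fi
    printf 'nmap -sC -sV -p%s -oA stage2 %s\n' "$ports" "$2"
}

# The real workflow: fast full-port sweep first, then scripts and versions on
# the hits only. Run this solely against targets you are allowed to scan.
staged_scan() {
    target=$1
    nmap -p- --min-rate=1000 -T4 -oG stage1.gnmap "$target" || return 1
    ports=$(open_ports_from_gnmap stage1.gnmap)
    [ -n "$ports" ] || { echo "no open ports on $target" >&2; return 1; }
    nmap -sC -sV -p"$ports" -oA stage2 "$target"
}

# Offline demonstration on the constructed sample.
sample=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$sample"
echo "open ports: $(open_ports_from_gnmap "$sample")"
echo "stage 2:    $(stage2_cmd "$sample" 10.10.10.27)"
rm -f "$sample"
```

Because stage 1 writes a file, the port list can be rebuilt at any time without rescanning, and stage2_cmd refusing an empty list keeps a scan that found nothing from turning into an accidental default-port scan.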

@cronta44 said:

Hello, I am new to hackthebox. I was just checking out their beginners guide which you get at your first login. I followed its instructions, connected to the HTB network, ran the nmap port scan as written in the guide ( nmap -sC -sV -p$ports 10.10.10.27 ). But it's been almost 5 minutes and it's just stuck there. No result or output. Can anyone help me?

I agree with @Homesen that verbose output can help. I just personally think that out of the box it clutters the screen so much that it becomes hard to read and limits what other information you could gather in the meantime.
And I like the direction of what @TazWake is suggesting.

These are the first two stages of my nmap scan. I have 5 stages in total, but just to give a hint:

ip=10.10.10.27; sudo nmap --top-ports 100 -oA scantop100 $ip && sudo nmap -sC -sV -p $(grep -oP "^[0-9]*" scantop100.nmap | tr "\n" "," | sed 's/.$//') -oA scantop100 $ip;

This will give you a first result in probably under 3 seconds and list the versions of the services in probably under a minute.

So after 3 seconds you can start to do some manual poking and after a minute you can come back to your scan to find the scripts and versions results.

Mind you

This is only scanning the top 100 ports, which is far from a complete scan, so I do not recommend using this without all the other stages that should follow. Here's what I do after that:

What I end up with is one command; I fire it and:

  • After 3 seconds I see a first result
  • After a minute it has googled for all known vulnerabilities of the found services on the top 100 ports
  • After about half an hour, I have a list of all ports (and I see it potentially faster, since it runs verbose)
  • After somewhere between half an hour and an hour, depending, it has tested pretty much all nmap vulnerability scripts against all known ports

It’s just one command that runs by itself in the background and it keeps building, while I do my manual work.

I hope this can inspire you to think in terms of having both ‘fast’ results and ‘complete’ results.
The only way you can have both is to think in terms of ‘stages’, a command that continuously builds more results, but focuses on the most important things first.

In that department I find tutorials often misleading. They 'happen' to do a full scan if some mystery port is used and do only fast scans when they know there are no exotic ports… in the real world, you need a process that covers everything, always. But you can make it so that it doesn't keep you waiting for results. Best of both worlds.

Good luck!

@gnothiseauton said:

Thanks for sharing this agenda I’m definitely going to try this next time

Awesome suggestions and I love seeing how people built their own workflows.

One thing I'd add, and it really does depend on the environment/objective etc., is that it's good to know what responses nmap gets. If you are doing a SYN scan (which I assume almost all of these will be) there is a difference between RST and no response. If you only look for nmap's assumption of open (SYN/ACK), you might miss this.

Caveat: it only actually matters in some edge cases, and I don't think I've ever seen an HTB box where it mattered.
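To make the RST versus no-response distinction concrete, here is an added example (not from any poster in this thread) that reads the STATE and REASON columns of a scan run with --reason instead of keeping only the open ports. With --reason, nmap labels a port closed when the target answered the SYN with a RST ("reset"), filtered when nothing came back ("no-response") or when a device sent an ICMP error ("admin-prohibited"), and open on SYN/ACK ("syn-ack"); the "Not shown:" line carries the same information for the dominant state. The sample output below is constructed, not a real scan, and assumes the "Not shown: N <state> tcp ports (<reason>)" wording of current nmap releases.

```shell
#!/bin/sh
# Added example: keep the STATE/REASON columns of a --reason scan so that
# ports the host answered with RST (closed) stay distinguishable from ports
# that got no answer at all (filtered). Not code from the thread.

# Constructed sample of normal output (-oN) with --reason; not a real scan.
SAMPLE_NMAP='# Nmap 7.94 scan initiated as: nmap -p- --reason -oN stage1.nmap 10.10.10.27
Nmap scan report for 10.10.10.27
Host is up, received echo-reply ttl 63 (0.020s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE      REASON
22/tcp   open     ssh          syn-ack ttl 63
80/tcp   open     http         syn-ack ttl 63
135/tcp  filtered msrpc        no-response
139/tcp  filtered netbios-ssn  no-response
445/tcp  filtered microsoft-ds admin-prohibited ttl 64
# Nmap done -- 1 IP address (1 host up) scanned in 30.00 seconds'

# Ports (as "a,b,c") whose STATE column equals $2 in the -oN file $1.
list_ports() {
    awk -v want="$2" '/^[0-9]+\/(tcp|udp)/ && $2 == want { sub(/\/.*/, "", $1); print $1 }' "$1" \
        | paste -s -d , -
}

# Ports whose REASON keyword (4th column: syn-ack, reset, no-response, ...) equals $2.
ports_by_reason() {
    awk -v want="$2" '/^[0-9]+\/(tcp|udp)/ && $4 == want { sub(/\/.*/, "", $1); print $1 }' "$1" \
        | paste -s -d , -
}

# The "Not shown:" line summarises the dominant state; print "count state reason".
not_shown() {
    sed -n 's/^Not shown: \([0-9]*\) \([a-z]*\) tcp ports (\([a-z-]*\)).*/\1 \2 \3/p' "$1"
}

# Human-readable triage of what each group of responses actually tells you.
triage() {
    f=$1
    echo "open (syn-ack):                   $(list_ports "$f" open)"
    echo "filtered, no answer (dropped):    $(ports_by_reason "$f" no-response)"
    echo "filtered, ICMP admin-prohibited:  $(ports_by_reason "$f" admin-prohibited)"
    set -- $(not_shown "$f")
    echo "not shown: $1 ports $2 ($3), i.e. the host answers and those ports really are closed"
}

# Offline demonstration on the constructed sample.
sample=$(mktemp)
printf '%s\n' "$SAMPLE_NMAP" > "$sample"
triage "$sample"
rm -f "$sample"
```

The practical use is in the follow-up: the no-response ports are the ones a stage that only re-scans "open" ports silently forgets, and they are where a second look (a different scan type, a different source port, or simply a slower rate) is worth scheduling once the quick wins are in.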

Thank you, all of you, for the suggestions! Will try it. P.S. @TazWake, that's the mistake I made. I didn't run the command you told me to. Thanks a lot!