Port scanning taking forever

Does port scanning take an unreasonably long time for anyone else?

I’m trying a basic all ports scan against sneaky, but it’s taking forever:

root@wallis:~# nmap -p- 10.10.10.20

Starting Nmap 7.50 ( https://nmap.org ) at 2017-10-28 23:53 BST
Stats: 0:12:52 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 6.13% done; ETC: 02:23 (3:17:07 remaining)
Stats: 0:12:56 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 6.15% done; ETC: 02:23 (3:17:31 remaining)

It does this for all hosts in the lab for me - I’m struggling with my enumeration as I can’t scan all ports on a host.

If it’s not considered cheating, could anyone PM me an nmap -p- -A of sneaky please?

Not sure if it’s allowed, but pop a root shell on one of the other machines, download & install a pre-compiled nmap binary for that system and run it from there; the VPN might be a serious bottleneck.

Generally an nmap scan takes time, especially when the -p- option is specified. I usually use -T4 ( or rarely -T5) option to speedup the scan. Both options assume that you are in a fast network of course (however these options should not always be used).

Here is my tip →

First scan → nmap --open --top-ports 100 -sC -sV ip

Second Scan → nmap -p1-100 -sC -sV ip,
then -p101-200 and so on [I know this is time consuming but you can write a script for this purpose]

Third Scan → nmap -p- -sC -sV -v ip

Fourth Scan → nmap -p- -sC -sV ip & then use wireshark to analyze all ports

IMHO it’s most of the time sufficient to stick with nmap defaults and scan the 1000 most common ports. If I don’t get anywhere I sometimes try to scan more, but it rarely got me anywhere.

Use masscan to check open ports; this is faster than nmap. After that, use nmap with -T4 -sC -sV -O -p

For my initial scan I usually use “nmap -T4 -A -oA nmap ”. Use that info as a basis for what to do next, and while using other tools, launch a more in-depth nmap scan. Something like “nmap -sS -sC -sV -A --reason --privileged -vv -oA nmap ” - yes, I know that “-sC and -sV” are included with the -A flag, but I like to specify both because who really knows EXACTLY what -A does? Just to cover my bases… :pensive:

Feel free to ask for clarification on anything.

I actually tried with the -T4 option after reading this thread. It was still slow, but a bit better. Thanks!

Just for info, my usual order of battle is:

nmap -sn <target subnet> -oG - > alive_hosts (then various grep, awk and sed to get this into a usable format for below)

nmap -sS -iL alive_hosts

This will generate a list of alive hosts and the top 1000 open ports

Then if I’m going to focus on any of them, it will be something like:

nmap -p- -A -T4 <IP_Address>
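The sweep-then-list step in the order of battle above (the "various grep, awk and sed" part), written out as an added example in plain sh. This is not the poster's own script; the subnet, file names and the sample sweep output embedded below are assumptions, and the nmap calls need root for -sS.

```shell
#!/bin/sh
# Added example, not the poster's own grep/awk/sed: turn the grepable output
# of "nmap -sn <subnet> -oG -" into a bare host list that "nmap -iL" accepts.
# The subnet, file names and the sample sweep output below are assumptions.

# Print the address of every host that nmap reported as "Status: Up".
# Grepable output is one tab-separated record per host, e.g.
#   Host: 10.10.10.20 ()<TAB>Status: Up
# so the address is always the second whitespace-separated field.
alive_hosts_from_grepable() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Constructed sample of what "nmap -sn 10.10.10.0/24 -oG -" prints.
# A "Down" host is included only to show it being filtered out.
SAMPLE_SWEEP=$(
    printf '# Nmap 7.50 scan initiated as: nmap -sn -oG - 10.10.10.0/24\n'
    printf 'Host: 10.10.10.20 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.40 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.51 ()\tStatus: Down\n'
    printf 'Host: 10.10.10.174 ()\tStatus: Up\n'
    printf '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 5.12 seconds\n'
)

# The whole pipeline as the post describes it: ping sweep, save the live
# hosts, then SYN-scan their top 1000 ports. Needs root for -sS.
sweep_and_scan() {
    subnet=$1
    listfile=${2:-alive_hosts}
    nmap -sn "$subnet" -oG - | alive_hosts_from_grepable > "$listfile"
    if [ ! -s "$listfile" ]; then
        echo "no live hosts found in $subnet" >&2
        return 1
    fi
    nmap -sS -iL "$listfile" -oA top1000
}

# Usage: sh sweep.sh 10.10.10.0/24 alive_hosts
if [ -n "${1:-}" ]; then
    sweep_and_scan "$1" "$2"
fi
```

Reading from `-oG -` rather than a saved file keeps the parser in the pipe, and `-oA top1000` writes the second scan in all three formats so the same awk trick can be reused on its `.gnmap` output later.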

Running a quick scan to start is a good idea. Once that is done, start a full scan while you check out what the first scan found. The majority of boxes only have services found with the quick scan, so it should be good in most cases.

I know it’s almost been eight months since this thread was active, but I find it funny that I ran into this issue working on my first machine ever. Of course my first machine would happen to be Chatterbox, which doesn’t listen on the 1000 most common ports, and nmap -p- is needed. -___- 17.52% done with 1:28:38 remaining.

Use these 2 switches for much, much faster scans:

--min-rtt-timeout 500ms --min-rate 2000
Match the first one to your top ping and play with the rate until you get no errors.

Download this script: https://raw.githubusercontent.com/Alamot/code-snippets/master/enum/htbscan.py

python htbscan.py <ip> 500. It will adjust the threshold speed; masscan will quickly get you the ports you are looking for, and after that nmap will analyse them for the specific versions and services running on those ports.

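The idea the masscan post, the --min-rate post and the htbscan post above converge on (find the open ports fast, then run -sC -sV only on those) written out as an added example in plain sh. This is not Alamot's htbscan.py and not code from this thread; the --min-rate and --min-rtt-timeout values are the ones quoted above, and the target address, output file names and the sample nmap report embedded below are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread and not Alamot's htbscan.py: a
# two-stage full-port scan. Stage 1 finds open TCP ports across all 65535
# as fast as the link tolerates (the --min-rate/--min-rtt-timeout values
# quoted in the thread; tune them to your VPN latency). Stage 2 runs
# -sC -sV only on those ports, so the slow script and version probes never
# touch the 65000-odd closed ones. Target, output names and the sample
# report below are assumptions.

# Read nmap grepable output (-oG -) on stdin and print the open TCP ports
# of one target as a comma-separated list ready for "nmap -p". Each entry
# looks like "22/open/tcp//ssh///"; anything that is not open/tcp is dropped.
open_ports_from_grepable() {
    awk -F'Ports: ' '/^Host:/ && /Ports: / {
        n = split($2, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")        # port, state, proto, owner, service, ...
            if (f[2] != "open" || f[3] != "tcp") continue
            ports = (ports == "") ? f[1] : (ports "," f[1])
        }
    }
    END { if (ports != "") print ports }'
}

# Stage 1: SYN scan of every TCP port, no scripts, no version probes.
# --open keeps closed/filtered ports out of the report and -oG - puts the
# grepable report on stdout where the parser reads it. Needs root for -sS.
discover_ports() {
    nmap -sS -p- --open --min-rate 2000 --min-rtt-timeout 500ms -oG - "$1" \
        | open_ports_from_grepable
}

# Stage 2: default scripts and version detection on the found ports only.
two_stage_scan() {
    target=$1
    ports=$(discover_ports "$target")
    if [ -z "$ports" ]; then
        echo "stage 1 found no open TCP ports on $target" >&2
        return 1
    fi
    echo "stage 1 found: $ports" >&2
    nmap -sC -sV -p "$ports" -oA "nmap_$target" "$target"
}

# Constructed sample of a stage-1 report for 10.10.10.20. A filtered port is
# included deliberately to show the parser dropping it.
SAMPLE_STAGE1=$(
    printf '# Nmap 7.50 scan initiated as: nmap -sS -p- -oG - 10.10.10.20\n'
    printf 'Host: 10.10.10.20 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n'
    printf '# Nmap done -- 1 IP address (1 host up) scanned in 41.2 seconds\n'
)

# Usage: sh twostage.sh 10.10.10.20   (root needed for -sS)
if [ -n "${1:-}" ]; then
    two_stage_scan "$1"
fi
```

If stage 1 is swapped for masscan, its grepable output (-oG) follows the same Host:/Ports: layout, so the same parser should work on it; check the first lines of real output before relying on that. The --min-rate value is a floor, not a target: if stage 1 starts missing ports you know are open on the lab box, lower it rather than reaching for -T5.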

@Arrexel said:

Running a quick scan to start is a good idea. Once that is done, start a full scan while you check out what the first scan found. The majority of boxes only have services found with the quick scan, so it should be good in most cases.

I used nmap -p- -v -Pn -sS -T5 10.10.10.174 on my first go… it’s still taking a ridiculously long time!! Any way to tackle this!?
Thank you for your time!