Scanning all ports using nmap takes way too long

I’m trying to answer the question that was asked in the “Getting Started > Service Scanning” module.
I need to perform nmap -p- <IP>, which is taking too long.

I’ve tried restarting the lab and my VPN multiple times, even using the -T 3 flag, but the speed has remained the same.

Am I doing something wrong here?

Hi @0x4149,

Could you supply a screenshot to show the issue you are having?

If you add -vv to the end of your nmap command, that will show you the time remaining and progress and will show the verbosity.

Dependent on the amount of ports open (could be 65535 ports on both TCP & UDP), the scan can take a while.

By default nmap scans the top 1000 ports without the need to reference the -p- (all ports flag).

More context is needed!

Cheers,

Sqwd


I’ve spent about 3-4 hours to scan the full range of ports.
I didn’t use -vv flag, apparently it is normal to take this long.

Have you tried Rustscan? Or Masscan?

The module is teaching us nmap, so I don’t see any reason to use an alternative such as Rustscan. However, I’ve seen its very good performance.
Thanks for sharing

Gotcha. Wasn’t tracking you were doing a module. No worries!

The -T flag regards the speed at which the packets are sent. -T 3 is not that fast. -T 4 is reasonable but not always correct.
Use the following flags to force your tool to send less packets, therefore, scan faster:

  • -Pn
  • --min-rate 9327 or 3000 by UDP scan

You can use nmap -h to figure out why those flags are useful.


Hi,

reading nmap’s docs (#rtfm), it looks like you would like to check those 2 flags for the scan:
– --max-retries (with 1?)
– --min-rate 120 (windows?)

Also: in this (kind of) case (you’re talking about) I’ll try to check the ‘fast default portscan’ (so -F) and then try to ‘specify’ the ‘range’ I’m looking for.

Hope that helps.

Good luck!


Don’t scan all the ports at once. I think some kind of timeout works on the machine to prevent scanning a large number of ports at once. Scan 1500 ports at once. Then the next block of 1500 and so on. Anything more than 1500 and it would start taking longer. That is how I got around this timeout.

I find using --min-rate with 1000 or so on most ‘first tries’ works for me to get a result in under 3 minutes.

sudo nmap --min-rate 1000 -sV -sC {IP address or URL} -p-

Hope that helps.

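The two suggestions above (scan the port range in blocks of about 1500, and use --min-rate with --max-retries to keep the scan short) are easy to combine in a small wrapper. The following is an added example written for this thread, not code from any of the posters or from the nmap project. It splits 1-65535 into blocks, builds one nmap command per block with the flags discussed here, and parses nmap's grepable output (-oG) so the open ports from all blocks can be merged into one result. The target address 192.0.2.10 and the two -oG snippets are constructed sample data, not real scan output; the lab target, rate and block size are assumptions you would replace with your own.

```python
import re
import subprocess

MAX_PORT = 65535


def port_chunks(chunk_size=1500, first=1, last=MAX_PORT):
    """Split the port range into consecutive 'lo-hi' blocks (44 blocks of 1500 for 1-65535)."""
    chunks = []
    lo = first
    while lo <= last:
        hi = min(lo + chunk_size - 1, last)
        chunks.append(f"{lo}-{hi}")
        lo = hi + 1
    return chunks


def build_nmap_command(target, ports, min_rate=1000, max_retries=1, outfile=None):
    """Assemble the argv for one block, using the flags suggested in the thread.

    -Pn skips host discovery, --min-rate sets a packet-rate floor, --max-retries
    caps retransmissions, -oG writes grepable output that parse_grepable() reads.
    """
    cmd = ["nmap", "-Pn", "--min-rate", str(min_rate),
           "--max-retries", str(max_retries), "-p", ports]
    if outfile:
        cmd += ["-oG", outfile]
    cmd.append(target)
    return cmd


# In -oG output each port is "<port>/<state>/<proto>//<service>//<version>/";
# only entries whose state is 'open' are of interest here.
OPEN_PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_grepable(text):
    """Return {port: service} for every open port in one block's -oG output."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        for match in OPEN_PORT_RE.finditer(line):
            open_ports[int(match.group(1))] = match.group(3) or "unknown"
    return open_ports


def merge_scans(outputs):
    """Merge the parsed results of several blocks into one sorted {port: service} map."""
    merged = {}
    for text in outputs:
        merged.update(parse_grepable(text))
    return dict(sorted(merged.items()))


def run_chunked_scan(target, chunk_size=1500, min_rate=1000):
    """Run one nmap process per block and merge the open ports (requires nmap on PATH)."""
    outputs = []
    for idx, ports in enumerate(port_chunks(chunk_size)):
        outfile = f"scan_block_{idx:02d}.gnmap"
        subprocess.run(build_nmap_command(target, ports, min_rate, outfile=outfile),
                       check=True)
        with open(outfile) as fh:
            outputs.append(fh.read())
    return merge_scans(outputs)


# Constructed -oG snippets standing in for two blocks of a scan of 192.0.2.10
# (a documentation address, not a real host).
SAMPLE_BLOCK_1 = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/closed/tcp//https///\tIgnored State: closed (1497)\n"
)
SAMPLE_BLOCK_2 = (
    "Host: 192.0.2.10 ()\tPorts: 8080/open/tcp//http-proxy///"
    "\tIgnored State: closed (1499)\n"
)

if __name__ == "__main__":
    # Dry run: show the commands that would be issued for the first two blocks,
    # then demonstrate the parser on the constructed samples.
    for ports in port_chunks()[:2]:
        print(" ".join(build_nmap_command("192.0.2.10", ports)))
    print(merge_scans([SAMPLE_BLOCK_1, SAMPLE_BLOCK_2]))
```

Because each block is written to its own -oG file, a block that times out or is interrupted can be re-run on its own and the merge repeated, which is the practical advantage of chunking over one long -p- run.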

There is an issue if it takes that long. If there is no issue, you just have a very, very bad connection overall.