Coping Strategies for Long Scans (2024)

While optimizing scan options to speed up a scan can take you a long way, there is a limit to how fast Nmap can run while preserving accuracy and treating competing network flows fairly. Large scans involving thousands of hosts, all 65K ports, UDP, or version detection are likely to take a while even after optimization. This section provides powerful strategies for coping with these long scans.

Use a Multi-stage Approach

A comprehensive security audit will need to include UDP and TCP scanning of all 65,536 ports for each protocol, usually with -Pn just in case a machine is up but heavily filtered. Yet fewer than 100 of those port numbers are commonly used, and most hosts are responsive with moderate host discovery options. So specify -F to perform a quick scan of popular ports on known-online hosts first. That lets you analyze the online hosts and most of the open ports while you start the huge -Pn scan of all TCP and UDP ports with version and OS detection in the background. Shortcut options for speeding up the quick scan are discussed in the section called “Omit Non-critical Tests”. Once the slow scan is done, compare it to the earlier results to find any newly discovered hosts or ports.

Estimate and Plan for Scan Time

In many cases, the most frustrating aspect of long scans is having no idea when they will complete. Nmap is now more helpful than it used to be in that it provides regular scan time estimates as long as verbose mode (-v) is enabled.

Example 6.2. Estimating scan time

# nmap -T4 -sS -p0- -iR 500 -n --min-hostgroup 100 -v
Starting Nmap ( https://nmap.org )
Initiating SYN Stealth Scan against 29 hosts [65536 ports/host] at 23:27
[...]
SYN Stealth Scan Timing: About 0.30% done; ETC: 09:45 (10:15:45 remaining)

Example 6.2 shows us that the SYN scan is likely to take ten hours and eighteen minutes (23:27 to 9:45) to scan 29 hosts. So the total time Nmap will spend scanning the network can be roughly extrapolated by multiplying 21 minutes per host by the number of hosts online. If version detection or UDP are being done as well, you'll also have to watch the timing estimates for those.

Another option is to wait until Nmap has fully completed scanning its first group of hosts. Then extrapolate the time taken for the size of that set over the size of the entire target network. This is simpler because you don't need to worry about individual scan components. Basing your estimates on the number of target IP addresses finished versus the target IP space size can be misleading, as online hosts are rarely evenly distributed among that IP space. They are usually found in clumps, often near the beginning of the IP space. So if the scan itself includes host discovery (i.e. no -Pn option), a more accurate measure is to ping scan the entire network first and then base your estimates on the number of online hosts Nmap has completed scanning versus the number found online by the ping scan.

While occasional estimates are printed automatically in verbose mode, you can always request the current estimate by pressing <enter> (see the section called “Runtime Interaction”). If the estimate is within your timeframe, you can schedule something else to do while it proceeds. That beats checking whether Nmap is done every 20 minutes. An estimate showing that Nmap won't finish on time is even more valuable. You can immediately work on optimizing the scan or lengthening the engagement. Your options are much more limited if you only determine the scan is too slow after the deadline passes and Nmap is still running.
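The arithmetic above (per-host time from the Example 6.2 timing line, extrapolated over the number of hosts a ping scan found online, then checked against a deadline) as a small script. This is an added example, not part of the Nmap book or the Nmap project; the sample output is constructed to match the format of Example 6.2, and the function names are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of Example 6.2 (not captured from a real scan).
SAMPLE_OUTPUT = """\
Starting Nmap ( https://nmap.org )
Initiating SYN Stealth Scan against 29 hosts [65536 ports/host] at 23:27
SYN Stealth Scan Timing: About 0.30% done; ETC: 09:45 (10:15:45 remaining)
"""

INIT_RE = re.compile(
    r"^Initiating (?P<scan>.+?) against (?P<hosts>\d+) hosts? .* at (?P<start>\d{2}:\d{2})$", re.M)
TIMING_RE = re.compile(
    r"^(?P<scan>.+?) Timing: About [\d.]+% done; ETC: (?P<etc>\d{2}:\d{2}) "
    r"\((?P<remaining>\d+:\d{2}:\d{2}) remaining\)$", re.M)

def phase_estimate(output):
    """Return (total_minutes, minutes_per_host) for one scan phase, using the
    start time on the 'Initiating' line and the most recent ETC line."""
    init = INIT_RE.search(output)
    timings = list(TIMING_RE.finditer(output))
    if not init or not timings:
        raise ValueError("no Initiating/Timing lines found; was -v enabled?")
    start = datetime.strptime(init["start"], "%H:%M")
    etc = datetime.strptime(timings[-1]["etc"], "%H:%M")
    if etc < start:  # ETC falls after midnight, as in the example (23:27 -> 09:45)
        etc += timedelta(days=1)
    total_min = (etc - start).total_seconds() / 60
    return total_min, total_min / int(init["hosts"])

def extrapolate_minutes(minutes_per_host, online_hosts):
    """Whole-network estimate: per-host rate times hosts found online by a
    prior ping scan (not the size of the address space, which misleads)."""
    return minutes_per_host * online_hosts

def fits_deadline(output, online_hosts, deadline_hours):
    """True if this phase, extrapolated over online_hosts, ends within the deadline.
    Version detection and UDP phases print their own Timing lines; check each."""
    _, per_host = phase_estimate(output)
    return extrapolate_minutes(per_host, online_hosts) <= deadline_hours * 60

if __name__ == "__main__":
    total, per_host = phase_estimate(SAMPLE_OUTPUT)
    print(f"phase: {total / 60:.1f} h total, {per_host:.1f} min/host")
    print(f"1000 online hosts: {extrapolate_minutes(per_host, 1000) / 60 / 24:.1f} days")
```

Feed it the saved -v output of the running scan (or the line Nmap prints when you press <enter>) and the count from your earlier ping scan.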
