
Ultimate Nmap Scan - richrines
http://richrines.com/post/10886870567/ultimate-nmap-scan
======
slow
Wow, really? Spoofed MACs, fragmented packets... for what? Stealth? LOL, no way,
not with all those flags enabled.

nmap -sS -F -P0 1.2.3.4 is all you need for a scan, maybe sometimes a -sV and
-O thrown in. Change the rtt settings if things are taking forever (i.e.
heavily firewalled hosts).

Just because nmap has a million options doesn't mean you should use them all.
Don't worry, after a couple hundred scans in the wild you'll figure this out
yourself.

tptacek - Yeah, sorry bro, we don't go and make our own tools every time
something isn't just quite perfect. I don't have the time... got a real life.

~~~
tptacek
A good way to make sure you never have to make your own tools on projects is
to make fun of the very idea that you might every once in a while make your own
tools. I agree: you should probably just keep using nmap.

------
tptacek
... or, "why I can't stand nmap, and more often than not end up writing a
trivial port scanner with EventMachine every time I need to do this."

~~~
soult
… or, "I'll just build my own hammer instead of using this toolbox filled to
the brim with all kinds of tools."

I could spend a minute (or two, because I don't know EventMachine well) coding
that port scanner like you did in [0], or I could just type "nmap -p 1-65535
host". I think you are suffering from not-invented-here syndrome.

0: <http://news.ycombinator.com/item?id=2317547>

~~~
tptacek
Come on. If that just worked, you don't think I'd do it? I've got as much NIH
in me as the next nerd, but did you read anything I wrote in that thread, or
even this article?

Run that all-ports nmap against a firewalled (read: any) corporate network
sometime and time it against the one-minute EventMachine script.

I'm sure there's some combination of nmap flags that slaughters EventMachine,
but I can't be bothered to figure them out, because if I just use the script I
can also pump my output to the exact output format I need.

I get it, by the way. You like nmap. Everyone likes nmap. Mostly. I know I'm
not the only professional security person who gets frustrated with it, and I
think it's interesting how not-hard it is to substitute for it if you can code
even a little bit.

~~~
soult
Your script sequentially scans ports 1 to 65535 of a given host. My nmap
command line does the same. Fair comparison in my opinion. Of course nmap has
more complicated command lines, but then again, your script would be a lot
longer too if you wanted more complicated features.

Yes, you are a security professional and you don't like nmap, and you have met
others who feel the same way. The reason nmap is so popular is because there
are security professionals who do not share your opinion. And judging by the
popularity of nmap, there are a lot of them.

~~~
tptacek
My script will in many circumstances outperform "yours", because nmap's
default settings suck against networks that have firewalls.

That's why I brought it up.

I am not on a mission against nmap. I've met Fyodor a couple times. He's a
smart guy. In fact: I even like nmap; I just think it has outgrown its role as
a port scanner.

I do think it confirms a commonly held suspicion about "security" people when
they recoil in horror over ~40 lines of code "reinventing the wheel" on one of
the industry's hairiest tools. "Oh my god! Code!"

What I should have done is come up with a new acronym for it and then charged
$30,000 for a pilot deployment to use it.