To set a different throttle rate, you can use -T and a value from 0–5 (nmap calls these timing templates; -T 0 is the slowest and -T 5 the fastest). The default value is -T 3. You might go lower than that if you want to be polite by limiting the bandwidth used, or if you are trying to be sneaky and reduce the chance of being caught by an intrusion detection system that keys on the rate of probes. If you don’t care about being caught and you want your scan to go faster, you can increase the throttle rate.
Although there are other types of TCP scans, these ones will get you good results the majority of the time. Other scans are meant for evasion or firewall testing, though they have been well known for many years at this point, so don’t expect them to slip past a current firewall or IDS unnoticed. We can move on to UDP scanning using nmap. You can use the same throttle rates as with the TCP scan, but UDP scanning is inherently slower. An open UDP port usually sends nothing back, so nmap has to retransmit and wait before it can report the port as open|filtered (open, or filtered by something that dropped the probe; it cannot tell which). Closed ports answer with ICMP port unreachable messages, which most operating systems rate-limit (Linux, for example, to roughly one per second by default), so nmap cannot simply blast probes and collect answers. Increasing the throttle rate helps, but a UDP scan will still be far slower than a TCP scan. You can see the output from a UDP scan in Example 3-17.
Example 3-17. UDP scan from nmap

root@rosebud:~# nmap -sU -T 4 192.168.86.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-30 20:31 MST
Nmap scan report for testwifi.here (192.168.86.1)
Host is up (0.0010s latency).
Not shown: 971 closed ports, 27 open|filtered ports
PORT     STATE SERVICE
53/udp   open  domain
5351/udp open  nat-pmp
MAC Address: 18:D6:C7:7D:F4:8A (Tp-link Technologies)
The TCP scan of all the systems on my network took 86 seconds, just less than a minute and a half. The UDP scan took well over half an hour, and this was on a local network.
Although nmap can do port scanning, it has other capabilities. For instance, you can have it perform operating system detection with -O. It does this based on fingerprints that have been collected from known operating systems: nmap sends a set of crafted probes and compares the target’s responses against its fingerprint database. Additionally, nmap can run scripts through the Nmap Scripting Engine (NSE). These scripts are written in the Lua programming language and are called based on the ports that have been identified as open. Although the scripts that come with nmap provide a lot of capabilities, you can add your own scripts as needed. To run a script, you pass --script with the name of the script you want to run. You can also run a collection of scripts, as you can see in Example 3-18. In this case, nmap will run any script whose name starts with http. If nmap detects that a common web port is open, it will call each of those scripts against that port. This scan request will catch all the web-based scripts that are available. At the time of this run, that is 129 scripts.
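The following shell script is an added example, not code from the book: it strings the UDP timing discussion above and the scripting discussion here into one staged scan. It runs a fast TCP scan, a UDP scan limited to the 100 most common ports (the full 65535-port UDP sweep is what turns minutes into hours), version probes against only the UDP ports that came back open|filtered, and the http-* script collection against only the TCP ports found open. The parsing functions read nmap’s normal (-oN) output, the same layout as Example 3-17; the embedded sample report is constructed for illustration, and the output directory, the --top-ports count and the target you pass in are assumptions, not values from the book.

```shell
#!/usr/bin/env bash
# Staged nmap scan: TCP, then UDP on the common ports, then resolve
# open|filtered UDP ports with version probes, then http-* NSE scripts
# against discovered TCP ports. Added example; the output directory and
# the --top-ports count are assumptions, not values from the book.

# Print the ports of one protocol in one state from nmap -oN output on
# stdin, comma-separated, e.g. `ports_in_state udp open` -> "53,5351".
ports_in_state() {
  awk -v proto="$1" -v state="$2" '
    $1 ~ ("/" proto "$") && $2 == state {
      split($1, f, "/")
      ports = ports (ports == "" ? "" : ",") f[1]
    }
    END { print ports }'
}

# Count UDP ports nmap could not resolve beyond open|filtered (no reply).
# nmap folds the most common states into a "Not shown:" summary line, so
# both the explicit port lines and that summary have to be counted.
unresolved_udp_count() {
  awk '
    /^Not shown:/ {
      for (i = 2; i <= NF; i++) if ($i == "open|filtered") n += $(i - 1)
    }
    $1 ~ /\/udp$/ && $2 == "open|filtered" { n++ }
    END { print n + 0 }'
}

# Constructed sample in the layout of Example 3-17 (what a --top-ports 20
# run might look like); used to exercise the parsers offline.
sample_udp_report() {
  cat <<'EOF'
Nmap scan report for testwifi.here (192.168.86.1)
Host is up (0.0010s latency).
Not shown: 17 closed ports
PORT     STATE         SERVICE
53/udp   open          domain
68/udp   open|filtered dhcpc
5351/udp open          nat-pmp
EOF
}

scan_host() {
  target=$1
  out=${2:-nmap-out}          # assumed output directory
  command -v nmap >/dev/null || { echo "nmap not installed" >&2; return 1; }
  mkdir -p "$out"

  # 1. TCP: quick even at the default -T 3; -T4 is fine on a local network.
  nmap -T4 -oN "$out/tcp.txt" "$target"

  # 2. UDP: restrict to the most common ports. Closed ports answer with
  #    rate-limited ICMP unreachables and open ports usually say nothing,
  #    so every extra port costs retransmissions and waiting. --reason
  #    records which response (or lack of one) produced each state.
  nmap -sU -T4 --top-ports 100 --reason -oN "$out/udp.txt" "$target"

  # 3. Version probes against only the open|filtered ports: a service that
  #    answers a protocol-specific payload proves the port is really open.
  unresolved=$(ports_in_state udp 'open|filtered' < "$out/udp.txt")
  if [ -n "$unresolved" ]; then
    nmap -sU -sV -p "$unresolved" -oN "$out/udp-version.txt" "$target"
  fi

  # 4. NSE: every script whose name starts with http-, but only on the
  #    ports TCP found open. Each script's own portrule decides whether a
  #    port looks like HTTP, so pointing at the whole open list is safe.
  #    The wildcard is quoted so the shell does not expand it as a glob.
  open_tcp=$(ports_in_state tcp open < "$out/tcp.txt")
  if [ -n "$open_tcp" ]; then
    nmap -sV -p "$open_tcp" --script 'http-*' -oN "$out/http-scripts.txt" "$target"
  fi
  echo "unresolved UDP ports after step 2: $(unresolved_udp_count < "$out/udp.txt")"
}

# Run only when a target is given, e.g. ./scan.sh 192.168.86.1
if [ "$#" -ge 1 ]; then
  scan_host "$@"
fi
```

Before pointing the script collection at a target, nmap --script-help 'http-*' lists what each selected script does; some of them (brute-force and form-submission scripts, for instance) are noisy and not appropriate for every engagement. The number of scripts the wildcard matches is whatever your installed nmap ships with, not necessarily the 129 seen above.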