analog-substance / arsenic

Pentesting tool to automate common op tasks and organize discovered data.
MIT License

Change the quick nmap scan (Feature request) #47

Open T3rm1nal23 opened 3 years ago

T3rm1nal23 commented 3 years ago

Scans may be faster if the quick punched scan added the -Pn flag and used --top-ports 500 (or whatever number makes sense), and then the hosts that are found to be up with that scan were only scanned with the aggressive scan.

defektive commented 2 years ago

The quick nmap scan is designed to find all open ports, which are then passed to a more aggressive scan to determine the host OS and service banners. I think we should add a few commands to the discover phase:

nmap -sn -PS80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900
nmap -sn -PA80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900

defektive commented 11 months ago

Not really a fix, but I've been adjusting my workflow to not run individual nmap scans on the hosts. Instead, I've been:

Example:

echo 10.0.28.0/24 > scope-ips.txt 
echo 10.0.29.0/24 >> scope-ips.txt
echo 10.0.3.0/24 >> scope-ips.txt
as-host-discovery scope-ips.txt

You can configure what ports are used by nmap for host discovery via arsenic config

arsenic config discover.top-tcp-count 500
arsenic config discover.top-udp-count 100

You can also configure the timing profile used.

arsenic config discover.timing-profile 5

Once this process is complete, you'll have some new scope-*-active-* files. This is where as-port-scan-tcp.tengo incremental comes in. You can perform TCP scans in batches; the default is 500 ports at a time. The script will scan popular ports first, then fill in the rest, removing ports already scanned.

as-port-scan-tcp.tengo incremental -s scope-ips-active-ipv4.txt

Once the first batch is done you can use arsenic analyze --nmap to create host dirs based on hosts with open ports. You can re-run analyze as you get more data back. I also use nex to merge incremental nmap xml files to a single nmap.xml, then split the merged file out to the host directories.

nex merge recon/nmap-tcp-incremental-500-scope-ips-active-ipv4-txt-*.xml
nex split -p nmap-merge -n nmap-punched-tcp --ignore-nmap --ignore-gnmap

This has significantly reduced my time to scan results. Hopefully this process will be baked into the discover and recon processes, so there is less manual effort.
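As an added illustration of the two ideas in the thread above (not code from arsenic, nex, or either commenter): a batch planner that scans the most frequently open ports first and then fills in the remaining ports without repeating any, and a merge of several per-batch nmap XML outputs that keeps only hosts with at least one open port, which is the set that gets host directories and the later aggressive scan. The frequency table and the two XML fragments are constructed sample data in the style of nmap-services and nmap's XML output; the function names are my own.

```python
"""Constructed Python illustration of an incremental, top-ports-first TCP scan
plan and of merging the per-batch nmap XML results.  Not arsenic's own code."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed frequency table in the style of nmap-services (port -> open-frequency).
# nmap's --top-ports ranks ports by this column; a real table has ~8000 TCP rows.
SERVICE_FREQ = {
    80: 0.4843, 23: 0.2281, 443: 0.2081, 21: 0.1976, 22: 0.1826,
    25: 0.1002, 3389: 0.0836, 110: 0.0775, 445: 0.0561, 139: 0.0523,
}
ALL_TCP_PORTS = range(1, 65536)


def plan_batches(batch_size, freq=SERVICE_FREQ, ports=ALL_TCP_PORTS):
    """Yield lists of ports: highest open-frequency ports first, then every
    remaining port in numeric order.  A port never appears in two batches."""
    ranked = sorted(freq, key=lambda p: (-freq[p], p))
    seen = set()
    batch = []
    for port in list(ranked) + list(ports):
        if port in seen:          # already scheduled in an earlier batch
            continue
        seen.add(port)
        batch.append(port)
        if len(batch) == batch_size:
            yield batch
            batch = []
    if batch:                     # final, partially filled batch
        yield batch


def nmap_port_spec(batch):
    """Collapse a batch into a compact nmap -p argument, e.g. '1-2,139,445'."""
    ports = sorted(batch)
    spec, start, prev = [], ports[0], ports[0]
    for p in ports[1:]:
        if p == prev + 1:
            prev = p
            continue
        spec.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = p
    spec.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(spec)


def merge_open_ports(xml_docs):
    """Merge several nmap XML documents (one per batch) into
    {address: {port: service_name}}, dropping hosts with no open port."""
    hosts = defaultdict(dict)
    for doc in xml_docs:
        root = ET.fromstring(doc)
        for host in root.iter("host"):
            addr = host.find("address").get("addr")
            for port in host.iter("port"):
                if port.find("state").get("state") != "open":
                    continue
                svc = port.find("service")
                name = svc.get("name") if svc is not None else ""
                hosts[addr][int(port.get("portid"))] = name
    return {addr: open_ports for addr, open_ports in hosts.items() if open_ports}


# Constructed nmap XML fragments standing in for two incremental batch results.
BATCH1_XML = """<nmaprun scanner="nmap"><host><status state="up"/>
<address addr="10.0.28.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port>
</ports></host><host><status state="up"/>
<address addr="10.0.28.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="filtered"/></port>
</ports></host></nmaprun>"""

BATCH2_XML = """<nmaprun scanner="nmap"><host><status state="up"/>
<address addr="10.0.28.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""


if __name__ == "__main__":
    # Small port space so the output is readable; the real plan covers 1-65535.
    for i, batch in enumerate(plan_batches(3, ports=range(1, 11)), 1):
        print(f"batch {i}: nmap -sS -p {nmap_port_spec(batch)} -iL scope-ips-active-ipv4.txt")
    print(merge_open_ports([BATCH1_XML, BATCH2_XML]))
```

Only hosts returned by merge_open_ports have anything to hand to the aggressive scan; 10.0.28.9 in the sample shows up as up but contributes no open port, so it gets no host directory until a later batch finds one.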