Trace /8 address space with nmap


I'm trying to sketch out a network topology map using the following command

nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO -oX topology.xml --traceroute

(because no one knows what's on there right now; that's part of the reason why I'm running this project)

Obviously this takes forever. So I'm wondering if I can get some advice on how to speed things up? There should be no more than 300 hosts there, but no one even knows how exactly subnets are divided in the range, so I don't know if there's a better option than scanning the whole network.

Thanks in advance!

Best Answer

I have some ideas to speed up your Nmap scan, but first I want to address the real problem: You have a private LAN with 300 hosts on it, and you need to find all the hosts that are up. Ping-scanning should be your last resort, since there are more reliable (and faster) sources of information within a network.

  1. Router and switch configurations. These will not show much information about individual hosts, but they will show information about subnets.

  2. DHCP server logs. This won't get everything, because a host could be configured with a static IP address, but it will give you a good start. At the least, the DHCP server configuration will tell you what subnets are dynamically assigned.

  3. Packet captures from your network devices. Use the span ports or port mirroring on your switches to capture traffic for a day or two. This should show all the addresses that are in use.

  4. Physical tracing. If you have a decent physical boundary of the extent of the network, you can find your network devices and start tracing cables. If network stability is not critical, start unplugging things and see who complains. :)

  5. ARP scanning. You have a lot of different layer-3 probes in your Nmap command, but Nmap's layer-2 ARP host detection is unbeatable if you're on the same layer-2 broadcast domain. This is because a host cannot receive a layer-3 probe without first responding to the layer-2 ARP request, divulging its MAC address. This will require multiple scans (probably one from each switch), but it is the most thorough scanning option.

Now, as to why your Nmap scan is taking so long, there are a lot of things to consider. First, understand that Nmap is thorough. It will not give up on an address until all the host-discovery probes you selected have timed out. Selecting more probes (-P* options) will give more accurate results, but will also make your scan slower. Nmap's default probe set (-PE -PS443 -PA80 -PP, or -PR when local) strikes a good balance, and I wouldn't tweak it much.

Other optimizations would be increasing the timing template from default -T3 to -T4. This should be fine for any LAN, but I would probably not go all the way to -T5. You could also gain some time by skipping reverse-DNS name resolution with -n. Finally, I would highly suggest upgrading to the most recent version of Nmap, which is currently 6.40 (July 2013).
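A parser for the topology.xml that the asker's -oX --traceroute command writes, turning it into a per-subnet host map plus the gateway hops seen on the way; this is an added example, not code from the original question or answer, and the XML sample inside is constructed to mimic Nmap's host/status/address/trace/hop elements.

```python
# Added example (not from the original post): summarise an Nmap -oX/--traceroute
# run into a per-/24 host map plus the gateway hops seen on the way. SAMPLE_XML
# is constructed to mimic the host/status/address/trace/hop elements Nmap writes.
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up" reason="arp-response"/>
  <address addr="10.0.1.5" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac"/>
  <trace port="80" proto="tcp"><hop ttl="1" ipaddr="10.0.1.5" rtt="0.40"/></trace>
</host>
<host><status state="up" reason="syn-ack"/>
  <address addr="10.0.2.20" addrtype="ipv4"/>
  <trace port="80" proto="tcp"><hop ttl="1" ipaddr="10.0.1.1" rtt="0.55"/>
    <hop ttl="2" ipaddr="10.0.2.20" rtt="1.20"/></trace>
</host>
<host><status state="down" reason="no-response"/>
  <address addr="10.0.3.9" addrtype="ipv4"/>
</host>
</nmaprun>"""


def parse_hosts(xml_text):
    """Return [(ip, reason, [hop ips])] for every host Nmap marked 'up'."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no topology information
        ip = next(a.get("addr") for a in h.findall("address")
                  if a.get("addrtype") == "ipv4")
        # Nmap leaves out hops that timed out, so keep only hops with an address
        hops = [hop.get("ipaddr") for hop in h.iter("hop") if hop.get("ipaddr")]
        hosts.append((ip, status.get("reason"), hops))
    return hosts


def topology(xml_text, prefix=24):
    """Group live hosts by /prefix; return (subnet -> sorted hosts, gateway set)."""
    # The last hop of a trace is the target itself, so it is never a gateway.
    subnets, gateways = defaultdict(list), set()
    for ip, _reason, hops in parse_hosts(xml_text):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        subnets[str(net)].append(ip)
        gateways.update(hop for hop in hops[:-1] if hop != ip)
    return {k: sorted(v) for k, v in subnets.items()}, gateways
```

Run against a real topology.xml, the subnet keys show how the range is actually carved up and the gateway set shows which routers sit between the scanner and each group, which narrows the ranges worth re-scanning with -PR from each segment.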