Follow-up on using unicornscan for a big scan (400,000+ public IPs)

Posted by Tate Hansen Thu, 27 Dec 2007 19:36:00 GMT

I’m happy to report our growing experience using unicornscan for large discovery sweeps is a positive one. Our confidence in using this tool has increased and it is now our preferred weapon of choice for scanning large IP swaths.

To recap: We performed a sweep of 400,000+ public IPs across multiple continents by configuring the scans to do a full TCP port scan of each IP, sustained ~55 Mbits/s using between 3 and 5 systems, and completed it in a matter of days.

This is pretty good considering by sending two SYN probes per port it meant sending ~52.5 billion packets and producing some 3 Terabytes of data.

Nmap is often our preferred tool, and we used it to spot check our results with unicornscan, but from now on it will come down to the details of the gig to make the choice.

Tech note: We avoided problems with table overflows and other like issues by placing the systems directly on the internet and with iptables turned off.


Trying out unicornscan

Posted by Tate Hansen Mon, 15 Oct 2007 04:10:00 GMT

We’ve hit a new high. We’ve soaked ourselves in a bandwidth bath on behalf of a client who would like us to discover active services across a range of six public /16 blocks plus some scattered /17s, /24s, etc. The range is close to a total of 400,000 IPs.

We started out with five dual Xeon systems running 20 to 40 instances of nmap, each tuned, and each instance targeting 64 IPs. This client wants the job completed in weeks, so we decided it was a good time to get more experience with unicornscan.

By luck, we tapped into a Danish provider that is allowing us to push 55Mbits/s. I have no idea how much that amount of bandwidth would normally cost, especially if sustaining it 24x7 for a few weeks, but I’m guessing it is way over $10,000. Our client would allow us to go up to 100Mbits/s, alas, our luck doesn’t go that far.

Anyway, we now have faster dual-core systems each pushing ~25 Mbits/s via unicornscan like so:

sudo nohup /usr/local/bin/unicornscan -mT -p -r25000 -vv xxx.zz.0.0/16:a -w unicorn.output.for.xxx.zz..0.0.fullTCP > unicorn.output.fullTCP &

We have lots of results from nmap; so far unicornscan is matching the nmap results. Having the ability to specify packets per second with unicornscan is super nice.

We’ll create a follow-up post on how all our scanning worked out on this gig when we’re finished (sometime in late November).
