RE: Scanning - anyone got ball park timings?

From: Pete Herzog (peteat_private)
Date: Thu May 29 2003 - 13:55:03 PDT


    Rule of thumb for security testing enumeration-- straight out of OSSTMM 2.5
    RED--
    
    (warning - this is a RULE OF THUMB which means your mileage may vary but
    it's pretty accurate to start planning or baseline)
    
    Based on blackbox enumeration and port scanning (ICMP all request types,
    TCP/UDP 64k ports, various protocol application and network level types
    based on ICMP response ACLs, and various enumeration techniques as outlined
    in the OSSTMM).  This should be about equivalent to running a vuln scanner
    like ISS with "Scan if Ping Fails" option running.
    
    48 hours for each /24 at 12 hops of 64Kb bandwidth.  Add 1 hour per /24 for
    every hop greater than 12.  For less than 12 hops consider flood control
    timing to balance rule or else calculations are unreliable.  Divide by
    (digital and upstream/downstream balance) bandwidth because increasing
    bandwidth decreases time proportionally where smallest bandwidth is maximum
    calculated size.
    
    Example:
    
    Scanning 3 /24 networks at 18 hops with a 256Kb line
    
    Now assuming my math isn't hindered by lack of sleep:
    48 hours per /24 = 144 hours
    add 1 hour per hop per /24 over 12 hops = 144 + 6 * 3 = 162
    divide for bandwidth = /(256 / 64) = /4
    total = 162 / 4 = 40.5 hours
    
    Less than 2 days for enumerating 3 /24s is about right.  Anyways, it works
    pretty well for me.
    
    If 16 hours for vuln scans seems long for you then I recommend you take
    shortcuts and enumerate once and make an IP list of systems and commonly
    found ports to feed into the scanner.  Actually, it sounds more like an
    internal scan - or just a router or three away from you.  Even then, a good
    firewall will slow a scan down considerably.
    
    You just need to feed me more info for more accuracy.
    
    Sincerely,
    -pete.
    
    
    > -----Original Message-----
    > From: Mark Phillips [mailto:markat_private]
    > Sent: Thursday, May 29, 2003 15:27 PM
    > To: pen-testat_private
    > Subject: Scanning - anyone got ball park timings?
    >
    >
    > Hi,
    >
    > What are people's experiences of time scales when scanning ranges of hosts?
    > OK, so I know that's a "how long is a piece of string", but if people can
    > say what sort of times they're getting for a given size of IP range and
    > given type of scan, that would be helpful.
    >
    > I've been running a "SANS 20" policy scan from ISS Internet Scanner 7,
    > across the Internet, and am seeing timings like 16 hours for 1700
    > addresses found. Is this realistic? Is this quick or slow? If it's slow,
    > do people have any hints and tips about how to speed up the whole process?
    >
    > Any pointers muchos appreciated.
    >
    > Cheers,
    >
    > --Mark
    >
    
    
    
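The rule of thumb above is a small arithmetic model, so it is worth having it as a planning calculator rather than redoing it by hand for each engagement. The following is an added example, not code from Pete's post, the pen-test list, or the OSSTMM; the function names and the `ScanEstimate` structure are my own, and the conversion from a host count to a number of /24 blocks (for fitting Mark's "1700 addresses" into the per-/24 rule) is an assumption layered on top of the post. It reproduces the worked figures in the post (3 x /24, 18 hops, 256Kb line gives 40.5 hours), takes the smallest link bandwidth on the path as the bound, and flags the case the post calls unreliable (fewer than 12 hops) instead of silently returning a number.

```python
"""Added example: the OSSTMM 2.5 enumeration-timing rule of thumb from the
post above, as a planning calculator. Constants and formula are the post's;
the function and dataclass names are assumptions (not OSSTMM API)."""
import math
from dataclasses import dataclass
from typing import Iterable

BASE_HOURS_PER_24 = 48          # 48 hours per /24 at the baseline below
BASELINE_HOPS = 12              # baseline hop count the 48 hours assume
BASELINE_BANDWIDTH_KB = 64      # baseline bandwidth (Kb) the 48 hours assume
EXTRA_HOURS_PER_HOP_PER_24 = 1  # add 1 hour per /24 for each hop beyond 12
ADDRESSES_PER_24 = 256


@dataclass(frozen=True)
class ScanEstimate:
    hours: float
    reliable: bool   # False when hops < 12: post says to use flood-control timing instead
    note: str


def networks_24_for_hosts(host_count: int) -> int:
    """Assumption: round a raw address count up to whole /24 blocks, since the
    rule is expressed per /24 (1700 addresses -> 7 blocks)."""
    if host_count <= 0:
        raise ValueError("host_count must be positive")
    return math.ceil(host_count / ADDRESSES_PER_24)


def estimate_enumeration_hours(networks_24: int, hops: int,
                               link_bandwidths_kb: Iterable[int]) -> ScanEstimate:
    """Apply the rule of thumb.

    networks_24: number of /24 blocks to enumerate
    hops: hop count between the tester and the target range
    link_bandwidths_kb: bandwidth (Kb) of each link on the path; the smallest
        link bounds throughput ("smallest bandwidth is maximum calculated size")
    """
    links = list(link_bandwidths_kb)
    if networks_24 <= 0:
        raise ValueError("networks_24 must be positive")
    if not links or min(links) <= 0:
        raise ValueError("need at least one positive link bandwidth")

    bandwidth_kb = min(links)                       # slowest link on the path
    base_hours = BASE_HOURS_PER_24 * networks_24    # 48 h per /24
    extra_hops = max(0, hops - BASELINE_HOPS)       # only hops beyond 12 count
    extra_hours = EXTRA_HOURS_PER_HOP_PER_24 * extra_hops * networks_24
    # More bandwidth shortens the scan proportionally to the 64Kb baseline.
    bandwidth_factor = bandwidth_kb / BASELINE_BANDWIDTH_KB
    hours = (base_hours + extra_hours) / bandwidth_factor

    reliable = hops >= BASELINE_HOPS
    note = (f"{networks_24} x /24, {hops} hops, {bandwidth_kb}Kb bottleneck: "
            f"({base_hours} + {extra_hours}) / {bandwidth_factor:g}")
    if not reliable:
        note += " [fewer than 12 hops: post says the calculation is unreliable; "
        note += "plan from flood-control timing instead]"
    return ScanEstimate(round(hours, 2), reliable, note)


if __name__ == "__main__":
    # Constructed inputs: the post's own worked example, then Mark's host count.
    post_example = estimate_enumeration_hours(3, 18, [256])
    print(post_example)                      # 40.5 hours, reliable
    blocks = networks_24_for_hosts(1700)     # assumption: 1700 addresses -> 7 blocks
    print(estimate_enumeration_hours(blocks, 12, [64, 1024]))
    print(estimate_enumeration_hours(1, 3, [64]))   # flagged as unreliable
```

Passing the whole path's link speeds rather than one number matters in practice: a fast local uplink behind a 64Kb WAN hop still gets the 64Kb divisor, which is the post's point about the smallest bandwidth bounding the estimate.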