[suggestion] [nmap] Add total number of hosts to scan in status output #1663

Open
cnotin opened this issue Jul 18, 2019 · 3 comments

@cnotin

commented Jul 18, 2019

When Nmap is running, we can press a key to see the current scan stats:

Stats: 1:56:42 elapsed; 131600 hosts completed (2716 up), 128 undergoing Script Scan

In my opinion, one thing would be nice to have here: the total number of hosts to scan. For example here, if I launched the scan on 172.16.0.0/12 (1 048 576 addresses), I would like to have something such as:

Stats: 1:56:42 elapsed; 131600 hosts completed (2716 up) over 1048576 (12,55% completed), 128 undergoing Script Scan

I have tried to implement it, but Nmap does not seem to have this information readily available.

My understanding is that the hosts to scan are computed in real time, when required for a new group of hosts for example, but not as a whole at the beginning of the scan so the total number is not known. It also seems that NSE scripts can output new targets according to this (in targets.cc) which further complicates the calculation:

/* Add any new NSE discovered targets to the scan queue */

@dmiller-nmap


commented Jul 25, 2019

The difficulty is, as you said, that Nmap does not have any idea at any given time how many hosts will be scanned. The issue is multiplicative:

  1. Target specifications may be read from a file or from STDIN, and the input may be very large (e.g. the Alexa top 1 million sites).
  2. A single target specification could expand to many different target addresses: example.com/24, 192.0.2.10-20, etc.
  3. DNS resolution has to be done for a target specification in order to know if it adds one (typical), none (address is wrong AF, excluded, or unresolvable), or many (user used --resolve-all) targets.
  4. NSE scripts can add targets they discover by querying services (e.g. NTP peers, NFS clients, etc.), and each target undergoes name resolution subject to the previous point.

@cnotin

Author

commented Jul 25, 2019

Thanks for the additional info. I perfectly understand that it is complicated but it would be so nice!
I am wondering if having a total number that would change dynamically, during the scan, would be acceptable or a very wrong idea...

@dmiller-nmap


commented Jul 25, 2019

Nmap already gets so much flak for dynamic timing estimates that I'm guessing we'd get more reports of "Nmap takes forever!" than would be worth it. However, it shouldn't be tough to calculate and include a "host completion rate" like N targets completed per hour or "average 2.5 minutes per target." I tend to think targets per time is better than time per target, since results come in big chunks.
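
The two numbers discussed in this thread can be approximated outside Nmap. The following is an added example, not part of the thread and not Nmap code: it parses a `Stats:` line, derives a targets-per-hour rate, and computes a percentage only when every target specification is a literal IPv4 CIDR block or octet range. The function names `count_spec` and `progress` are hypothetical, and the total ignores exclusions and NSE-added targets, so it is an estimate.

```python
import re

STATS_RE = re.compile(r"Stats: (\d+):(\d+):(\d+) elapsed; (\d+) hosts completed \((\d+) up\)")

def count_spec(spec):
    """Addresses a literal IPv4 spec expands to; None if it needs DNS or is unparsable."""
    addr, slash, prefix = spec.partition("/")
    octets = addr.split(".")
    if len(octets) != 4:
        return None                      # hostname, IPv6, or malformed
    try:
        if slash:
            bits = int(prefix)
            if not 0 <= bits <= 32 or not all(0 <= int(o) <= 255 for o in octets):
                return None
            return 2 ** (32 - bits)      # every address in the block is a target
        total = 1
        for octet in octets:
            values = set()               # a set, so overlapping parts count once
            for part in octet.split(","):
                lo, dash, hi = part.partition("-")
                first = int(lo) if (lo or not dash) else 0      # "-20" means 0-20
                last = int(hi) if hi else (255 if dash else first)  # "10-" means 10-255
                if not 0 <= first <= last <= 255:
                    return None
                values.update(range(first, last + 1))
            total *= len(values)
        return total
    except ValueError:                   # non-numeric octet, e.g. example.com/24
        return None

def progress(stats_line, specs):
    """Completion rate from a Stats line, plus a percentage when the total is countable."""
    m = STATS_RE.search(stats_line)
    if not m:
        return None
    hours, minutes, seconds, done, up = map(int, m.groups())
    elapsed = hours * 3600 + minutes * 60 + seconds
    counts = [count_spec(s) for s in specs]
    total = None if None in counts else sum(counts)   # one unknown spec hides the total
    return {
        "completed": done, "up": up, "total": total,
        "percent": 100.0 * done / total if total else None,
        "hosts_per_hour": 3600.0 * done / elapsed if elapsed else None,
    }

if __name__ == "__main__":
    line = "Stats: 1:56:42 elapsed; 131600 hosts completed (2716 up), 128 undergoing Script Scan"
    print(progress(line, ["172.16.0.0/12"]))
```
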
