
Among the open-source tools used for port scanning, nmap is the most common one, but it also has some slightly unusual features.

See below for reference.


Having recently spent some time working with Nmap for an upcoming course, I noticed that there is room for speed improvements in many of our Nmap commands. For example, the following command:

nmap -A -p 80 192.168.1.0/24

can be run in a similar manner, but in half the time. The goal of the above command is to gather the service fingerprint of all web servers in your environment. This is valuable information, and especially useful when looking for "interesting" services running on port 80, like botnet controllers. So, as a speed test, let's run the above command against the most port-scanned system in the world:

# nmap -A -p 80 scanme.insecure.org

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-20 13:41 EST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.2 ((Fedora))
Too many fingerprints match this host to give specific OS details

Nmap finished: 1 IP address (1 host up) scanned in 14.204 seconds

The first command option "-A" tells Nmap to execute an OS fingerprint in addition to a service fingerprint for all ports specified. In this case we are specifying port 80 with the "-p 80" option. Since we only told Nmap to detect one port, it will only ever find one port to be open, hence the complaint from the OS fingerprinting engine "OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port". To cut the scan time in half, use the following command:

# nmap -sV -T4 -n -p 80 scanme.insecure.org

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-20 13:54 EST
Interesting ports on 205.217.153.62:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.2 ((Fedora))

Nmap finished: 1 IP address (1 host up) scanned in 6.948 seconds

The first change we made was to replace the "-A" with "-sV". This tells Nmap to only do service fingerprinting and not OS fingerprinting. We then added the "-T4" command option, which tells Nmap to use "aggressive" timing options. The "-T4" is really like a macro for other, more advanced, Nmap command line options such as "--max-rtt-timeout", which refers to how much time Nmap will wait for responses. The "-T4" is a good place to start to speed up a scan. The "-n" flag tells Nmap to skip host name resolution (even though it will do this much faster since 3.97-Shmoo). We can see that by making these three small changes our scan time went from "14.204 seconds" to just "6.948 seconds". This is a HUGE time saving when attempting to scan a class C or class B network.

Link: http://www.pauldotcom.com/2006/11/20/nmap_for_speed_freaks.html

It seems that using the -A option on port 80 can also turn up things like botnets. The -T4 option lets you set timeouts, so the scan speed can be raised even further. Please use this as a reference.
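To turn the quoted "-sV" runs into an inventory of web-server fingerprints across a whole network, the Nmap normal output shown above has to be parsed. The following is an added example, not code from the original post or from the Nmap project; it assumes the Nmap 4.x output layout quoted above and uses the two scan results from the post as constructed sample input.

```python
import re

# Constructed samples: the two scans quoted in the post, in Nmap 4.x normal output.
SCAN_A = """Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.2 ((Fedora))
Nmap finished: 1 IP address (1 host up) scanned in 14.204 seconds
"""
SCAN_B = """Interesting ports on 205.217.153.62:
80/tcp open http Apache httpd 2.2.2 ((Fedora))
Nmap finished: 1 IP address (1 host up) scanned in 6.948 seconds
"""
HOST_RE = re.compile(r"^Interesting ports on (\S+?)(?: \((\d+\.\d+\.\d+\.\d+)\))?:$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DONE_RE = re.compile(r"scanned in ([\d.]+) seconds")

def parse_nmap_normal(text):
    """Return {'hosts': [...], 'seconds': float, 'warnings': [...]} for one run."""
    report = {"hosts": [], "seconds": None, "warnings": []}
    host = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Warning:"):  # e.g. the OS-detection complaint from -A
            report["warnings"].append(line[len("Warning:"):].strip())
            continue
        m = HOST_RE.match(line)
        if m:  # "name (ip)" without -n, bare ip when -n skips reverse DNS
            name, ip = m.group(1), m.group(2) or m.group(1)
            host = {"name": name, "ip": ip, "ports": []}
            report["hosts"].append(host)
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            port, proto, state, service, version = m.groups()
            host["ports"].append({"port": int(port), "proto": proto, "state": state,
                                  "service": service, "version": version or ""})
            continue
        m = DONE_RE.search(line)
        if m:
            report["seconds"] = float(m.group(1))
    return report

def web_servers(report, port=80):
    """(ip, version) of every host with TCP `port` open: the -sV fingerprint inventory."""
    return [(h["ip"], p["version"]) for h in report["hosts"] for p in h["ports"]
            if p["port"] == port and p["proto"] == "tcp" and p["state"] == "open"]

def speedup(slow, fast):
    """How many times faster the second run was (the post's 14.204 s vs 6.948 s)."""
    return slow["seconds"] / fast["seconds"]
```

Feeding the saved output of each subnet scan through parse_nmap_normal and diffing web_servers between runs is a cheap way to spot a new or changed service on port 80.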
