01.14.08
Port Scanner Challenge: And the Winner is?
The other day I posted raw data comparing nmap, PortBunny and Unicornscan... I thought today I'd provide some of my thoughts on what the data shows us.
In the end I scanned 5 hosts running a variety of operating systems and I think I gave a fairly decent small scale spread and one initial comment I'd like to make is on the scanning of the HP LaserJet 4MV... While not all scanners found all the ports, they were all able to scan it... which I found fairly impressive... especially considering I've crashed it numerous times in the past playing with advanced options in port scanners and packet creation programs.
Now for the anlysis... Was there a winner? At first I didn't think so... but once I created the graph it became fairly evident that there was. Before I declare the winner... let's take a look at what we saw.
Unicornscan
I was fairly impressed with unicornscan the first time it ran... at least from a speed standpoint. That is until I ran nmap and PortBunny. While unicornscan (on a standard scan, default ports) was able to provide consistent speeds... it was clear that on systems with fewer open ports... there was a huge disadvantage in the design of unicornscan... The consistent speeds were still occurring. If we look at my shell box for example (Ubuntu 6.06 PPC on an old 350Mhz iMac), we see that unicornscan took what appears to be a respectable 9.2 seconds. However, nmap took only 1.5 seconds and PortBunny was less than a second at 0.7 seconds.
The full port scan also didn't bode well for unicornscan. On two hosts, the printer and the gateway, it failed to find any open ports... These are both slower systems (the older printer, and a soekris 486 for the gateway) so perhaps they couldn't keep up with the speed of the scan... or perhaps unicornscan was scanning too fast even for itself.
In the end, after seeing the results of nmap and PortBunny I was rather unimpressed with unicornscan.
nmap
I was quite impressed with nmap. During the default scan it tied PortBunny with lowest number of missed ports (of course this is due primarily to the various scanners default port list) and on a full port scan, it was the only scanner to find all open ports. In addition to having the lowest miss port rate... it boasted the fastest times... coming in 17.5 minutes faster than PortBunny on a full port scan, and 16 seconds faster on a default scan.
Additionally when I provided nmap with the '-T5 --max-retries 0' options, it blew PortBunny out of the water... it missed two additional ports over PortBunny on one of the 5 hosts, however the time difference was 5.3 seconds to 74 seconds... nmap was 68.7 seconds faster.
PortBunny
Given all the hype surrounding PortBunny and the fast that is is a "Linux Kernel-Based Port Scanner" (which is supposed to work to it's benefit), I was expecting great things... instead I was seriously disappointed. There wasn't a single scan where PortBunny fully out performed nmap... You have to set nmap to get ridiculous scan speed (scanning "almost too fast") in order for PortBunny to even manage to find more ports than nmap and then it takes ~15 times longer to find those 2 extra ports... Without those "almost too fast" options, nmap still performs faster than PortBunny and with more accuracy.
There was one host where PortBunny was able to outperform nmap, however that was with nmap doing a default scan... when timing options were adjusted, once again PortBunny failed to beat nmap.
Decision
When I started this challenge, I wasn't sure what the outcome would be... the only prediction I had was that unicornscan would be defeated by both PortBunny and nmap. This proved to be true... Between nmap and PortBunny, due to the hype around PortBunny and the claims that I had seen... I really wasn't sure. I expected it to be a close battle between the two... at most a TKO... but in the end it was a straight-up KO and in reality PortBunny was never really a contender.
