Security Basics mailing list archives

Re: Nmap questions for the experts


From: Ron <ron () skullsecurity net>
Date: Wed, 30 Jul 2008 09:41:42 -0500

Hi Mark,

mark mark wrote:
> Hi,
>
> I have some questions regarding nmap. I'm not sure if this is the
> proper list, I just searched Google and found some people asking
> nmap-related questions here. Anyway, here are my questions:
nmap has its own mailing lists (nmap-dev, nmap-hackers); you can find those on insecure.org.

> 1. Is there any way I can specify two different source ports for nmap's
> -g when doing a TCP and UDP scan at the same time? Usually, I specify
> -g 53. However, I think it would be more effective if I use port
> 20 (ftp) as my TCP source port, and just use port 50 (DNS) as my UDP
> source port. I tried specifying both but only the latter port was used
> by nmap.
I'm pretty sure there's no way, perhaps you can run it as two separate scans? I generally run TCP and UDP scans separately, they're different enough that I use different options (especially timing). I also like to have the opportunity to have a snack and get a good night's sleep while -sU is running. :)

> 2. Do you really use nmap before running nessus? I just read the
> methodology in our report template and read that the reason why nmap
> is being used before nessus is because it lessens the amount of work
> done by nessus in doing port scanning. Only open ports will be fed to
> nessus for vulnerability assessment. However when doing security
> assessment, I noticed that most of pentesters rely heavily on nessus
> and just completely forget about nmap since nessus can also do port
> scanning and os fingerprinting as well.
Personally, when doing a (noisy) pen-test, I use both, often concurrently. I like the automated feel of nessus that'll give me a quick summary, but I also like the hands-on feeling that I can only get from nmap -sV (among other options).

> 3. Is there any way I can specify a file which contains a list of
> ports that I want to exclude from my scan? I've read the nmap manual
> and learned that by default it scans for up to 1024 + all those higher
> numbered ports listed in nmap-services. After running a scan, I wanted
> to scan all the ports up to 65535 but I don't want to include all
> those ports that have already been scanned by nmap.
Hmm, interesting question. I know you can exclude hosts, but I don't think there's an option to exclude ports!

Although the time it takes to run the ~1400 "interesting" ports should be pretty minimal compared to the other ~63000.

> 4. Do you also use host discovery that heavily, using all combinations
> of techniques, or do you just not do host discovery at all (-PN)?
> I notice that most of my colleagues ignore host discovery totally,
> while I prefer doing it extensively (all techniques), so that I can
> decrease the port scan time yet with a reliable result (not missing a
> host protected by a firewall).
Hard to say, there. I like being on a subnet and doing the arp sweep, since that one is almost guaranteed to find everything. But remotely, I think it's best to strike a balance -- if you're going to skip discovery, limit the initial scan to a dozen common ports. Otherwise, with firewalls, you might be waiting a very long time.

> 5. Sometimes I encounter an error saying "Negative Time Delta...
> QUITTING" and tried searching Google but couldn't find anything
> useful. Any idea what's the cause of it? After getting that error I
> just simply run the scan again and it would start working fine again.
I believe I read somewhere that that's a bug on certain operating systems, and that it's fixed now (not sure if it's made it into a released version or if it's still in the repository).

> 6. Anyone experiencing this error "nselib not a directory" when
> running the script scan?
Not me!

> That's all for now..
> thanks for your replies.
>
> -mark
Hope that helped. I recommend the nmap-hackers list.
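For question 3 above, an added example that is not part of Ron's or Mark's posts: since the thread says there is no option to exclude ports, this script derives the complement list itself and emits it in nmap -p syntax. It assumes the default port set as the thread describes it (1-1024 plus every port listed for the protocol in nmap-services) and uses a constructed excerpt of that file; for real use, read the actual nmap-services file from your Nmap data directory instead.

```python
import re

# Constructed excerpt in nmap-services format ("<name> <port>/<proto> <frequency>").
SAMPLE_NMAP_SERVICES = """\
# service     port/proto  open-frequency
ftp-data      20/tcp      0.001079
ftp           21/tcp      0.197
ssh           22/tcp      0.182
domain        53/udp      0.213496
unknown       1025/udp    0.000100
ms-sql-s      1433/tcp    0.007929
ms-sql-m      1434/udp    0.293
mysql         3306/tcp    0.045390
ms-wbt-server 3389/tcp    0.083904
http-proxy    8080/tcp    0.042052
"""

def parse_nmap_services(text, proto):
    """Return the set of port numbers listed for proto ('tcp' or 'udp')."""
    ports = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue
        m = re.fullmatch(r"(\d+)/(tcp|udp|sctp)", fields[1])
        if m and m.group(2) == proto:
            ports.add(int(m.group(1)))
    return ports

def to_port_spec(ports):
    """Compress port numbers into nmap -p syntax, e.g. '1025-1432,1435'."""
    ranges, start, prev = [], None, None
    for p in sorted(ports):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p                      # extend the current run
        else:
            ranges.append((start, prev))  # close the run, open a new one
            start = prev = p
    if start is not None:
        ranges.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)

def remaining_ports_spec(services_text, proto, default_high=1024, max_port=65535):
    """Ports 1..max_port minus the default set: 1..default_high plus nmap-services."""
    scanned = set(range(1, default_high + 1)) | parse_nmap_services(services_text, proto)
    return to_port_spec(p for p in range(1, max_port + 1) if p not in scanned)

if __name__ == "__main__":
    print("nmap -sS -p", remaining_ports_spec(SAMPLE_NMAP_SERVICES, "tcp"), "<target>")
```

Newer Nmap releases also provide --exclude-ports, which covers this case directly without building the list by hand.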

