Security Basics mailing list archives
Re: Nmap questions for the experts
From: Ron <ron () skullsecurity net>
Date: Wed, 30 Jul 2008 09:41:42 -0500
Hi Mark, mark mark wrote: > Hi, > > I have some questions regarding nmap. I'm not sure if this is the > proper list, i just searched google and found some people asking > nmap-related questions here. Anyway, here are my questions:nmap has its own mailing lists (nmap-dev, nmap-hackers), you can find those on insecure.org.
> 1. Is there any way I can specify two different source port for nmap's > -g when doing a TCP and UDP scan at the same time? Usually, I specify > -g 53. However, I think it would be more effective if I will use port > 20 (ftp) as my TCP source port, and just use port 50(DNS) as my UDP > source port. I tried specifying both but only the latter port was used > by nmap.I'm pretty sure there's no way, perhaps you can run it as two seperate scans? I generally run TCP and UDP scans seperate, they're different enough that I use different options (especially timing). I also like to have the opportunity to have a snack and get a good night sleep while -sU is running. :)
> 2. Do you really use nmap before running nessus? I just read the > methodology in our report template and read that the reason why nmap > is being used before nessus is because it lessens the amount of work > done by nessus in doing port scanning. Only open ports will be fed to > nessus for vulnerability assessment. However when doing security > assessment, I noticed that most of pentesters rely heavily on nessus > and just completely forget about nmap since nessus can also do port > scanning and os fingerprinting as well.Personally, when doing a (noisy) pen-test, I use both, often concurrently. I like the automated feel of nesses that'll give me a quick summary, but I also like the hands-on feeling that I can only get from nmap -sV (and among other options).
> 3. Is there any way I can specify a file which contains a list of > ports that I want to exclude from my scan? I've read the nmap manual > and learned that by default it scans for upto 1024 + all those higher > numbered ports listed in nmap-services. After running a scan, I wanted > to scan all the ports up to 65535 but I don't want to include all > those ports that have already been scanned by nmap.Hmm, interesting question. I know you can exclude hosts, but I don't think there's an option to exclude ports!
Although the time it takes to run the ~1400 "interesting" ports should be pretty minimal compared to the other ~63000.
> 4. Do you also use host discovery that heavily using all combinations > of techniques or you just don't do host discovery at all (-PN)? > I notice that most of my collegues ignore host discovery totally, > while I prefer doing it extensively (all techniques), so that I can > decrease the port scan time yet with a reliable result (not missing a > host protected by firewall).Hard to say, there. I like being on a subnet and doing the arp sweep, since that one is almost guaranteed to find everything. But remotely, I think it's best to strike a balance -- if you're going to skip discovery, limit the initial scan do a dozen common ports. Otherwise, with firewalls, you might be waiting a very long time.
> 5. Sometimes I encounter error saying "Negative Time Delta... > QUITTING" and tried searching google but couldn't find anything > useful. Any idea what's the cause of it? After getting that error i > just simply run the scan again and it would start working fine again.I believe I read somewhere that that's a bug on certain operating systems, and that it's fixed now (not sure if it's made it into a released version or if it's still in the repository).
> 6. Anyone experiencing this error "nselib not a directory" when > running the script scan? Not me! > That's all for now.. > thanks for your replies. > > -mark Hope that helped. I recommend the nmap-hackers list.
Current thread:
- Nmap questions for the experts mark mark (Jul 23)
- Re: Nmap questions for the experts Javier Reyna Padilla (Jul 24)
- Re: Nmap questions for the experts Ray Winata (Jul 25)
- Re: Nmap questions for the experts Ron (Jul 31)
- Re: Nmap questions for the experts Javier Reyna Padilla (Jul 24)