Nmap Development mailing list archives

Nmap's default ports


From: doug () hcsw org
Date: Sun, 30 Jul 2006 04:14:37 -0700

Hi nmap-dev,

One potential Summer of Code project that Fyodor has asked me to
work on is to discover the popularity of different internet
services and to add an Nmap option, say, --top-ports which will
cause Nmap to scan the N most common ports.

Fyodor has told me that he feels that the popularity of different
services should be used as guidelines for Nmap's current default
scanning behaviour and the -F scanning behaviour. For example,
Nmap could by default scan --top-ports 1000 and -F could scan
--top-ports 200 (could also differ between TCP and UDP).

The idea is to figure out which ports are the most common so that
they are tried more frequently in scans and less common ones tried
correspondingly less frequently. I've drafted a sort of basic proposal
and I would appreciate comments from the Nmap user community.

Also, in the future we may ask you, the Nmap user community, to execute
some custom scans on your personal/corporate/academic/etc networks
in order to help us determine the popularity of different ports.
These custom scans would, of course, strip all identifying information
from the results and we would set up a way for you to contribute
anonymously (if you want). Thoughts and experiences on this are also
most welcome.

As most of you are probably aware, the current Nmap default scanning
behaviour is to scan all ports from 1-1024 and all higher ports listed
in the nmap-services file. When -F is specified, Nmap simply scans all
ports listed in this file. The perceived problems with this are:

o -F (fast scan) really isn't that much faster than a normal default
  scan (with 4.20, TCP: 1239 vs 1680, UDP 1016 vs 1487). The default scan
  perhaps (?) scans too many ports as well. There are probably services listed
  in the nmap-services file that are so uncommon that they definitely
  shouldn't be scanned for by default.

o By some registration fluke, both TCP and UDP ports are registered for
  many protocols even if the service only ever uses one protocol.
  HTTP and many others that exclusively use TCP have listed UDP ports and
  protocols like NTP that only use UDP have listed TCP ports.
  This probably means that, often, many ports are being needlessly scanned.

o Granularly choosing a port range for Nmap is perhaps currently too limited:
  It's either the default, -F, a custom -p list, or a modified nmap-services file.
  Consider an organisation-wide scan that simply takes too long. One choice,
  trading off completeness for speed, is currently more difficult than it
  needs to be.

Of course, there are a number of complications:

o How do we know which services are the most common? Are services consistent
  across countries? Regions? ISPs? Organisations? Will the currently most-popular
  ports be the most popular forevermore? Probably not. Any decision made on the
  "commonness" of different services will have to be arbitrary.

o People are used to Nmap's current behaviour. Changing this will probably
  confuse and irritate many users. Worse yet, people unaware of the change
  might unknowingly miss certain important services.

o This change will break the common practice of customising the nmap-services
  file as an easy way to specify which ports to scan (though a new method of
  customisation will probably be created).


Here is what we are thinking:

Let's enhance the current nmap-services file or create some sort of new
nmap-frequencies file that represents how common different ports are.


The current format of the nmap-services file is as follows:

...
domain            53/tcp     # Domain Name Server
domain            53/udp     # Domain Name Server
http              80/tcp     # World Wide Web HTTP
http              80/udp     # World Wide Web HTTP
...

We currently are considering a number of possible methods of adding the
frequency information to Nmap's database.

1)

An addition to the nmap-services file that includes frequency information.
Perhaps like so:

...
domain            53/tcp    602     # Domain Name Server
domain            53/udp    21933   # Domain Name Server
http              80/tcp    87621   # World Wide Web HTTP
http              80/udp    0       # World Wide Web HTTP
...

Nmap would scan the N ports with the highest numbers in the frequency
column. Nmap could be made backwards compatible so that it could still
use /etc/services and older nmap-services that don't contain the frequency
column. This has the advantage that people could still customise their 
nmap-services file with relative ease.


2)

We leave nmap-services alone (or possibly eliminate it) in favour of another
file, nmap-frequencies. This file could be an ordered list of port frequencies.
Perhaps like so:

# TCP:
http              80/tcp     # World Wide Web HTTP
ssh               22/tcp     # Secure Shell Login
ftp               21/tcp     # File Transfer [Control]
...
# UDP:
domain            53/udp     # Domain Name Server
ntp               123/udp    # Network Time Protocol
...

Customisation of this file is even easier - though slightly different from
the previous method. The disadvantage is that we don't get a relative sense
of frequency between 2 different ports (we could, though this would introduce
a maybe difficult to maintain redundancy).
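As an added illustration of both proposals above (this is example code written for this post, not Nmap's own parser): a small Python reader that accepts the option 1 format (nmap-services plus a frequency column), the legacy format without that column (/etc/services or an older nmap-services), and the option 2 ordered nmap-frequencies list, then picks the N most common ports per protocol and renders them in nmap's existing -p syntax. The three sample files and every frequency value in them are constructed for the example and are not real measurements; the ranking rule (highest frequency first, file order when no frequencies are present) is my reading of the proposal, not a decision the project has made.

```python
import re
from collections import defaultdict

# Constructed sample in the option 1 format: nmap-services plus a frequency
# column. The numbers are illustrative only, not measured data.
SERVICES_WITH_FREQ = """\
# service         port/proto  frequency   # comment
domain            53/tcp    602     # Domain Name Server
domain            53/udp    21933   # Domain Name Server
http              80/tcp    87621   # World Wide Web HTTP
http              80/udp    0       # World Wide Web HTTP
ssh               22/tcp    45000   # Secure Shell Login
ntp               123/udp   15000   # Network Time Protocol
ntp               123/tcp   3       # Network Time Protocol
"""

# Constructed legacy sample: no frequency column, as /etc/services and older
# nmap-services files look. Order is the file's own order.
SERVICES_LEGACY = """\
domain            53/tcp     # Domain Name Server
domain            53/udp     # Domain Name Server
http              80/tcp     # World Wide Web HTTP
ssh               22/tcp     # Secure Shell Login
"""

# Constructed option 2 sample: an ordered nmap-frequencies list where rank is
# implied by position (most common first) and no counts are stored.
FREQ_ORDERED = """\
# TCP:
http              80/tcp     # World Wide Web HTTP
ssh               22/tcp     # Secure Shell Login
ftp               21/tcp     # File Transfer [Control]
# UDP:
domain            53/udp     # Domain Name Server
ntp               123/udp    # Network Time Protocol
"""

# name, port/proto, optional frequency. Everything after '#' is stripped first.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)(?:\s+(\d+))?$")


def parse_services(text):
    """Return {proto: [(port, name, freq), ...]} in file order.

    freq is None when the line carries no frequency column, which is how the
    legacy and option 2 formats are recognised. Malformed lines are skipped.
    """
    entries = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, port, proto, freq = m.groups()
        entries[proto].append((int(port), name, int(freq) if freq else None))
    return entries


def top_ports(entries, proto, n):
    """Select the N most common ports for one protocol.

    With frequencies present: highest frequency first, ties broken by the
    lower port number. Without any frequencies (legacy / ordered file): keep
    file order, so an ordered nmap-frequencies list ranks by position and an
    old nmap-services file behaves like today's -F.
    """
    rows = entries.get(proto, [])
    if any(freq is not None for _, _, freq in rows):
        rows = sorted(rows, key=lambda r: (-(r[2] or 0), r[0]))
    return [port for port, _, _ in rows[:n]]


def port_spec(entries, n):
    """Render the top-N selection for TCP and UDP in nmap's -p syntax
    (e.g. 'T:80,22,U:53,123') so it can be handed to an existing nmap."""
    parts = []
    for proto, prefix in (("tcp", "T:"), ("udp", "U:")):
        ports = top_ports(entries, proto, n)
        if ports:
            parts.append(prefix + ",".join(str(p) for p in ports))
    return ",".join(parts)


if __name__ == "__main__":
    for label, text in (("option 1", SERVICES_WITH_FREQ),
                        ("legacy", SERVICES_LEGACY),
                        ("option 2", FREQ_ORDERED)):
        print(f"{label:9s} top 2 -> -p {port_spec(parse_services(text), 2)}")
```

Note that in the option 1 sample the zero-frequency 80/udp entry is still selected once N is large enough to reach it; if the project wants such never-seen registrations excluded outright, that is a separate policy decision rather than something the frequency column expresses by itself.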


As this is a significant change to Nmap, I hope this is well thought out by
everyone who cares and is well discussed so as to (hopefully) avoid any
future problems.

Doug


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev