Nmap Development mailing list archives
Nmap's default ports
From: doug () hcsw org
Date: Sun, 30 Jul 2006 04:14:37 -0700
Hi nmap-dev,

One potential Summer of Code project that Fyodor has asked me to work on is to discover the popularity of different internet services and to add an Nmap option, say, --top-ports which will cause Nmap to scan the N most common ports. Fyodor has told me that he feels that the popularity of different services should be used as guidelines for Nmap's current default scanning behaviour and the -F scanning behaviour. For example, Nmap could by default scan --top-ports 1000 and -F could scan --top-ports 200 (could also differ between TCP and UDP). The idea is to figure out which ports are the most common so that they are tried more frequently in scans and less common ones tried correspondingly less frequently.

I've drafted a sort of basic proposal and I would appreciate comments from the Nmap user community. Also, in the future we may ask you, the Nmap user community, to execute some custom scans on your personal/corporate/academic/etc networks in order to help us determine the popularity of different ports. These custom scans would, of course, strip all identifying information from the results and we would set up a way for you to contribute anonymously (if you want). Thoughts and experiences on this are also most welcome.

As most of you are probably aware, the current Nmap default scanning behaviour is to scan all ports from 1-1024 and all higher ports listed in the nmap-services file. When -F is specified, Nmap simply scans all ports listed in this file. The perceived problems with this are:

o -F (fast scan) really isn't that much faster than a normal default scan (with 4.20, TCP: 1239 vs 1680, UDP 1016 vs 1487). The default scan perhaps (?) scans too many ports as well. There are probably services listed in the nmap-services file that are so uncommon that they definitely shouldn't be scanned for by default.

o By some registration fluke, both TCP and UDP ports are registered for many protocols even if the service only ever uses one protocol. HTTP and many others that exclusively use TCP have listed UDP ports and protocols like NTP that only use UDP have listed TCP ports. This probably means that, often, many ports are being needlessly scanned.

o Granularly choosing a port range for Nmap is perhaps currently too limited: It's either the default, -F, a custom -p list, or a modified nmap-services file. Consider an organisation-wide scan that simply takes too long. One choice, trading off completeness for speed, is currently more difficult than it needs to be.

Of course, there are a number of complications:

o How do we know which services are the most common? Are services consistent across countries? Regions? ISPs? Organisations? Will the currently most-popular ports be the most popular forevermore? Probably not. Any decision made on the "commonness" of different services will have to be arbitrary.

o People are used to Nmap's current behaviour. Changing this will probably confuse and irritate many users. Worse yet, people unaware of the change might unknowingly miss certain important services.

o This change will break the common practice of customising the nmap-services file as an easy way to specify which ports to scan (though a new method of customisation will probably be created).

Here is what we are thinking: Let's enhance the current nmap-services file or create some sort of new nmap-frequencies file that represents how common different ports are. The current format of the nmap-services file is as follows:

...
domain 53/tcp # Domain Name Server
domain 53/udp # Domain Name Server
http 80/tcp # World Wide Web HTTP
http 80/udp # World Wide Web HTTP
...

We currently are considering a number of possible methods of adding the frequency information to Nmap's database.

1) An addition to the nmap-services file that includes frequency information. Perhaps like so:

...
domain 53/tcp 602 # Domain Name Server
domain 53/udp 21933 # Domain Name Server
http 80/tcp 87621 # World Wide Web HTTP
http 80/tcp 0 # World Wide Web HTTP
...

Nmap would scan the N ports with the highest numbers in the frequency column. Nmap could be made backwards compatible so that it could still use /etc/services and older nmap-services that don't contain the frequency column. This has the advantage that people could still customise their nmap-services file with relative ease.

2) We leave nmap-services alone (or possibly eliminate it) in favour of another file, nmap-frequencies. This file could be an ordered list of port frequencies. Perhaps like so:

# TCP:
http 80/tcp # World Wide Web HTTP
ssh 22/tcp # Secure Shell Login
ftp 21/tcp # File Transfer [Control]
...
# UDP:
domain 53/udp # Domain Name Server
ntp 123/udp # Network Time Protocol
...

Customisation of this file is even easier - though slightly different from the previous method. The disadvantage is that we don't get a relative sense of frequency between 2 different ports (we could, though this would introduce a maybe difficult to maintain redundancy).

As this is a significant change to Nmap, I hope this is well thought out by everyone who cares and is well discussed so as to (hopefully) avoid any future problems.

Doug
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
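The following is an added example, not code from the message or from Nmap itself, showing how a reader of option 1 could parse the proposed frequency-column layout of nmap-services and pick the N most common ports per protocol, while still accepting legacy lines that lack the column. The sample file content is constructed for illustration, and treating a missing frequency as 0 (so every legacy entry remains a candidate, as with today's -F) is an assumption of this example, not something the proposal fixes.

```python
import re

# Constructed sample in the frequency-column layout proposed in the message.
# The last entry has no frequency column, to exercise backward compatibility.
SAMPLE_SERVICES = """\
# service  port/proto  frequency  # comment
domain     53/tcp      602        # Domain Name Server
domain     53/udp      21933      # Domain Name Server
http       80/tcp      87621      # World Wide Web HTTP
http       80/udp      0          # World Wide Web HTTP
ssh        22/tcp      45000      # Secure Shell Login
ftp        21/tcp      40000      # File Transfer [Control]
ntp        123/udp     30000      # Network Time Protocol
finger     79/tcp                 # legacy line, no frequency column
"""

# name, port/proto, then an optional integer frequency column.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)(?:\s+(\d+))?$")


def parse_services(text):
    """Yield (name, port, proto, freq); freq is None when the column is absent."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable nmap-services line: {raw!r}")
        name, port, proto, freq = m.groups()
        yield name, int(port), proto, (int(freq) if freq is not None else None)


def has_frequency_column(text):
    """True if at least one entry carries the new frequency column."""
    return any(f is not None for _, _, _, f in parse_services(text))


def top_ports(text, n, proto):
    """Return the n ports of `proto` with the highest frequency (the
    --top-ports idea). Legacy entries count as frequency 0 (assumption)."""
    entries = [(port, freq if freq is not None else 0)
               for _, port, pr, freq in parse_services(text) if pr == proto]
    # Highest frequency first; ties broken by port number for a stable order.
    entries.sort(key=lambda e: (-e[1], e[0]))
    return [port for port, _ in entries[:n]]


if __name__ == "__main__":
    print("top 3 tcp:", top_ports(SAMPLE_SERVICES, 3, "tcp"))
    print("top 2 udp:", top_ports(SAMPLE_SERVICES, 2, "udp"))
```

Because `top_ports` never drops legacy entries, feeding it an old-style file with N larger than the entry count degrades to "scan every listed port", which is the current -F behaviour.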