Nmap Development mailing list archives

Re: question about randomize-hosts and -PS


From: Fyodor <fyodor () insecure org>
Date: Thu, 21 Sep 2006 18:01:30 -0700

On Thu, Sep 21, 2006 at 04:57:22PM -0400, Douglas F. Calvert wrote:
Hello,
  I am using randomize-hosts and -PS80,443,3389 and I noticed that
nmap will randomize the order of the hosts but it does not randomize
the ports and hosts. For example nmap does something like:

scanner:12345 -> host1:80
scanner:12345 -> host1:443
scanner:12345 -> host1:3389
scanner:12344 -> host2:80
scanner:12344 -> host2:443
scanner:12344 -> host2:3389

Nmap does randomize the port order -- you just got lucky that the
three ended up as 80, 443, then 3389.  Try again with --packet-trace
and you may get a different order.  But it is true that the (shuffled)
order is the same for each target during a single Nmap scan.  I
haven't seen many cases where using a different port order for each
machine matters much.

As for the hosts, Nmap doesn't complete one host and then move to the
next one.  But it does deal in groups of ports sometimes.  In this
case there were only 3 ports scanned per host, so Nmap basically shot
them all off at once and the hosts appeared to be handled
sequentially.  But try doing a 30+ port scan against maybe a dozen
hosts and I think it will look much more random.  Also, be sure you
are using Nmap 4.11 or one of the 4.20ALPHA releases.

I also noticed that nmap appears to use the same tcp.src port and/or
very similar src.port for the host discovery process. Is there a
reason for this? Am I missing an obvious switch to change this
behavior?

You can of course set the port number with -g.  But it is more
efficient for Nmap to use a small set of port numbers for each run,
since that makes it easier to determine whether returned packets are
related to the Nmap run.  A somewhat random set of source port numbers
is generated for each Nmap run though.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
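An added example, not part of the thread or of Nmap itself, for checking the two points Fyodor makes against your own --packet-trace output: that the (shuffled) probe-port order is the same for every target, and that a run draws its source ports from a small set. The trace lines below are constructed in the shape of Nmap's SENT/RCVD lines for a -PS80,443,3389 run, not real output.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of --packet-trace lines (not real Nmap output):
# two targets probed on 443, 80, 3389 in that shuffled order, one SYN/ACK back.
TRACE = """\
SENT (0.0210s) TCP 10.0.0.9:62041 > 192.0.2.17:443 S ttl=52 id=1 iplen=44 seq=1 win=1024 <mss 1460>
SENT (0.0211s) TCP 10.0.0.9:62041 > 192.0.2.17:80 S ttl=52 id=2 iplen=44 seq=1 win=1024 <mss 1460>
SENT (0.0212s) TCP 10.0.0.9:62041 > 192.0.2.17:3389 S ttl=52 id=3 iplen=44 seq=1 win=1024 <mss 1460>
SENT (0.0213s) TCP 10.0.0.9:62040 > 192.0.2.5:443 S ttl=52 id=4 iplen=44 seq=1 win=1024 <mss 1460>
SENT (0.0214s) TCP 10.0.0.9:62040 > 192.0.2.5:80 S ttl=52 id=5 iplen=44 seq=1 win=1024 <mss 1460>
SENT (0.0215s) TCP 10.0.0.9:62040 > 192.0.2.5:3389 S ttl=52 id=6 iplen=44 seq=1 win=1024 <mss 1460>
RCVD (0.0250s) TCP 192.0.2.5:443 > 10.0.0.9:62040 SA ttl=63 id=0 iplen=44 seq=9 win=64240 <mss 1460>
"""

# Only outbound TCP SYN probes: "SENT (<t>s) TCP <src>:<sport> > <dst>:<dport> S ..."
SENT_RE = re.compile(r"^SENT \([\d.]+s\) TCP (\S+):(\d+) > (\S+):(\d+) S\b")


def parse_probes(trace):
    """Return ({target: [dst ports in send order]}, {source ports used})."""
    order = defaultdict(list)
    src_ports = set()
    for line in trace.splitlines():
        m = SENT_RE.match(line)
        if not m:
            continue  # RCVD lines and non-SYN probes are not what we sent
        _src, sport, dst, dport = m.groups()
        order[dst].append(int(dport))
        src_ports.add(int(sport))
    return dict(order), src_ports


def same_port_order(order):
    """True if every target received the probe ports in the identical sequence."""
    seqs = list(order.values())
    return all(s == seqs[0] for s in seqs[1:])


if __name__ == "__main__":
    order, src_ports = parse_probes(TRACE)
    print("per-target port order:", order)
    print("identical order on every target:", same_port_order(order))
    print("source ports used this run:", sorted(src_ports))
```

Feed it a real trace with `nmap ... --packet-trace | python3 this.py` (after swapping `TRACE` for `sys.stdin.read()`) to see how many source ports a run actually uses.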