Nmap Development mailing list archives
Re: question about randomize-hosts and -PS
From: Fyodor <fyodor () insecure org>
Date: Thu, 21 Sep 2006 18:01:30 -0700
On Thu, Sep 21, 2006 at 04:57:22PM -0400, Douglas F. Calvert wrote:
> Hello, I am using randomize-hosts and -PS80,443,3389 and I noticed that nmap will randomize the order of the hosts but it does not randomize the ports and hosts. For example nmap does something like:
>
> scanner:12345 -> host1:80
> scanner:12345 -> host1:443
> scanner:12345 -> host1:3389
> scanner:12344 -> host2:80
> scanner:12344 -> host2:443
> scanner:12344 -> host2:3389
Nmap does randomize the port order -- you just got lucky that the three ended up as 80, 443, then 3389. Try again with --packet-trace and you may get a different order. But it is true that the (shuffled) order is the same for each target during a single Nmap scan. I haven't seen many cases where using a different port order for each machine matters much.

As for the hosts, Nmap doesn't complete one host and then move to the next one. But it does deal in groups of ports sometimes. In this case there were only 3 ports scanned per host, so Nmap basically shot them all off at once and the hosts appeared to be handled sequentially. But try doing a 30+ port scan against maybe a dozen hosts and I think it will look much more random. Also, be sure you are using Nmap 4.11 or one of the 4.20ALPHA releases.
> I also noticed that nmap appears to use the same tcp.src port and/or very similar src.port for the host discovery process. Is there a reason for this? Am I missing an obvious switch to change this behavior?
You can of course set the port number with -g. But it is more efficient for Nmap to use a small set of port numbers for each run, since that makes it easier to determine whether returned packets are related to the Nmap run. A somewhat random set of source port numbers is generated for each Nmap run though.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
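The behaviour discussed above (one source port reused across many targets, each target probed with the same small port set) is also what a defender sees on the wire, so it is a useful thing to look for in connection logs. The script below is an added example, not code from the thread or from the Nmap project: it parses constructed log lines in a simple `ts src:sport -> dst:dport flags` format (a format assumed for this example) and reports any source address/port pair whose SYNs reach several destination hosts, noting whether every host was hit with the same port set.

```python
"""Flag SYN probes that reuse one source port across many destination hosts.

Added example (not from the mailing-list thread or from Nmap).  The log format
and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample: one sender sweeps three hosts on 80/443/3389 from a single
# source port; a second sender is an ordinary client using fresh ephemeral ports.
SAMPLE_LOG = """\
12:00:01 10.0.0.5:12345 -> 192.168.1.10:80 S
12:00:01 10.0.0.5:12345 -> 192.168.1.10:443 S
12:00:01 10.0.0.5:12345 -> 192.168.1.10:3389 S
12:00:01 10.0.0.5:12345 -> 192.168.1.11:443 S
12:00:01 10.0.0.5:12345 -> 192.168.1.11:80 S
12:00:01 10.0.0.5:12345 -> 192.168.1.11:3389 S
12:00:02 10.0.0.5:12345 -> 192.168.1.12:3389 S
12:00:02 10.0.0.5:12345 -> 192.168.1.12:80 S
12:00:02 10.0.0.5:12345 -> 192.168.1.12:443 S
12:00:05 10.0.0.7:51002 -> 192.168.1.10:443 S
12:00:09 10.0.0.7:51003 -> 192.168.1.10:443 S
12:00:15 10.0.0.7:51004 -> 192.168.1.20:80 S
"""

# Assumed log layout: "<ts> <src>:<sport> -> <dst>:<dport> <tcp flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def find_sweeps(log_text, min_hosts=3):
    """Group SYNs by (src, sport); report pairs that reach at least min_hosts hosts.

    A normal client burns a new ephemeral port per connection, so one (src, sport)
    pair rarely touches more than one destination host.  A scanner that keeps a
    small fixed source-port set per run looks very different.
    """
    probes = defaultdict(lambda: defaultdict(set))  # (src, sport) -> dst -> {dport}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "S" not in rec[4]:
            continue  # skip unparseable lines and non-SYN traffic
        src, sport, dst, dport, _ = rec
        probes[(src, sport)][dst].add(dport)

    findings = []
    for (src, sport), per_host in probes.items():
        if len(per_host) < min_hosts:
            continue
        port_sets = {frozenset(ports) for ports in per_host.values()}
        findings.append({
            "src": src,
            "sport": sport,
            "hosts": sorted(per_host),
            "ports": sorted(set().union(*per_host.values())),
            # True when every host was probed with exactly the same port set,
            # the "same shuffled order for each target" behaviour described above.
            "uniform_port_set": len(port_sets) == 1,
        })
    return findings


if __name__ == "__main__":
    for hit in find_sweeps(SAMPLE_LOG):
        print(f"{hit['src']}:{hit['sport']} probed {len(hit['hosts'])} hosts "
              f"on ports {hit['ports']} (uniform port set: {hit['uniform_port_set']})")
```

On the constructed sample this reports only 10.0.0.5:12345, which reached three hosts on 80, 443 and 3389 with an identical port set per host; 10.0.0.7 never reuses a source port across hosts and is not reported. Raising `min_hosts` is the knob for tuning noise on a real log, and since `-g` lets a scan pick an arbitrary fixed source port, the check keys on port reuse across hosts rather than on any particular port value.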