Nmap Development mailing list archives
Re: Feature Request: --top-ports option for -PS when performing host discovery
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 20 Feb 2008 01:05:14 +0000
Not yet. This is something Doug has wanted for a long time. The list of "top" 50 ports is open for quite a bit of debate and varies quite a bit from institution to institution.

The way I accomplish this sort of host discovery is to run two scans:

nmap -P0 -T5 -p 7,9,13,17,21,22,.... -oG discov <targets>

Then, I grep for 'open' in the log:

egrep 'Host.*open' discov.gnmap | awk '{print $2}' | sort | uniq > list.txt

Then I use the list as input into another Nmap scan:

nmap -iL list.txt ...

Now that Nmap has gotten the mass-ping-migration this can be combined into one long list on -PS where before it was limited to just a few ports.

You'll probably do well to come up with your own list of top 50 ports for whatever network you are scanning. Of course, 21,22,135,139,80,443,445,1025,3389,5000,... are always going to be a part of the list, but at UCSD for example, 8192-8194 are very popular here.

Here is one quick-n-dirty way to get port counts:

$ egrep -o '[[:digit:]]+\/open\/tcp' openx11.gnmap | sort | uniq -c | sort -nr
    443 6000/open/tcp
    104 6001/open/tcp
     92 6002/open/tcp
     56 6004/open/tcp
     10 6005/open/tcp
      9 6003/open/tcp
      7 6006/open/tcp
      4 6007/open/tcp
      2 6009/open/tcp
      2 6008/open/tcp

You can tweak the regex to handle other formats (including XML and Normal) if needed.

If you do end up getting a decent top port list, I'm sure there are others on the list who would be interested.
Here is our top 50 list:

$ egrep -o '[[:digit:]]+\/open\/tcp' ../all.gnmap | sort | uniq -c | sort -nr | head -n 50
   5349 139/open/tcp
   5160 445/open/tcp
   4882 22/open/tcp
   3164 3389/open/tcp
   2937 80/open/tcp
   2466 135/open/tcp
   2119 2701/open/tcp
   2114 2702/open/tcp
   1771 23/open/tcp
   1405 443/open/tcp
   1252 5900/open/tcp
   1133 8193/open/tcp
   1132 8192/open/tcp
   1130 8194/open/tcp
   1083 548/open/tcp
    983 497/open/tcp
    963 111/open/tcp
    924 21/open/tcp
    797 25/open/tcp
    739 515/open/tcp
    671 427/open/tcp
    510 631/open/tcp
    486 1025/open/tcp
    434 2049/open/tcp
    391 9100/open/tcp
    377 1761/open/tcp
    356 10000/open/tcp
    311 6000/open/tcp
    296 3306/open/tcp
    257 3689/open/tcp
    248 79/open/tcp
    231 88/open/tcp
    218 280/open/tcp
    212 8080/open/tcp
    205 2967/open/tcp
    202 8000/open/tcp
    199 514/open/tcp
    184 49156/open/tcp
    184 32768/open/tcp
    182 143/open/tcp
    177 993/open/tcp
    175 389/open/tcp
    172 49155/open/tcp
    171 49154/open/tcp
    171 49153/open/tcp
    171 49152/open/tcp
    170 110/open/tcp
    170 1053/open/tcp
    167 20828/open/tcp
    162 625/open/tcp

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACT/Network Security
bmenrigh () ucsd edu

On Tue, 19 Feb 2008 16:43:02 -0600 Nelson <komseh () gmail com> wrote:
> I would like to be able to tell nmap to do host discovery with -PS and
> send the TCP SYN pings to the top X most common ports. Something similar
> to:
>
> nmap -sP -PS --top50 xxx.xx.xxx.0/24
>
> Does anyone else think this is useful, or is there a current way to do
> this?
>
> Thanks
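As an added example (not from the message above or from the Nmap project): a small Python parser for grepable (-oG) output that does what the egrep/awk pipelines in the reply do. It walks each host's "Ports:" field instead of regex-matching the whole line, lists the hosts with at least one open TCP port for a follow-up -iL scan, and counts open ports per host to build a top-N list for -PS. The gnmap text is a constructed sample, not real scan data.

```python
from collections import Counter

# Constructed sample of Nmap grepable (-oG) output in the layout the
# message's egrep/awk pipelines read; not real scan data.
SAMPLE_GNMAP = (
    "# Nmap 4.53 scan initiated as: nmap -P0 -p 22,80,139,445,8192 -oG discov 10.0.0.0/29\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/closed/tcp//netbios-ssn///\n"
    "Host: 10.0.0.2 ()\tStatus: Up\n"
    "Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n"
    "Host: 10.0.0.3 ()\tStatus: Up\n"
    "Host: 10.0.0.3 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///\n"
    "Host: 10.0.0.4 ()\tPorts: 80/open/tcp//http///, 8192/open/tcp//sophos///\tIgnored State: closed (3)\n"
    "# Nmap done -- 8 IP addresses (4 hosts up) scanned in 1.23 seconds\n"
)

def parse_open_tcp(gnmap_text):
    """Map each host to the set of TCP ports its Ports: field reports as open."""
    open_by_host = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host: "):
            continue                      # skip the "# Nmap ..." banner lines
        fields = line.split("\t")         # gnmap separates fields with tabs
        host = fields[0].split()[1]       # same token awk '{print $2}' picks
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue                      # a "Status: Up" line carries no ports
        for entry in ports_field[len("Ports: "):].split(", "):
            # entry layout: port/state/proto/owner/service/rpc/version/
            port, state, proto = entry.split("/")[:3]
            if state == "open" and proto == "tcp":
                open_by_host.setdefault(host, set()).add(int(port))
    return open_by_host

def hosts_with_open_ports(gnmap_text):
    """Equivalent of the egrep/awk/sort/uniq step that builds list.txt."""
    return sorted(parse_open_tcp(gnmap_text))

def top_ports(gnmap_text, n):
    """Top-n open TCP ports by host count, like 'uniq -c | sort -nr | head'."""
    counts = Counter(p for ports in parse_open_tcp(gnmap_text).values() for p in ports)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def ps_argument(gnmap_text, n):
    """Turn the top-n list into a -PS port list for a later discovery scan."""
    return "-PS" + ",".join(str(p) for p, _ in top_ports(gnmap_text, n))

if __name__ == "__main__":
    for port, count in top_ports(SAMPLE_GNMAP, 5):
        print(f"{count:>5} {port}/open/tcp")
    print(ps_argument(SAMPLE_GNMAP, 5))
```

Hosts whose ports are all closed or filtered (10.0.0.3 in the sample) drop out of the list, which is what the 'Host.*open' grep achieves on real output.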