Nmap Development mailing list archives

Re: Feature Request: --top-ports option for -PS when performing host discovery


From: doug () hcsw org
Date: Tue, 19 Feb 2008 17:44:51 -0800

Hi Nelson,

Nelson <komseh () gmail com> wrote:
I would like to be able to tell nmap to do host discovery with -PS
and send the TCP Syn Pings to the top X most common ports.

Interesting, I hadn't thought about using top ports data to choose
the ports used with host discovery. Like Brandon says, the most
straightforward way would be just to use a regular SYN scan and -P0,
supplying your top ports data with the -p switch (host discovery
and -sS even use the same engine in recent Nmap: ultra_scan).

Of course, this assumes that you *have* top ports data that you trust.
The backend code to implement such top ports functionality actually
already exists in Nmap. The only thing holding back the feature is a
good data-set.

If the Nmap community agrees on a data-set, I would be happy to make the
top ports feature work. I ran some -iR -p1-65535 scans a year or two ago
but was never confident enough to recommend that the results be the official
Nmap data.

Unlike my crappy results, Brandon's data looks very promising! Was this
data collected from full port scans of a large heterogeneous network without
significant firewall interference? If so, and of course if Brandon agrees,
I could massage the data into a format that would allow you to run the
following scan:

nmap -P0 -sS --top-ports 50 target

Another option is to create a community submission interface for such
data similar to how we currently collect OS/service fingerprints. This
was suggested recently by Lionel Cons:

http://seclists.org/nmap-dev/2008/q1/0162.html

I actually have some perl code that will take Nmap -oG scans and
strip all information except for port lists, as well as a C program
that will compress lists of port numbers into a compact ASCII encoding
suitable for pasting into web text fields:

http://hcsw.org/downloads/portcompress.c

A potential problem with any top ports data, especially considering the
rapid, unpredictable pace of internet development, is that data might
become inaccurate over time. This could happen when a new service becomes
popular or when an older one becomes obsolete (think telnet -- though
Brandon's data suggests telnet is still more common than, say, VNC.)

Anyways, I'm very open to ideas on how to tackle this important problem.

Best,

Doug

Attachment: signature.asc
Description: Digital signature


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
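To make the data-collection step Doug describes concrete, here is an added Python example (not Doug's Perl script, not the portcompress.c program, and not part of this thread) that strips Nmap -oG grepable output down to per-host open-port sets, ranks TCP ports by how many hosts have them open, and renders the result as a -p list for the nmap -P0 -sS scan mentioned above. The scan lines are constructed sample data, and the ranking only counts ports whose state is exactly "open", so "closed" and "open|filtered" entries never inflate the counts.

```python
from collections import Counter

# Constructed sample of Nmap grepable (-oG) output; not real scan data.
SAMPLE_OG = """# Nmap 4.53 scan initiated as: nmap -sS -p1-65535 -oG out.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)
Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 5900/closed/tcp//vnc///\tIgnored State: filtered (65532)
Host: 10.0.0.3 ()\tPorts: 80/open/tcp//http///, 22/open|filtered/tcp//ssh///\tIgnored State: closed (65533)
# Nmap done -- 8 IP addresses (3 hosts up) scanned
"""


def open_ports_per_host(gnmap_text):
    """Return {address: {(port, proto), ...}} keeping only ports whose -oG state is 'open'.

    Grepable output puts tab-separated fields on each 'Host:' line; the 'Ports:' field
    holds comma-separated entries of the form port/state/proto/owner/service/rpc/version/.
    """
    hosts = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer lines
        address = line.split()[1]
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 3:
                    continue  # malformed entry; ignore rather than miscount
                port, state, proto = int(parts[0]), parts[1], parts[2]
                if state == "open":  # 'open|filtered' and 'closed' are excluded
                    hosts.setdefault(address, set()).add((port, proto))
    return hosts


def top_ports(gnmap_text, n, proto="tcp"):
    """Rank ports by the number of hosts with them open; ties break on port number."""
    counts = Counter()
    for ports in open_ports_per_host(gnmap_text).values():
        for port, p in ports:  # a set, so each host counts a port at most once
            if p == proto:
                counts[port] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def port_list_arg(ranked):
    """Render a ranking as the value for 'nmap -P0 -sS -p <list> target'."""
    return ",".join(str(port) for port, _ in ranked)


if __name__ == "__main__":
    print(port_list_arg(top_ports(SAMPLE_OG, 3)))  # prints "22,80,23"
```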
