Nmap Development mailing list archives
note to fyodor-ideas
From: mike <dmciscobgp () hotmail com>
Date: Sat, 2 Aug 2008 18:49:03 +0000
i wrote this off to fyodor and he responded and told me to post it here:

hello sir. mind if i offer you a few suggestions for your lovely little nmap tool? i have mentioned some in the past but you either blew me off or scrapped them. maybe you'll laugh at these too, who knows.

when you are scanning with nmap, in my opinion it is an absolute that you run it next to a packet sniffer or turn on packet_trace, otherwise you are scanning blind. that being said, we know many newbies won't get that concept.

something i have noticed is when you are scanning a target and you feed it data through the use of "data-length" bytes, even if you get whatever gibberish for a response, nmap will not tell you it saw a thing after the scan output. this needs to be changed, i think. you should have a way, as you are scanning, to open up all sockets to see what you get back, if anything. the only way i know nmap says it saw anything after a scan is only by using a specific request of a service scan. here is output for proof of what i am babbling about: windows box scanning another, NTP service.

*this is AFTER A SERVICE SCAN WITH CORRECT DATA SENT TO RECEIVE RESPONSE:

    123/udp open            ntp     udp-response    Microsoft NTP

*this is what nmap sees after random bytes of 8 sent:

    123/udp open|filtered   NTP     no-response

and here is the proof said machine spoke back to me with data:

    > 192.168.1.5.52619 > 192.168.1.100.123: NTPv6, length 8 unspecified, Leap indicator: -1s (128), Stratum 72, poll 74s, precision[|ntp]

my ip in this case is .100 so that is not me saying that, it's the target. do you now see why this idea would be valuable? i understand it is not a proper response back BUT with that output i AT LEAST know there is something sitting on that socket when nmap tells me there isn't.

the last thing i wanted to mention. a lot of services will only respond if you talk to them direct by using the same source port as the destination, like RIP does. why not have a way to automatically set these services to their corresponding source/dest values in the scripts/service scans (or even during a regular scan)? i think it would be better to ALWAYS use the same source/dest port for any service in question because there is a greater chance of reply/output back. agreed?

ok, you heard my ideas, toss them if you wish or at least acknowledge them and tell me what you think, good or bad. i admit i am not a coder and this is a mere hobby of mine i have been at for over 5 years and love it. been using nmap since its infancy as well. i would love to have people be able to offer input and see a bit of recognition even if it is just in offering up great ideas that get put into use.

thank you for your time
Mike

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
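The two behaviours Mike describes (a UDP port that answers a random 8-byte probe with unparseable bytes yet gets reported as open|filtered / no-response, and services that only answer when the probe's source port matches the destination port) can be reproduced locally. The script below is an added illustration written for this archive page; it is not nmap code and not part of Mike's post. It runs a constructed stand-in for the NTP box on loopback (`JunkUdpResponder`, which replies to anything with 8 junk bytes, or stays silent), and a hypothetical `udp_probe` helper that, unlike the nmap output quoted above, keeps the raw reply bytes and reports the port as open whenever anything came back, even when the reply is not a recognizable NTP packet. The `source_port` parameter shows the same-source-port idea; all names and the NTP sanity check are this example's own assumptions.

```python
import os
import socket
import threading


class JunkUdpResponder:
    """Constructed stand-in for the box in the post: answers any datagram
    with 8 bytes that are not a valid NTP packet, or stays silent."""

    def __init__(self, reply=b"\x00" * 8, silent=False):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))          # ephemeral loopback port
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self.reply = reply
        self.silent = silent
        self._stop = False
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop:
            try:
                _data, peer = self.sock.recvfrom(2048)
            except socket.timeout:
                continue
            if not self.silent:
                self.sock.sendto(self.reply, peer)

    def close(self):
        self._stop = True
        self._thread.join()
        self.sock.close()


def free_udp_port():
    """Pick a currently unused UDP port (used to choose an explicit source port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def looks_like_ntp(data):
    """Loose sanity check: a real NTP reply is at least 48 bytes and carries
    a version number of 1..4 in bits 3-5 of the first byte (assumption)."""
    return len(data) >= 48 and 1 <= (data[0] >> 3) & 0x07 <= 4


def udp_probe(host, port, payload, source_port=0, timeout=1.0):
    """Send one datagram and report what came back. The raw bytes are kept
    even when the reply is not a recognizable service response, so the
    reader learns 'something is on that socket' rather than 'no-response'.
    source_port=port mirrors the same-source/dest-port idea from the post."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("0.0.0.0", source_port))   # 0 = let the OS pick an ephemeral port
    data = b""
    try:
        sock.connect((host, port))        # connect() lets ICMP unreachable surface as an error
        sock.send(payload)
        data = sock.recv(2048)
        state = "open"
        note = "ntp reply" if looks_like_ntp(data) else "unrecognized reply, %d raw bytes" % len(data)
    except socket.timeout:
        state, note = "open|filtered", "no-response"
    except ConnectionRefusedError:
        state, note = "closed", "icmp port unreachable"
    sport = sock.getsockname()[1]
    sock.close()
    return {"port": port, "state": state, "note": note,
            "raw": data.hex(), "source_port": sport}


if __name__ == "__main__":
    box = JunkUdpResponder()
    print(udp_probe("127.0.0.1", box.port, os.urandom(8), source_port=free_udp_port()))
    box.close()
```

Run it as-is to see the difference between "open|filtered, no-response" (silent target) and "open, unrecognized reply, 8 raw bytes" (junk-answering target); a packet capture on loopback shows the same datagrams the post's tcpdump line did.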