Nmap Development mailing list archives
Nmap port frequency features added!
From: Fyodor <fyodor () insecure org>
Date: Thu, 4 Sep 2008 19:53:35 -0700
Hi All. I'm happy to report that I just committed some Nmap features that I've wanted for years and talked about in depth at my recent Black Hat Briefings and Defcon presentations in Las Vegas (I hope to post a video of those talks soon).

After scanning tens of millions of IPs on the Internet, I've expanded the nmap-services file to include information on how frequently each port is found to be open. This enables Nmap to be much smarter about which ports it scans.

The first change from this is that Nmap now scans the most common 1,000 ports by default in either protocol (UDP scan is still optional). This is a decrease from 1,715 TCP ports and 1,488 UDP ports in Nmap 4.68. So Nmap is faster by default and, since the port selection is better, often finds more of the open ports as well.

The fast scan (-F) has also changed. Nmap -F now scans the top 100 ports by default in either protocol. This is a decrease from 1,276 (TCP) and 1,017 (UDP) in Nmap 4.68, leading to an order of magnitude decrease in port scanning time.

I'm particularly excited about the implications for UDP scans, which many people previously didn't do because it was slow and hard to disambiguate open from open|filtered ports. Now you can do "-sUV -F" to interrogate the top 100 ports and try to receive a protocol response proving that they are open. Here is an example from my Defcon presentation:

nmap -sUV -F -T4 scanme.nmap.org
=> Took 1 hour and 2 minutes with Nmap 4.68

Now that Nmap knows the most common ports, I try again with the svn version:

nmap -sUV -F -T4 scanme.nmap.org
=> Took 6 minutes, 29 seconds with the port frequency (svn) version

That is a huge improvement, but it becomes even more dramatic when I add the "--version-intensity 0" flag so that Nmap only tries probes for protocols known to be found on the target port numbers:

nmap -sUV -F --version-intensity 0 -T4 scanme.nmap.org
=> Took 13 seconds

All three of these commands found the correct open port information. But by using the latest version of Nmap (with this port frequency feature) and knowing the ideal options, the scan time was reduced from an hour to just 13 seconds! I think the moral is to read the man page carefully (and the upcoming Nmap book!) to optimize your scan times.

A related change is that the --top-ports option now lets you specify the number of ports you wish to scan in each protocol, and will pick the most popular ports for you based on the new frequency data. For both TCP and UDP, the top 10 ports get you roughly half of the open ports. The top 1,000 (out of 65,536 possible) finds roughly 93% of the open TCP ports and more than 95% of the open UDP ports.

Please try out the new features and let me know if you have any problems! This data was generated from my own scanning, and from some helpful folks who contributed port frequencies from scanning their organizations. Also, David helped a lot in the coding department.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
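The post describes two mechanisms built on the new frequency column in nmap-services: --top-ports picks the N most frequently open ports per protocol, and the quoted coverage figures (top 10 ports give roughly half of the open ports, top 1,000 about 93% TCP / 95% UDP) are cumulative shares of that frequency data. The following is an added example, not Nmap's own code and not from the post, that reproduces both ideas over a small table: it parses lines in the nmap-services layout ("name port/proto frequency # comment", which is the format the file uses after this change) and selects the top ports and their cumulative coverage. The sample lines and every frequency value in them are constructed for illustration and are not the real figures from nmap-services; the function names (parse_services, top_ports, coverage, port_spec) are this example's own.

```python
"""Pick the most frequently open ports from an nmap-services-style table.

Added example (not Nmap's own code). It mimics what the --top-ports option
described in the post does: read the per-port open frequency column and
select the N highest-frequency ports for each protocol, and it computes how
much of the open-port frequency mass those N ports cover. The sample lines
below are constructed for illustration; the frequency values are NOT the
real figures from the nmap-services file.
"""
import re
from collections import defaultdict

# Constructed sample in nmap-services layout: "name port/proto frequency # comment".
SAMPLE_NMAP_SERVICES = """\
# Fields: service name, port/protocol, open-frequency, comment (constructed sample)
http       80/tcp    0.484143  # World Wide Web HTTP
telnet     23/tcp    0.221265
https      443/tcp   0.208669
ftp        21/tcp    0.197667
ssh        22/tcp    0.182286
smtp       25/tcp    0.131314
unknown    49152/tcp 0.000100
domain     53/udp    0.213496
snmp       161/udp   0.433467
ntp        123/udp   0.330879
netbios-ns 137/udp   0.365163
dhcps      67/udp    0.228010
tftp       69/udp    0.102835
"""

# name, port/proto, frequency; anything after the frequency (comments) is ignored.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp|sctp)\s+([0-9.]+)")


def parse_services(text):
    """Return {proto: [(port, name, freq), ...]} from nmap-services-style text.

    Blank lines and '#' comment lines are skipped; lines that do not carry a
    frequency column are ignored rather than treated as an error.
    """
    table = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, port, proto, freq = m.groups()
        table[proto].append((int(port), name, float(freq)))
    return table


def top_ports(table, n, proto):
    """Ports of `proto` ordered by open frequency, highest first, cut to n.

    Ties are broken by ascending port number so the result is deterministic.
    """
    entries = sorted(table.get(proto, []), key=lambda e: (-e[2], e[0]))
    return [port for port, _name, _freq in entries[:n]]


def coverage(table, n, proto):
    """Share of the protocol's total open-port frequency captured by its top n ports.

    This is the kind of figure behind 'the top 10 ports get you roughly half
    of the open ports': cumulative frequency of the top n over the total.
    """
    freqs = sorted((f for _p, _n, f in table.get(proto, [])), reverse=True)
    total = sum(freqs)
    return sum(freqs[:n]) / total if total else 0.0


def port_spec(ports):
    """Render a port list in the comma-separated form Nmap's -p option accepts."""
    return ",".join(str(p) for p in sorted(ports))


if __name__ == "__main__":
    table = parse_services(SAMPLE_NMAP_SERVICES)
    for proto in ("tcp", "udp"):
        top = top_ports(table, 3, proto)
        print(f"{proto}: top 3 = {port_spec(top)}  covers {coverage(table, 3, proto):.1%}")
```

Running the block against the real nmap-services file (pass its contents to parse_services) gives the same ranking that --top-ports uses, and coverage(table, 1000, "tcp") is the way to check a claim like the 93% figure against whatever frequency data is installed.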