Nmap Development mailing list archives

Re: NSE without ping or port scanning: interface ideas


From: jah <jah () zadkiel plus com>
Date: Fri, 10 Jul 2009 22:03:49 +0100

On 10/07/2009 20:40, David Fifield wrote:
> nmap -sC -sP -PN
> This is what I used in my tests. A problem is the seemingly
> contradictory options -sP -PN. You have to think of -sP not as "ping
> scan" but as "don't port scan."

I remember trying this method for this very reason - it seemed perfectly
logical to me - "do a ping scan without any ping probes".

> nmap -sC -sL
> This one is nice because -sL already means "no ping or port scan."
> However it means that -sL is no longer a guaranteed "safe" scan that
> doesn't contact the targets.
>
> nmap -sC -PN -s0
> -s0 is a made-up option that means "don't port scan," analogous to -PN.
> -sN would be a better match but that is already NULL scan.
>
> None of these choices is compelling so I'm open to other ideas.

Perhaps a good idea, as Tom said, would be to have a "script scan
exclusively" option which would at least make it less confusing for
users, less difficult to implement - and easier to document.

> Another idea I'd like to solicit comments on is to allow -p to be used
> with -sP -sC. The port list would be a list of ports that are assumed to
> be open on each host, without doing a port scan. This would allow
> running port scripts, not just host scripts, with -sP. Assuming the
> ports to be open would work much the same way as -PN assumes hosts to be up.

I like this idea.  I'd also like for scripts called by name to have
their host/portrules automatically return true - I can imagine this
might be a bit troublesome unless there was an option for "script scan
exclusively", but if there were such an option it should be easy to
override the return from a rule.

jah
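As an added illustration (not code from this thread or from the Nmap project), the following NSE script shows how hostrule and portrule gate script execution under the options discussed above: the hostrule fires for every host Nmap treats as up (all of them under -PN), while the portrule only fires for ports Nmap has a port-table entry for, which is why port scripts need either a port scan or David's proposed "-p with -sP" assumed-open list. The script name rule-demo and the script argument rule-demo.force, which forces both rules true in the way jah asks for, are assumptions.

```lua
-- Added example script (not part of Nmap). Name and argument are hypothetical:
--   nmap -sC -sP -PN --script=rule-demo --script-args rule-demo.force=1 <target>
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Demonstrates which NSE rule fires for a host or port under ping-only,
no-port-scan and forced-rule invocations.
]]
author = "example (added illustration)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe"}

-- Hypothetical argument: emulate "rules return true when the script is
-- named explicitly" from inside the script instead of in the Nmap core.
local force = stdnse.get_script_args("rule-demo.force")

-- Host scripts run once per host that Nmap considers up; with -PN that is
-- every target, even when no ping probe was sent.
hostrule = function(host)
  return true
end

-- Port scripts run once per port in the host's port table. Without a port
-- scan the table is empty, so this never fires unless Nmap is told which
-- ports to assume open (the -p with -sP proposal) or the rule is forced.
portrule = function(host, port)
  if force then
    return true
  end
  -- default: only common web ports, by number or by service name
  return shortport.port_or_service({80, 443}, {"http", "https"})(host, port)
end

action = function(host, port)
  if port then
    return ("portrule matched %s/%d (state %s)"):format(
      port.protocol, port.number, port.state)
  end
  return "hostrule matched " .. host.ip
end
```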

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org