Nmap Development mailing list archives

Minor nmap feature request with great payback


From: Jon Kibler <Jon.Kibler () aset com>
Date: Sun, 08 Nov 2009 11:54:53 -0500

Hi,

When scanning a network, it is often helpful to know the IP address and TTL that
responded to a probe. Currently, there are several ways to dump packet details,
but these do not exactly produce "clean" output.

What I would like to see is a new option, "--reason-details" that gives not only
the reason for determining that a port was open/closed/filtered/etc., but also
gives the IP and TTL of the packet that sent the response. For example, consider
the following scan:

-------------------
# nmap -sS -p1-1023 -PN x.y.239.66 --reason -n

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-08 16:04 GMT
Interesting ports on x.y.239.66:
Not shown: 1020 filtered ports
Reason: 1006 no-responses and 14 admin-prohibiteds
PORT    STATE  SERVICE    REASON
22/tcp  open   ssh        syn-ack
113/tcp closed auth       reset
587/tcp open   submission syn-ack

Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds
-------------------

What I would really like to have seen would have been as follows:

-------------------
# nmap -sS -p1-1023 -PN x.y.239.66 --reason-details -n

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-08 16:04 GMT
Interesting ports on x.y.239.66:
Not shown: 1006 filtered ports
Reason: 1006 no-responses
PORT      STATE      SERVICE    REASON
22/tcp    open       ssh        syn-ack from x.y.239.66 with TTL 61
72/tcp    filtered   netrjs-2   admin-prohibited from x.y.238.10 with TTL 253
113/tcp   closed     auth       reset  from x.y.239.66 with TTL 61
118/tcp   filtered   sqlserv    admin-prohibited from x.y.238.10 with TTL 253
130/tcp   filtered   cisco-fna  admin-prohibited from x.y.238.10 with TTL 253
443/tcp   filtered   https      admin-prohibited from x.y.238.10 with TTL 253
467/tcp   filtered   mylex-mapd admin-prohibited from x.y.238.10 with TTL 253
513/tcp   filtered   login      admin-prohibited from x.y.238.10 with TTL 253
587/tcp   open       submission syn-ack from x.y.239.66 with TTL 61
668/tcp   filtered   unknown    admin-prohibited from x.y.238.10 with TTL 253
684/tcp   filtered   unknown    admin-prohibited from x.y.238.10 with TTL 253
755/tcp   filtered   unknown    admin-prohibited from x.y.238.10 with TTL 253
758/tcp   filtered   nlogin     admin-prohibited from x.y.238.10 with TTL 253
834/tcp   filtered   unknown    admin-prohibited from x.y.238.10 with TTL 253
960/tcp   filtered   unknown    admin-prohibited from x.y.238.10 with TTL 253
976/tcp   filtered   unknown    admin-prohibited from x.y.238.10 with TTL 253
995/tcp   filtered   pops       admin-prohibited from x.y.238.10 with TTL 253

Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds
-------------------

The additional information allows you to make educated guesses at where
firewalls and load balancers are in the network, and the type of device that is
associated with an open port. This would be good information to have and I would
not think that the coding effort required to provide it would be that substantial.

Also, as shown above, it would be VERY nice to know which 14 of the filtered
ports returned admin-prohibited, detailing them just like the open/closed ports.
Again, I would not think that it would be that difficult to add this capability.


I hope this request is not unreasonable and can find its way into an upcoming
version of nmap. The amount of additional, extremely useful, information
returned by making these two changes would be of enormous benefit.

Sincerely,

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler () aset com
e: Jon.R.Kibler () gmail com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
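
Added example, not part of the original message and not Nmap code: a short Python parser for rows in the "--reason-details" format proposed above. It groups ports by responding IP and TTL and flags responders other than the scanned target, which is the firewall-placement inference the message describes. The sample rows are constructed from the message's own mock output; the set of common initial TTLs and the names `summarize` and `hops_away` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: rows in the output format proposed in the message above
# (the requested format, not output from a released Nmap).
SAMPLE = """\
22/tcp    open       ssh        syn-ack from x.y.239.66 with TTL 61
72/tcp    filtered   netrjs-2   admin-prohibited from x.y.238.10 with TTL 253
113/tcp   closed     auth       reset  from x.y.239.66 with TTL 61
443/tcp   filtered   https      admin-prohibited from x.y.238.10 with TTL 253
587/tcp   open       submission syn-ack from x.y.239.66 with TTL 61
"""

ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>\w+)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+)\s+from\s+(?P<src>\S+)\s+with\s+TTL\s+(?P<ttl>\d+)\s*$"
)
# Assumption: responders start from one of these common initial TTL values.
INITIAL_TTLS = (32, 64, 128, 255)

def hops_away(ttl):
    """Estimate hop count as the distance below the nearest common initial TTL."""
    initial = next((t for t in INITIAL_TTLS if t >= ttl), 255)
    return initial - ttl

def summarize(text, target):
    """Group ports by (responder, TTL); mark responders that are not the target."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # banners, column headers and blank lines do not match
            groups[(m["src"], int(m["ttl"]))].append(int(m["port"]))
    return [
        {"responder": src, "ttl": ttl, "est_hops": hops_away(ttl),
         "intermediate": src != target, "ports": sorted(ports)}
        for (src, ttl), ports in sorted(groups.items(), key=lambda kv: kv[1][0])
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE, "x.y.239.66"):
        kind = "intermediate device" if row["intermediate"] else "target host"
        print(f'{row["responder"]} TTL {row["ttl"]} '
              f'(~{row["est_hops"]} hops, {kind}): ports {row["ports"]}')
```

On the sample rows, the admin-prohibited responses come from a responder estimated one hop closer than the target, which is consistent with a filtering device directly in front of the host.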





