Nmap Development mailing list archives
Minor nmap feature request with great payback
From: Jon Kibler <Jon.Kibler () aset com>
Date: Sun, 08 Nov 2009 11:54:53 -0500
Hi,

When scanning a network, it is often helpful to know the IP address and TTL that responded to a probe. Currently, there are several ways to dump packet details, but these do not exactly produce "clean" output.

What I would like to see is a new option, "--reason-details" that gives not only the reason for determining that a port was open/closed/filtered/etc., but also gives the IP and TTL of the packet that sent the response.

For example, consider the following scan:

-------------------
# nmap -sS -p1-1023 -PN x.y.239.66 --reason -n

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-08 16:04 GMT
Interesting ports on x.y.239.66:
Not shown: 1020 filtered ports
Reason: 1006 no-responses and 14 admin-prohibiteds
PORT    STATE  SERVICE    REASON
22/tcp  open   ssh        syn-ack
113/tcp closed auth       reset
587/tcp open   submission syn-ack

Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds
-------------------

What I would really like to have seen would have been as follows:

-------------------
# nmap -sS -p1-1023 -PN x.y.239.66 --reason-details -n

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-08 16:04 GMT
Interesting ports on x.y.239.66:
Not shown: 1006 filtered ports
Reason: 1006 no-responses
PORT    STATE    SERVICE    REASON
22/tcp  open     ssh        syn-ack from x.y.239.66 with TTL 61
72/tcp  filtered netrjs-2   admin-prohibited from x.y.238.10 with TTL 253
113/tcp closed   auth       reset from x.y.239.66 with TTL 61
118/tcp filtered sqlserv    admin-prohibited from x.y.238.10 with TTL 253
130/tcp filtered cisco-fna  admin-prohibited from x.y.238.10 with TTL 253
443/tcp filtered https      admin-prohibited from x.y.238.10 with TTL 253
467/tcp filtered mylex-mapd admin-prohibited from x.y.238.10 with TTL 253
513/tcp filtered login      admin-prohibited from x.y.238.10 with TTL 253
587/tcp open     submission syn-ack from x.y.239.66 with TTL 61
668/tcp filtered unknown    admin-prohibited from x.y.238.10 with TTL 253
684/tcp filtered unknown    admin-prohibited from x.y.238.10 with TTL 253
755/tcp filtered unknown    admin-prohibited from x.y.238.10 with TTL 253
758/tcp filtered nlogin     admin-prohibited from x.y.238.10 with TTL 253
834/tcp filtered unknown    admin-prohibited from x.y.238.10 with TTL 253
960/tcp filtered unknown    admin-prohibited from x.y.238.10 with TTL 253
976/tcp filtered unknown    admin-prohibited from x.y.238.10 with TTL 253
995/tcp filtered pops       admin-prohibited from x.y.238.10 with TTL 253

Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds
-------------------

The additional information allows you to make educated guesses at where firewalls and load balancers are in the network, and the type of device that is associated with an open port. This would be good information to have and I would not think that the coding effort required to provide it would be that substantial.

Also, as shown above, it would be VERY nice to know which 14 of the filtered ports returned admin-prohibited, detailing them just like the open/closed ports. Again, I would not think that it would be that difficult to add this capability.

I hope this request is not unreasonable and can find its way into an upcoming version of nmap. The amount of additional, extremely useful, information returned by making these two changes would be of enormous benefit.

Sincerely,
Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler () aset com
e: Jon.R.Kibler () gmail com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- Minor nmap feature request with great payback Jon Kibler (Nov 08)
- Re: Minor nmap feature request with great payback Rob Nicholls (Nov 08)
- Re: Minor nmap feature request with great payback Jon Kibler (Nov 08)
- Re: Minor nmap feature request with great payback David Fifield (Nov 08)
- Re: Minor nmap feature request with great payback David Fifield (Nov 16)
- Re: Minor nmap feature request with great payback Rob Nicholls (Nov 08)