Nmap Development mailing list archives

Re: Fwd: SOC idea

From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 10 Jan 2014 09:22:30 -0600

On 01/10/2014 06:48 AM, Jason Gerfen wrote:

1. Your Github readme suggests that you might be using Nmap 5.51. If this is
>the case, do upgrade to the latest version before benchmarking your code,
>otherwise you might be wasting time.

I am currently using and testing against 5.51, so green there.

The current version is 6.40, just to clarify. I am not really aware ofany significant changes in host discovery between these versions. Hereare the relevant entries in the changelog:


o Added a new --disable-arp-ping option. This option prevents Nmap
  from implicitly using ARP or ND host discovery for discovering
  directly connected Ethernet targets. This is useful in networks
  using proxy ARP, which make all addresses appear to be up using ARP
  scan. The previously recommended workaround for this situation,
  --send-ip, didn't work on Windows because that lame excuse for an
  operating system is still missing raw socket support.  [David
  Fifield (editorializing added by Fyodor)]

o Made source port numbers (used to encode probe metadata) increment
  so as not to overlap between different scanning phases. Previously
  it was possible for an RST response to an ACK probe from host
  discovery to be misinterpreted as a reply to a SYN probe from port
  scanning. [Sean Rivera, David Fifield]

o Targets requiring different source addresses now go into different
  hostgroups, not only for host discovery but also for port scanning.
  Before, only responses to one of the source addresses would be
  processed, and the others would be ignored. [David]

o Nmap has long supported IPv6 for basic (connect) port scans, basic
  host discovery, version detection, Nmap Scripting Engine.  This
  release dramatically expands and improves IPv6 support:
  + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
    etc.) are now supported. [David, Weilin]
  + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
    discovery packets, etc.) is now supported. [David, Weilin]
  + IPv6 traceroute is now supported [David]
  + The --exclude and --excludefile now support IPV6 addresses with
    netmasks.  [Colin]

>
>2. Consider using -oX instead of -oG. This way you will get an ouput format
>less likely to be changed in the future. As far as I know, -oG is meant for
>being read by a human, not parsed by a machine.

Am I wrong to assume -oG will allow the following?

$ nmap -sn -oG - 10.0.2.0/24 | awk 'up { print }'

Really due to the nature of the language, in this case node.js which
relies heavily upon Objects, and more specifically JSON formatted
objects a simple regex combined with a capture group of the results is
going to be faster than traversing XML elements.

-oG is "deprecated," which for our purposes means that the format isfixed and will not change. New features (NSE scripts, traceroute, etc)will not get their output added to -oG files. For host discovery, thisis probably sufficient for your purposes. Just realize that XML is morecomplete, if you plan on extending your interface to support morethorough scanning.


Looks cool!

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

SOC idea Jason Gerfen (Jan 09)
- Re: SOC idea Jacek Wielemborek (Jan 09)
  - Message not available
    - Fwd: SOC idea Jason Gerfen (Jan 10)
    - Re: Fwd: SOC idea Daniel Miller (Jan 10)
    - Re: Fwd: SOC idea Jason Gerfen (Jan 11)
    - Re: Fwd: SOC idea Jason Gerfen (Jan 26)
    - Re: Fwd: SOC idea Jason Gerfen (Jan 29)
- Re: SOC idea A. P. Garcia (Jan 10)