Nmap Development mailing list archives
Re: [RFC] --exclude-ports option for Nmap
From: Fyodor <fyodor () nmap org>
Date: Tue, 10 Jun 2014 20:35:23 -0700
On Tue, Jun 3, 2014 at 3:12 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:

> Hi All! The --exclude-ports option would be a major boon to many Nmap users and it has been in demand for quite a while now. However, there are some things that need to be thought about before we add it in.
>
> 1. How does it interact with -p? More specifically, what does "-p 80 --exclude-ports 80" do (since the user specifically included it as well as excluded it)?

I think exclude ports should definitely overrule. I think the main thing people will use this for is to remove a port from the default set, or from -p-, etc. "-p 80 --exclude-ports 80" is a special case because there are no ports left to scan. So that might warrant an error suggesting that they use -sn if they don't want to port scan.

> I think that we should follow an "exclude has higher priority than include" ideology and NOT scan 80 in this case. However, we could show a warning to a user if he has included a port individually and then excluded it (i.e. not using ranges). The warning thing could be added later on, as a follow-up.

I'm not sure I'd even show a warning, as excluding ports which would otherwise be scanned is a main purpose of this option. I also wouldn't give a warning if people try to exclude a port which wasn't going to be scanned, as they might just be doing that for safety/paranoia/policy reasons.

> 2. How does it interact with --top-ports? More specifically, how many ports does "--top-ports 2 --exclude-ports 80" scan? 1 or 2? I think that it should scan 2 ports excluding port 80 (i.e. it should scan ports 23 and 443). This seems to be the logical way that anyone would read the command too.

Yes, that sounds like the way to go. As you go through the top port lists, you'd call the function to check if the port is excluded first.

> 3. How should the arguments for it be taken? Similar to -p, or only individual ports should be taken? I think that we should allow for ranges of ports to also be specified, very similar to the way we take input for -p (kind of like "--exclude-ports 80-90,666"). This would make it very easy for users to use this option.

Yeah, taking options in the same format as -p sounds reasonable, assuming you can do it efficiently. There is also the question of how this relates to NSE. One option is to just use --exclude-ports to pare down the scanned port list at the beginning of runtime, and not even need to keep the information around after that. Alternatively, we could save the info and make a way for NSE to query whether a port was specifically excluded. It might be best to start with the former and then expand to the latter only if we find a pressing need for it. Most NSE scripts aren't touching unscanned ports anyway.

> 4. Should there be a one-letter flag for it? If so, what should it be? I don't think that it needs a one-letter flag but this depends on how much it will be used.

I agree that it does not warrant a one-letter flag.

Cheers,
Fyodor

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
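The semantics settled on in the exchange above (exclude overrides include, an empty remaining set is an error, --top-ports N still yields N ports after exclusion, and -p style specs with ranges), modelled as an added Python example that is not Nmap's code. The function names are hypothetical, and the ranked port list is a constructed sample whose first three entries follow the thread's "--top-ports 2 --exclude-ports 80" example rather than nmap-services data.

```python
from typing import List, Optional, Set

MAX_PORT = 65535

def parse_port_spec(spec: str) -> Set[int]:
    """Parse a -p style spec: comma-separated ports and inclusive ranges.
    A bare '-' (as in -p-) means 1-65535; '-90' and '1000-' are open-ended."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo_s, _, hi_s = item.partition("-")
            lo, hi = (int(lo_s) if lo_s else 1), (int(hi_s) if hi_s else MAX_PORT)
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError("bad port range: %r" % item)
        ports.update(range(lo, hi + 1))
    return ports

def select_ports(include_spec: str, exclude_spec: Optional[str] = None) -> Set[int]:
    """Exclusion wins over inclusion, whether the port came from -p, -p- or a range.
    An empty result (e.g. "-p 80 --exclude-ports 80") is an error rather than a
    silent no-op, mirroring the suggestion to point the user at -sn."""
    excluded = parse_port_spec(exclude_spec) if exclude_spec else set()
    remaining = parse_port_spec(include_spec) - excluded
    if not remaining:
        raise ValueError("no ports left to scan after --exclude-ports; use -sn to skip port scanning")
    return remaining

# Ranked candidate list for --top-ports. The first three match the thread's
# example (80, 23, 443); the rest is a constructed tail, not nmap-services data.
SAMPLE_TOP_PORTS = [80, 23, 443, 21, 22, 25, 3389, 110, 445, 139]

def top_ports(n: int, exclude_spec: Optional[str] = None,
              ranking: List[int] = SAMPLE_TOP_PORTS) -> List[int]:
    """--top-ports N --exclude-ports X still yields N ports: the exclusion check
    runs on each candidate while walking the ranked list, so excluded ports are
    skipped rather than counted."""
    excluded = parse_port_spec(exclude_spec) if exclude_spec else set()
    chosen: List[int] = []
    for port in ranking:
        if len(chosen) == n:
            break
        if port not in excluded:
            chosen.append(port)
    return chosen
```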