Nmap Development mailing list archives

Re: [RFC] --exclude-ports option for Nmap


From: Fyodor <fyodor () nmap org>
Date: Tue, 10 Jun 2014 20:35:23 -0700

On Tue, Jun 3, 2014 at 3:12 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:

Hi All!

The --exclude-ports option would be a major boon to many Nmap users and
it has been in demand for quite a while now. However, there are some
things that need to be thought about before we add it in.

1. How does it interact with -p? More specifically, what does "-p 80
--exclude-ports 80" do (since user specifically included it as well as
excluded it)?


I think exclude ports should definitely overrule.  I think the main thing
people will use this for is to remove a port from the default set, or from
-p-, etc.

"-p 80 --exclude-ports 80" is a special case because there are no ports
left to scan.  So that might warrant an error suggesting that they use -sn
if they don't want to port scan.

        I think that we should follow an "exclude has higher priority than
include" ideology and NOT scan 80 in this case. However, we could show a
warning to a user if he has included a port individually and then
excluded it (i.e. not using ranges). The warning thing could be added
later on, as a follow-up.


I'm not sure I'd even show a warning, as excluding ports which would
otherwise be scanned is a main purpose of this option.  I also wouldn't
give a warning if people try to exclude a port which wasn't going to be
scanned, as they might just be doing that for safety/paranoia/policy
reasons.


2. How does it interact with --top-ports? More specifically, how many
ports does "--top-ports 2 --exclude-ports 80" scan? 1 or 2?
        I think that it should scan 2 ports excluding port 80 (i.e. it should
scan ports 23 and 443). This seems to be the logical way that anyone
would read the command too.


Yes, that sounds like the way to go.  As you go through the top port lists,
you'd call the function to check if the port is excluded first.

3. How should the arguments for it be taken? Similar to -p, or only
individual ports should be taken?
        I think that we should allow for ranges of ports to also be
specified, very similar to the way we take input for -p (kind of like
"--exclude-ports 80-90,666"). This would make it very easy for users to
use this option.


Yeah, taking options in the same format as -p sounds reasonable, assuming
you can do it efficiently.

There is also the question of how this relates to NSE.  One option is to
just use --exclude-ports to pare down the scanned port list at the
beginning of runtime, and not even need to keep the information around
after that.  Alternatively, we could save the info and make a way for NSE
to query whether a port was specifically excluded.  It might be best to
start with the former and then expand to the latter only if we find a
pressing need for it.  Most NSE scripts aren't touching unscanned ports
anyway.

4. Should there be a one-letter flag for it? If so, what should it be?
        I don't think that it needs a one-letter flag but this depends on how
much it will be used.


I agree that it does not warrant a one-letter flag.

Cheers,
Fyodor
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
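The three semantics agreed on in the thread (exclusion overrides -p, --top-ports N still yields N ports after exclusions are skipped, and an -p style range syntax for the exclusion list) in a small constructed C++ model. This is added illustration, not Nmap's own parser or port-selection code; the frequency ordering in TOP_TCP is constructed to match the thread's 80/23/443 example.

```cpp
#include <cstdio>
#include <cstdlib>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Parse a -p style spec such as "80-90,666" into a set of ports.
// Constructed illustration, not Nmap's own parser; returns false on bad input.
static bool parse_port_spec(const std::string &spec, std::set<int> &out) {
    std::stringstream ss(spec);
    std::string item;
    while (std::getline(ss, item, ',')) {
        size_t dash = item.find('-');
        int lo = std::atoi(item.substr(0, dash).c_str());
        int hi = (dash == std::string::npos) ? lo : std::atoi(item.substr(dash + 1).c_str());
        if (lo < 1 || hi > 65535 || lo > hi) return false;  // rejects "", "90-80", "80-"
        for (int p = lo; p <= hi; ++p) out.insert(p);
    }
    return true;
}

// "Exclude has higher priority than include": drop excluded ports from the
// -p set before scanning, so "-p 80 --exclude-ports 80" leaves nothing to scan.
static std::set<int> apply_exclusions(const std::set<int> &requested,
                                      const std::set<int> &excluded) {
    std::set<int> result;
    for (int p : requested)
        if (!excluded.count(p)) result.insert(p);
    return result;
}

// --top-ports N: walk the frequency-ordered list, test exclusion first, and stop
// after N kept ports, so "--top-ports 2 --exclude-ports 80" still scans 2 ports.
static std::vector<int> top_ports(const std::vector<int> &ordered, size_t n,
                                  const std::set<int> &excluded) {
    std::vector<int> result;
    for (size_t i = 0; i < ordered.size() && result.size() < n; ++i)
        if (!excluded.count(ordered[i])) result.push_back(ordered[i]);
    return result;
}

// Constructed frequency ordering (80, 23, 443 first, as in the thread's example).
static const std::vector<int> TOP_TCP = {80, 23, 443, 21, 22, 25, 3389, 110, 445, 139};

int main() {
    std::set<int> ex;
    parse_port_spec("80", ex);
    for (int p : top_ports(TOP_TCP, 2, ex)) std::printf("%d\n", p);  // 23, 443
}
```

An empty result from apply_exclusions is the "nothing left to scan" case Fyodor suggests should produce an error pointing at -sn.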

