Nmap Development mailing list archives
Re: [Branch] --ignore-after
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 17 Sep 2014 10:05:06 -0500
On Mon, Aug 18, 2014 at 7:30 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:
> On Sunday 17 August 2014 11:41 AM, Fyodor wrote:
>
>> Here it is only 3 days later and I'm already second guessing myself :). I'm starting to think that "50%,80" would be better for -T4. That way, for -F, we'd only ignore if at least 80 ports were open. And for a default (1,000 port) scan, we'd only skip if 500 or more were open. I think 500 open ports out of 1,000 is not a normal system and doing version detection and NSE against all those will likely waste a lot of time.
>>
>> For -T5, maybe a "40%,60" threshold would be good. Right now, in the nmap-exp branch, -T4 gives "90%,90" and -T5 gives "80%,80". This means, even with -T5, an all-ports scan ("-p-") would require 52,428 open ports before bailing. With "40%,60", we could quit sooner--after 26,214 open ports found. And for a default (ports) scan, we could move on after 400 open instead of waiting for 800.
>>
>> Cheers,
>> Fyodor
>
> I've been confused about the constants ever since I initially put them in. Over time, I've been wanting to keep reducing the constants. I think that the only way we are going to be able to decide on good values is if we can decide upon what is the "normal" number of open ports and what is not.
>
> For the min open ports (the num part of "per%,num"), I think that 80 for -T4 and 60 for -T5 makes sense. However, I'd suggest dropping the percentage part even further. For a default scan (1000 port), more than 100 open ports is not "normal" IMHO. When we go into an all-ports scan, waiting even until 26,214 seems unneeded too. I've yet to come across a "normal" system with more than 50 open ports. However, people who've been using Nmap for longer than I have might be able to give a better insight into this.
>
> Currently, I propose -T4 = "10%,80", -T5 = "5%,60". This would work this way:
>
>     Scan                  Number of ports scanned   Ports after which to ignore (-T4)   Ports after which to ignore (-T5)
>     Fast scan "-F"                            100                                  80                                  60
>     Default scan                            1,000                                 100                                  60
>     All-port scan "-p-"                    65,535                               6,554                               3,277
>
> What do you all think?
>
> Cheers,
> Jay
I'm just now realizing that an idea I had early on got dropped. I think it might solve a bit of this problem, so I'll elaborate again:

First, consider the problem of the -p- scan (or any other large scan). With a default -T5 of 10%,60 (numbers don't matter at this point, but this is a likely starting place), your algorithm would need to scan 6554 open ports before it decided to bail on the scan. That's a lot of wasted effort, and that's why you are suggesting lower and lower percentage values (we started with 80% and 90%, if you remember).

Instead, I propose that the percentage calculation be done over the *number of ports scanned so far* as opposed to the *total number of ports intended to be scanned*. This would probably require an extra variable to be kept around for each host, but that's negligible. This would allow a default like 90%,90 to scan at minimum 90 ports regardless of scan size.

What happens on a host that reports every port as open is this: as soon as the 90th port is found open, the percentage calculation is done. 90/90 ports are open, which is 100% > 90%, so the host is ignored. The purpose of setting a percentage less than 100% is to allow for some dropped packets at the higher timing levels.

I believe this method would allow for earlier ignoring while still keeping with the spirit of detecting portspoof hosts. It also simplifies the discussion of defaults; no matter how many ports are scanned, the ignore decision gets made at the same point in the scan (immediately after the n+1 port is scanned).

We would need to decide what it means when a user does --ignore-after 50 (I think this would be the same as 50,0%; that is, 50 open ports regardless of how many closed/filtered ports) or --ignore-after 70% (probably the same as 70%,.7*total_ports; this is equivalent to -F --ignore-after 70%,70 or -p- --ignore-after 70%,45875 for the default scan).

Thoughts?
Dan

_______________________________________________
Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
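A small model of the two ways this thread evaluates a "pct%,num" ignore threshold: over the total number of ports to be scanned (the basis of Jay's table) and over the ports scanned so far (Dan's proposal). This is an added example, not Nmap's code; the function names and the simulated hosts are assumptions.

```python
# Added example (not Nmap's code): models the "pct%,num" --ignore-after
# threshold from the thread; function names and sample hosts are assumed.

def parse_threshold(spec, total_ports):
    """Parse "pct%,num", "num" or "pct%" into (pct, num).
    Bare num -> (0%, num); bare pct -> (pct, pct/100 * total_ports),
    as Dan suggests for --ignore-after 50 and --ignore-after 70%."""
    parts = [p.strip() for p in spec.split(",")]
    pct = next((float(p.rstrip("%")) for p in parts if p.endswith("%")), 0.0)
    nums = [int(p) for p in parts if not p.endswith("%")]
    # 70% of 65535 rounds to 45875, matching the figure in the thread
    num = nums[0] if nums else int(pct * total_ports / 100 + 0.5)
    return pct, num

def ignore_point(open_flags, pct, num, mode):
    """1-based scan position at which the host is ignored, or None.
    open_flags: per-port results in scan order (True = open).
    mode "total": pct is taken over all ports to be scanned (Jay's table).
    mode "sofar": pct is taken over ports scanned so far (Dan's proposal)."""
    total_ports = len(open_flags)
    open_so_far = 0
    for scanned, is_open in enumerate(open_flags, start=1):
        if is_open:
            open_so_far += 1
        denom = total_ports if mode == "total" else scanned
        # Both parts must hold: at least num open, and open >= pct% of denom
        if open_so_far >= num and open_so_far * 100 >= pct * denom:
            return scanned
    return None

def decision_table(spec, mode, sizes=(100, 1000, 65535)):
    """Ports scanned before an all-open (portspoof-like) host is ignored,
    for -F, default and -p- sized scans."""
    table = {}
    for size in sizes:
        pct, num = parse_threshold(spec, size)
        table[size] = ignore_point([True] * size, pct, num, mode)
    return table

if __name__ == "__main__":
    print("Jay -T4 10%,80 over total:", decision_table("10%,80", "total"))
    print("Jay -T5 5%,60 over total: ", decision_table("5%,60", "total"))
    print("Dan 90%,90 over so-far:   ", decision_table("90%,90", "sofar"))
    # Constructed host: every 20th probe lost, modelling dropped packets
    lossy = [i % 20 != 0 for i in range(1, 1001)]
    print("lossy host, 90%,90 so-far:", ignore_point(lossy, 90.0, 90, "sofar"))
```

The total-based table reproduces Jay's figures (80/100/6,554 and 60/60/3,277), while the so-far rule ignores an all-open host after 90 ports whatever the scan size, and a host losing one probe in twenty after 94.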