Nmap questions for the experts

["mark mark" <haxorplanet () gmail com>]

Hi,

I have some questions regarding nmap. I'm not sure if this is the
proper list, i just searched google and found some people asking
nmap-related questions here. Anyway, here are my questions:


1. Is there any way I can specify two different source port for nmap's
-g when doing a TCP and UDP scan at the same time? Usually, I specify
-g 53. However, I think it would be more effective if I will use port
20 (ftp) as my TCP source port, and just use port 50(DNS) as my UDP
source port. I tried specifying both but only the latter port was used
by nmap.

2. Do you really use nmap before running nessus? I just read the
methodology in our report template and read that the reason why nmap
is being used before nessus is because it lessens the amount of work
done by nessus in doing port scanning. Only open ports will be fed to
nessus for vulnerability assessment. However when doing security
assessment, I noticed that most of pentesters rely heavily on nessus
and just completely forget about nmap since nessus can also do port
scanning and os fingerprinting as well.

3. Is there any way I can specify a file which contains a list of
ports that I want to exclude from my scan? I've read the nmap manual
and learned that by default it scans for upto 1024 + all those higher
numbered ports listed in nmap-services. After running a scan, I wanted
to scan all the ports up to 65535 but I don't want to include all
those ports that have already been scanned by nmap.

Here is the nmap command I use all the time during a pentest project:

 nmap -PE -PM -PO -PS -PA -PP -PU -n -sS -sU -g 53 -sV --version-all
-O -T4  --open --log-errors --reason -iL targets.txt -oN syn.txt

4. Do you also use host discovery that heavily using all combinations
of techniques or you just don't do host discovery at all (-PN)?
I notice that most of my collegues ignore host discovery totally,
while I prefer doing it extensively (all techniques), so that I can
decrease the port scan time yet with a reliable result (not missing a
host protected by firewall).

5. Sometimes I encounter error saying "Negative Time Delta...
QUITTING" and tried searching google but couldn't find anything
useful. Any idea what's the cause of it? After getting that error i
just simply run the scan again and it would start working fine again.

6. Anyone experiencing this error "nselib not a directory" when
running the script scan?



That's all for now..
thanks for your replies.

-mark