Nmap Development mailing list archives

Re: Feature Request: --top-ports option for -PS when performing host discovery


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 20 Feb 2008 01:05:14 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not yet.  This is something Doug has wanted for a long time.

The list of "top" 50 ports is open for quite a bit of debate and
varies quite a bit from institution to institution.  The way I
accomplish this sort of host discovery is to run two scans:

nmap -P0 -T5 -p 7,9,13,17,21,22,.... -oG discov.gnmap <targets>

Then, I grep for 'open' in the log:

egrep 'Host.*open' discov.gnmap | awk '{print $2}' | sort | uniq > list.txt

Then I use the list as input into another Nmap scan:

nmap -iL list.txt ...

Now that Nmap has gotten the mass-ping-migration this can be combined
into one long list on -PS where before it was limited to just a few
ports.

You'll probably do well to come up with your own list of top 50 ports
for whatever network you are scanning.  Of course,
21,22,135,139,80,443,445,1025,3389,5000,... are always going to be a
part of the list but at UCSD for example, 8192-8194 are very popular
here.

Here is one quick-n-dirty way to get port counts:

$ egrep -o '[[:digit:]]+\/open\/tcp' openx11.gnmap  | sort | uniq -c | sort -nr
    443 6000/open/tcp
    104 6001/open/tcp
     92 6002/open/tcp
     56 6004/open/tcp
     10 6005/open/tcp
      9 6003/open/tcp
      7 6006/open/tcp
      4 6007/open/tcp
      2 6009/open/tcp
      2 6008/open/tcp


You can tweak the regex to handle other formats (including XML and
Normal) if needed.

If you do end up getting a decent top port list, I'm sure there are
others on the list who would be interested.

Here is our top 50 list:
$ egrep -o '[[:digit:]]+\/open\/tcp' ../all.gnmap  | sort | uniq -c | sort -nr | head -n 50
   5349 139/open/tcp
   5160 445/open/tcp
   4882 22/open/tcp
   3164 3389/open/tcp
   2937 80/open/tcp
   2466 135/open/tcp
   2119 2701/open/tcp
   2114 2702/open/tcp
   1771 23/open/tcp
   1405 443/open/tcp
   1252 5900/open/tcp
   1133 8193/open/tcp
   1132 8192/open/tcp
   1130 8194/open/tcp
   1083 548/open/tcp
    983 497/open/tcp
    963 111/open/tcp
    924 21/open/tcp
    797 25/open/tcp
    739 515/open/tcp
    671 427/open/tcp
    510 631/open/tcp
    486 1025/open/tcp
    434 2049/open/tcp
    391 9100/open/tcp
    377 1761/open/tcp
    356 10000/open/tcp
    311 6000/open/tcp
    296 3306/open/tcp
    257 3689/open/tcp
    248 79/open/tcp
    231 88/open/tcp
    218 280/open/tcp
    212 8080/open/tcp
    205 2967/open/tcp
    202 8000/open/tcp
    199 514/open/tcp
    184 49156/open/tcp
    184 32768/open/tcp
    182 143/open/tcp
    177 993/open/tcp
    175 389/open/tcp
    172 49155/open/tcp
    171 49154/open/tcp
    171 49153/open/tcp
    171 49152/open/tcp
    170 110/open/tcp
    170 1053/open/tcp
    167 20828/open/tcp
    162 625/open/tcp

Brandon


-- 
Brandon Enright
Network Security Analyst
UCSD ACT/Network Security
bmenrigh () ucsd edu


On Tue, 19 Feb 2008 16:43:02 -0600
Nelson <komseh () gmail com> wrote:

> I would like to be able to tell nmap to do host discovery with -PS
> and send the TCP Syn Pings to the top X most common ports.
>
> Something similar to: nmap -sP -PS --top50 xxx.xx.xxx.0/24
>
> Does anyone else think this is useful, or is there a current way to
> do this?
>
> Thanks

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFHu3zRqaGPzAsl94IRAmy7AJwLI6kuX0XR9RXZ72Z/OtP7PurW2gCgidhx
gCSgLqxiiI0lggb1YH3IbgU=
=8KgJ
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
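The two-stage discovery Brandon describes (probe a port list with -oG output, pull out the hosts that showed an open port, feed them back in with -iL, and count open ports to build a site-specific top list) is scripted below as an added example; it is not code from the original message or from the Nmap project. The -oG lines, addresses and hostnames are constructed so it runs offline, the file names are assumptions, and the second-stage command is built as a string rather than executed. Two things worth noting that the posted pipelines do not show: anchoring on "/open/" instead of 'Host.*open' avoids pulling in a host whose hostname or service name merely contains the word "open", and later Nmap releases renamed -P0 to -Pn and -sP to -sn and added a --top-ports option, so the script uses the current spellings.

```sh
#!/bin/sh
# Added example, not from the original message: two-stage Nmap host discovery
# post-processing over a constructed grepable (-oG) file.
# All addresses, hostnames, scan results and file names below are made up.

SAMPLE_GNMAP=$(mktemp)   # assumed stage-1 output file
HOSTS_FILE=$(mktemp)     # assumed list file for -iL
trap 'rm -f "$SAMPLE_GNMAP" "$HOSTS_FILE"' EXIT

# Constructed -oG output. Real output separates the sections with tabs;
# nothing below depends on that, because both parsers key on "/open/".
# 10.0.0.3 has a hostname containing "open" but no open port, which the
# naive 'Host.*open' match from the thread would wrongly treat as live.
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 4.53 scan initiated (constructed sample) as: nmap -P0 -T5 -p 21,22,80,443 -oG discov.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///   Ignored State: closed (2)
Host: 10.0.0.2 (www.example)   Ports: 22/open/tcp//ssh///, 443/filtered/tcp//https///
Host: 10.0.0.3 (opensolaris.example)   Ports: 21/closed/tcp//ftp///, 80/closed/tcp//http///
Host: 10.0.0.4 ()   Status: Up
Host: 10.0.0.4 ()   Ports: 22/open/tcp//ssh///
# Nmap done (constructed sample)
EOF

# Stage 1 post-processing: hosts with at least one open port, one per line.
# "[0-9]+/open/" only matches a port/state field, never a hostname.
live_hosts() {
    grep -E '^Host: .*[0-9]+/open/' "$1" | awk '{print $2}' | sort -u
}

# Per-port counts of open TCP ports, most common first, ties broken by
# port number so the order is deterministic across sort implementations.
top_ports() {
    grep -Eo '[0-9]+/open/tcp' "$1" | cut -d/ -f1 | sort | uniq -c \
        | sort -k1,1nr -k2,2n | head -n "${2:-50}"
}

# The same ports as a comma-separated string, ready to hand to -p or -PS.
top_ports_csv() {
    top_ports "$1" "${2:-50}" \
        | awk '{ printf "%s%s", (NR > 1 ? "," : ""), $2 } END { print "" }'
}

# Stage 2: write the live-host list and build (but do not run) the follow-up
# SYN-ping command. -sn and -Pn are the current spellings of -sP and -P0.
stage2_cmd() {
    live_hosts "$1" > "$2"
    printf 'nmap -sn -PS%s -iL %s\n' "$(top_ports_csv "$1" 10)" "$2"
}

# Stand-alone run: live hosts, port counts, then the command a second pass would use.
live_hosts "$SAMPLE_GNMAP"
top_ports "$SAMPLE_GNMAP"
stage2_cmd "$SAMPLE_GNMAP" "$HOSTS_FILE"
```

Against the constructed sample this lists 10.0.0.1, 10.0.0.2 and 10.0.0.4 as live (10.0.0.3 is excluded despite its hostname), counts port 22 three times and port 80 once, and proposes "nmap -sn -PS22,80 -iL <hosts file>" for the second pass. Pointing top_ports at a real all-hosts .gnmap file, as in the message, gives the per-site top-50 list the thread is asking for.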

