Nmap Development mailing list archives

note to fyodor-ideas


From: mike <dmciscobgp () hotmail com>
Date: Sat, 2 Aug 2008 18:49:03 +0000


 
i wrote this off to fyodor and he responded and told me to post it here:
 
 
 
hello sir. mind if i offer you a few suggestions for your lovely little nmap tool? i have mentioned some in the past but you either blew me off or scrapped them. maybe you'll laugh at these too, who knows.

when you are scanning with nmap, in my opinion it is an absolute that you run it next to a packet sniffer or turn on packet_trace, otherwise you are scanning blind. that being said, we know many newbies won't get that concept. something i have noticed is when you are scanning a target and you feed it data through the use of "data-length" bytes, even if you get whatever gibberish for a response, nmap will not tell you it saw a thing after the scan output. this needs to be changed, i think. you should have a way, as you are scanning, to open up all sockets to see what you get back, if anything. the only way i know nmap says it saw anything after a scan is only by using a specific request of a service scan. here is output for proof of what i am babbling about: windows box scanning another, NTP service.

*this is AFTER A SERVICE SCAN WITH CORRECT DATA SENT TO RECEIVE RESPONSE:

123/udp open   ntp     udp-response Microsoft NTP

*this is what nmap sees after random bytes of 8 sent:

123/udp open|filtered NTP     no-response

and here is the proof said machine spoke back to me with data:

> 192.168.1.5.52619 > 192.168.1.100.123: NTPv6, length 8    unspecified, Leap indicator: -1s (128), Stratum 72, poll 74s, precision[|ntp]

my ip in this case is .100 so that is not me saying that, it's the target. do you now see why this idea would be valuable? i understand it is not a proper response back BUT with that output i AT LEAST know there is something sitting on that socket when nmap tells me there isn't.

the last thing i wanted to mention. a lot of services will only respond if you talk to them direct by using the same source port as the destination, like RIP does. why not have a way to automatically set these services to their corresponding source/dest values in the scripts/service scans (or even during a regular scan?) i think it would be better to ALWAYS use the same source/dest port for any service in question because there is a greater chance of reply/output back. agreed?

ok, you heard my ideas, toss them if you wish or at least acknowledge them and tell me what you think, good or bad. i admit i am not a coder and this is a mere hobby of mine i have been at for over 5 years and love it. been using nmap since its infancy as well. i would love to have people be able to offer input and see a bit of recognition even if it is just in offering up great ideas that get put into use. thank you for your time

Mike
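The two behaviours Mike asks for (show the raw bytes a UDP port sends back even when they cannot be parsed, and bind the source port to the destination port for services such as RIP) can be illustrated with a small probe. The script below is an added example written for this archive page; it is not Mike's code, not part of Nmap, and not how Nmap implements UDP scanning. The state names follow Nmap's UDP vocabulary, but the `SAME_SOURCE_PORT_SERVICES` table, the loopback responder and the eight-byte reply are constructed for the demonstration and are assumptions, not Nmap data.

```python
import socket
import threading

# Services known to answer only when the source port matches the destination
# port. RIP on 520/udp is the example from the post; anything added beyond
# that is an assumption of this example, not a list maintained by Nmap.
SAME_SOURCE_PORT_SERVICES = {520: "rip"}


def choose_source_port(dest_port):
    """Return the source port to bind for dest_port, or None for an ephemeral one."""
    return dest_port if dest_port in SAME_SOURCE_PORT_SERVICES else None


def probe_udp(host, port, payload, source_port=None, timeout=1.0):
    """Send one UDP datagram and report exactly what came back.

    Returns (state, data). The state mirrors Nmap's UDP port states:
      "open"          a datagram came back; data holds its raw bytes, even
                      if they are gibberish no parser understands
      "closed"        the kernel reported ICMP port unreachable
      "open|filtered" nothing came back before the timeout
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.settimeout(timeout)
        if source_port is not None:
            sock.bind(("", source_port))
        # A connected UDP socket surfaces ICMP port unreachable as ECONNREFUSED.
        sock.connect((host, port))
        sock.send(payload)
        try:
            data = sock.recv(4096)
        except ConnectionRefusedError:
            return ("closed", b"")
        except socket.timeout:
            return ("open|filtered", b"")
        return ("open", data)
    finally:
        sock.close()


def format_result(port, state, data):
    """One line in the spirit of Nmap's port table, plus the raw reply bytes."""
    line = "%d/udp %s" % (port, state)
    if data:
        line += "  %d bytes received: %s" % (len(data), data.hex())
    return line


def free_udp_port():
    """Constructed helper: ask the kernel for a currently unused UDP port."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def start_local_responder(reply):
    """Constructed test peer: a UDP listener on 127.0.0.1 that answers one
    datagram with `reply` and then exits. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        try:
            _, peer = srv.recvfrom(4096)
            srv.sendto(reply, peer)
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed reply: eight bytes of "gibberish", as in the post's NTP capture.
    port = start_local_responder(b"\xc8\x48\x4a\x00\x00\x00\x00\x00")
    state, data = probe_udp("127.0.0.1", port, b"\x00" * 8,
                            source_port=choose_source_port(port))
    print(format_result(port, state, data))
```

Run against the loopback responder the script prints `open` together with the hex of the eight bytes, which is the information the `no-response` line in the post hides; against a port with no listener it reports `closed` on systems that deliver ICMP port unreachable to a connected UDP socket, and `open|filtered` where the ICMP is suppressed. Passing `source_port=choose_source_port(520)` binds local port 520, which needs root on most systems, exactly the situation the post describes for RIP.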

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

