Nmap Development mailing list archives

Re: Zenmap profiles


From: David Fifield <david () bamsoftware com>
Date: Thu, 28 Aug 2008 14:14:56 -0600

On Mon, Aug 25, 2008 at 08:34:01PM -0700, Fyodor wrote:
    [Intense Scan]
    nmap -A -T Aggressive -v <target>

This is a good default.  I agree that -T4 is probably better than "-T
Aggressive".  I'd add more discovery options.  How about: "-PE
-PS22,25,80 -PA21,23,80,3389"?  The only issue I see is that it would
be problematic for nonroot users.  Is there an easy way to omit the
options for them?

There isn't an easy way to leave them out currently, though that's a
good idea. Nmap is smart enough to replace SYN or ACK pings with connect
pings if only one of -PS and -PA are given, so I kept in the -PA.

    [Quick Scan]
    nmap -T Aggressive -n -v <target>

I would add -F, remove -n (DNS resolution is faster now than it used
to be) and remove -v (-F is fast enough that seeing the ports as they
are found isn't so important, and just clutters the output).  I'd put
this one relatively high on the list, maybe #2.

You're right that this should be number 2. However the profile loader
would have to be rewritten to support that. The ConfigParser module
Zenmap uses to read scan_profiles.usp doesn't provide for recovering the
order of entries in a file. It turns out "Intense scan" has been the
default all this time simply because it comes first alphabetically.
Removing the sorting wouldn't help, because then the profiles come up in
a random order.

    [Intense Scan + UDP]
    Same as Intense, plus add -sU

    [Intense Scan All TCP Ports]
    Same as Intense, plus -p-

    [Intense Scan, Skip Ping]
    Same as Intense, plus -PN

    [Comprehensive Scan (Slow)]
    Intense scan, plus -sU and -p- and even more host discovery options,
    such as "-PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO",
    and possibly even --script=all

I added all these, except I used the name "Slow comprehensive scan" to
work around the profile ordering problem I mentioned.

I would like to add a "Quick traceroute" profile, which would be

        nmap -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute <target>

That would be a great way to show off the topology without having to do
a full port scan. You could traceroute dozens of hosts in a reasonable
time. However, when the traceroute code is picking its probe, it doesn't
necessarily choose the ping probe that got a positive response, it just
picks the first one listed. So if I get a response to the -PS80 probe, I
commonly get (after a long wait)

        TRACEROUTE (using port 22/tcp)
        HOP RTT ADDRESS
        ! maximum TTL reached (50)

This should be fixed, maybe by using the pingprobe member of Target that
caches the timing ping probe. It always corresponds to a port with a
positive response, and automatically elevates itself to a better probe
when possible (for example it will replace SYN to an open port with an
ACK). In the meantime I made the quick traceroute use only SYN probes:

        nmap -p22,23,25,80,3389 --traceroute -PN <target>

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
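The profile-ordering problem David describes (ConfigParser giving back sections with no record of their file order, so "Intense scan" wins the default slot alphabetically) is easy to work around with a loader that scans the file itself. The following is an added example, not Zenmap's code and not from this thread. It assumes the layout of Zenmap's scan_profiles.usp is INI-style "[Profile name]" sections with "command =" and "description =" entries (an assumption from memory of the stock file, not something this message states); the sample file is constructed from the commands discussed above. The alphabetical helper sorts explicitly to reproduce the 2008 behaviour, since modern Python 3 configparser does keep file order.

```python
"""Order-preserving loader for a Zenmap-style scan_profiles.usp file.

Added example, not Zenmap's own code. Assumption: the .usp layout is
INI-style "[Profile name]" sections with "command = ..." and
"description = ..." entries. The sample text is constructed from the
profiles discussed in the thread.
"""
import configparser
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the assumed .usp layout; the nmap command lines
# are the ones proposed in the thread, in the order Fyodor wanted them.
SAMPLE_USP = """\
[Intense scan]
command = nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
description = An intense, comprehensive scan.

[Quick scan]
command = nmap -T4 -F
description = Scan the most common ports quickly.

[Intense scan + UDP]
command = nmap -sU -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
description = Intense scan, plus UDP.

[Slow comprehensive scan]
command = nmap -sU -p- -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script=all
description = Every port, every protocol, every script.
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
# key may not start with a delimiter or comment char; first '=' or ':' splits
ENTRY_RE = re.compile(r"^(?P<key>[^=:#;][^=:]*?)\s*[=:]\s*(?P<value>.*)$")


def load_profiles_ordered(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse .usp text into (name, entries) pairs in file order.

    A plain line scan is all this layout needs, and it keeps the section
    order that an order-agnostic ConfigParser throws away.
    """
    profiles: List[Tuple[str, Dict[str, str]]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = {}
            profiles.append((m.group("name").strip(), current))
            continue
        if current is None:
            raise ValueError("entry before any [section]: %r" % line)
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        # keys are case-insensitive in INI files; normalise to lower case
        current[m.group("key").strip().lower()] = m.group("value").strip()
    return profiles


def profile_names_sorted(text: str) -> List[str]:
    """What a loader that sorts the section names shows in the menu:
    alphabetical order, which is why 'Intense scan' came up first."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return sorted(cp.sections())


def profile_names_in_file_order(text: str) -> List[str]:
    """Menu order when the loader keeps the file's own order."""
    return [name for name, _ in load_profiles_ordered(text)]


def default_profile(text: str) -> str:
    """First profile in file order, i.e. the intended default."""
    return profile_names_in_file_order(text)[0]


if __name__ == "__main__":
    print("alphabetical:", profile_names_sorted(SAMPLE_USP))
    print("file order:  ", profile_names_in_file_order(SAMPLE_USP))
    print("default:     ", default_profile(SAMPLE_USP))
```

With the file order kept, "Quick scan" lands in slot #2 without any renaming tricks, and the default is whatever profile is written first rather than whatever sorts first.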