Nmap Development mailing list archives
Re: Zenmap profiles
From: David Fifield <david () bamsoftware com>
Date: Thu, 28 Aug 2008 14:14:56 -0600
On Mon, Aug 25, 2008 at 08:34:01PM -0700, Fyodor wrote:
> [Intense Scan] nmap -A -T Aggressive -v <target>
>
> This is a good default. I agree that -T4 is probably better than "-T Aggressive". I'd add more discovery options. How about: "-PE -PS22,25,80 -PA21,23,80,3389"? The only issue I see is that it would be problematic for nonroot users. Is there an easy way to omit the options for them?
There isn't an easy way to leave them out currently, though that's a good idea. Nmap is smart enough to replace SYN or ACK pings with connect pings if only one of -PS and -PA are given, so I kept in the -PA.
> [Quick Scan] nmap -T Aggressive -n -v <target>
>
> I would add -F, remove -n (DNS resolution is faster now than it used to be) and remove -v (-F is fast enough that seeing the ports as they are found isn't so important, and just clutters the output). I'd put this one relatively high on the list, maybe #2.
You're right that this should be number 2. However the profile loader would have to be rewritten to support that. The ConfigParser module Zenmap uses to read scan_profiles.usp doesn't provide for recovering the order of entries in a file. It turns out "Intense scan" has been the default all this time simply because it comes first alphabetically. Removing the sorting wouldn't help, because then the profiles come up in a random order.
> [Intense Scan + UDP] Same as Intense, plus add -sU
> [Intense Scan All TCP Ports] Same as Intense, plus -p-
> [Intense Scan, Skip Ping] Same as Intense, plus -PN
> [Comprehensive Scan (Slow)] Intense scan, plus -sU and -p- and even more host discovery options, such as "-PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO", and possibly even --script=all
I added all these, except I used the name "Slow comprehensive scan" to work around the profile ordering problem I mentioned.

I would like to add a "Quick traceroute" profile, which would be

nmap -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute <target>

That would be a great way to show off the topology without having to do a full port scan. You could traceroute dozens of hosts in a reasonable time. However, when the traceroute code is picking its probe, it doesn't necessarily choose the ping probe that got a positive response; it just picks the first one listed. So if I get a response to the -PS80 probe, I commonly get (after a long wait)

TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
! maximum TTL reached (50)

This should be fixed, maybe by using the pingprobe member of Target that caches the timing ping probe. It always corresponds to a port with a positive response, and automatically elevates itself to a better probe when possible (for example it will replace SYN to an open port with an ACK). In the meantime I made the quick traceroute use only SYN probes:

nmap -p22,23,25,80,3389 --traceroute -PN <target>

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
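The ordering problem David describes (a dict-backed ConfigParser loses the order of sections, so the profile list fell back to alphabetical order and "Intense scan" came first only by accident, and "Comprehensive scan (slow)" had to be renamed so it would not sort ahead of it) is easy to see with a small order-preserving reader. The following is an added example, not Zenmap's own loader or any code from this thread. It assumes (this is an assumption, not stated in the thread) that scan_profiles.usp has the INI-style layout ConfigParser reads: a "[Profile name]" header followed by "key = value" lines. The sample file is constructed here from the commands proposed in the thread, with the <target> placeholder left off.

```python
"""Order-preserving reader for a Zenmap-style profile file.

Added example for the profile ordering problem discussed in the thread;
this is not Zenmap's own loader.  It assumes (an assumption, not taken
from the thread) that scan_profiles.usp uses INI-style sections,
"[Profile name]" followed by "key = value" lines, i.e. what ConfigParser
reads.
"""
import re

# A section header such as "[Intense scan]"
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# An option line such as "command = nmap -T4 -A -v" (":" accepted too)
OPTION_RE = re.compile(r"^\s*(?P<key>[^=:#;\s][^=:]*?)\s*[=:]\s*(?P<value>.*?)\s*$")


def parse_profiles(text):
    """Return [(name, {key: value}), ...] in the order the sections appear.

    A list keeps file order, so "Quick scan" can be shown second simply
    by writing it second in the file, instead of renaming profiles so
    that an alphabetical sort happens to give the wanted order.
    """
    profiles = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = (m.group("name").strip(), {})
            profiles.append(current)
            continue
        if current is None:
            raise ValueError("option before any section: %r" % line)
        m = OPTION_RE.match(line)
        if m is None:
            raise ValueError("cannot parse line: %r" % line)
        current[1][m.group("key")] = m.group("value")
    return profiles


def profile_names(text):
    """Profile names in file order (the order a menu should show)."""
    return [name for name, _ in parse_profiles(text)]


def sorted_profile_names(text):
    """Profile names sorted alphabetically (the order Zenmap fell back to)."""
    return sorted(profile_names(text))


def command_for(text, name):
    """Look up the nmap command line stored for one profile."""
    for profile_name, options in parse_profiles(text):
        if profile_name == name:
            return options["command"]
    raise KeyError(name)


# Constructed sample in the assumed layout; the commands are the ones
# proposed in the thread, written without the <target> placeholder.
SAMPLE_USP = """\
# constructed sample profile file
[Intense scan]
command = nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
description = Intense scan with extra host discovery probes.

[Quick scan]
command = nmap -T4 -F
description = Scan only the most common ports.

[Slow comprehensive scan]
command = nmap -sS -sU -T4 -A -v -p- -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script=all
description = Every TCP port, top UDP ports, and more discovery options.

[Quick traceroute]
command = nmap -p22,23,25,80,3389 --traceroute -PN
description = Traceroute to a few common ports without a full port scan.
"""

if __name__ == "__main__":
    print("file order:  ", profile_names(SAMPLE_USP))
    print("sorted order:", sorted_profile_names(SAMPLE_USP))
    print("quick scan ->", command_for(SAMPLE_USP, "Quick scan"))
```

Run stand-alone, the script prints the four profiles in file order, then in alphabetical order; the second list is the one where "Intense scan" lands first by accident, and adding a profile named "Comprehensive scan (slow)" to it would put that profile ahead of "Intense scan", which is why the "Slow comprehensive scan" name was chosen.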
Current thread:
- Zenmap profiles David Fifield (Aug 24)
- Re: Zenmap profiles Michael Pattrick (Aug 24)
- Re: Zenmap profiles Kris Katterjohn (Aug 24)
- Re: Zenmap profiles David Fifield (Aug 24)
- Re: Zenmap profiles eldraco (Aug 25)
- Re: Zenmap profiles Fyodor (Aug 25)
- Re: Zenmap profiles David Fifield (Aug 28)
- Re: Zenmap profiles Fyodor (Aug 28)
- Re: Zenmap profiles Vladimir Mitrovic (Aug 29)
- Re: Zenmap profiles David Fifield (Aug 29)
- Re: Zenmap profiles David Fifield (Aug 28)
- Re: Zenmap profiles Michael Pattrick (Aug 24)
- Re: Zenmap profiles David Fifield (Aug 28)