Nmap Development mailing list archives

NSE without ping or port scanning: interface ideas
From: David Fifield <david () bamsoftware com>
Date: Fri, 10 Jul 2009 13:40:26 -0600

Hi,

NSE can run host scripts without port scanning, only ping scanning, when
you combine -sC with -sP. But sometimes you want to run scripts without
even ping scanning. I had to do this while doing whois lookups to select
hosts for the ping probe effectiveness tests; obviously I couldn't limit
the host selection to hosts that the default host discovery found to be up.

Script scanning without ping or port scanning isn't hard to implement,
but we've been stumbling over the user interface. These are some ideas.

nmap -sC -sP -PN
This is what I used in my tests. A problem is the seemingly
contradictory options -sP -PN. You have to think of -sP not as "ping
scan" but as "don't port scan."

nmap -sC -sL
This one is nice because -sL already means "no ping or port scan."
However it means that -sL is no longer a guaranteed "safe" scan that
doesn't contact the targets.

nmap -sC -PN -s0
-s0 is a made-up option that means "don't port scan," analogous to -PN.
-sN would be a better match but that is already NULL scan.

None of these choices is compelling, so I'm open to other ideas.

Another idea I'd like to solicit comments on is to allow -p to be used
with -sP -sC. The port list would be a list of ports that are assumed to
be open on each host, without doing a port scan. This would allow
running port scripts, not just host scripts, with -sP. Assuming the
ports to be open would work much the same way as -PN assumes hosts to be up.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org