Nmap Development mailing list archives
Re: Qscan in NSE: qscan.nse
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 21 Mar 2010 12:25:17 -0500
On 03/21/2010 06:26 AM, jah wrote:
> On 18/03/2010 02:06, Kris Katterjohn wrote:
>> Luckily I had some free time this afternoon and got a script written up, attached as qscan.nse. NSEdoc at the top should cover the options and usage, but the rundown on the options is confidence, delay and numtrips, just like the original qscan has.
>
> Great work Kris! I wish I could provide some scan results which show it working well, but I've only been able to test it against virtual machines on the same network (one VM with some open ports, masquerading for other VMs on a different subnet) and even though I've experimented with different values for confidence, delay and numtrips I think the round trip times I've seen aren't sufficiently stable and/or different to distinguish between families. What we need is a public test machine...
Thanks for testing, jah (and everyone)! Any testing is good for me ;) You made me want to test more, so I've just decided to copy the results for some hosts on my LAN below (more output for others to see is a good thing I suppose). The output has been changed just slightly per David's email.

This is an old, unused VoIP gateway with SSH forwarded to a host over the internet (this one lets you do that, while many little devices that I've seen only let you forward in-LAN, like my wrt54g below):

| qscan:
| PORT FAMILY MEAN (ms) STDDEV LOSS (%)
| 21   0      3.70      1.25   0.0%
| 22   1      77.70     0.95   0.0%
| 23   0      3.60      1.26   0.0%
| 25   0      3.50      0.85   0.0%
| 80   0      4.10      2.13   0.0%
|_443  0      3.20      0.79   0.0%

This is a directly connected host connected by serial line (ppp):

| qscan:
| PORT FAMILY MEAN (ms) STDDEV LOSS (%)
| 21   0      9.40      2.63   0.0%
| 22   0      10.30     2.75   0.0%
| 23   0      8.80      3.33   0.0%
| 25   0      11.30     2.75   0.0%
| 80   0      8.00      2.21   0.0%
|_443  0      8.30      4.14   0.0%

This is my main Linksys gateway (I'm investigating [or been meaning to...] the packet loss, which looks to somehow be its faulty stock software, because both this and ipidseq can temporarily bring down the httpd without meaning to, for no reason; maybe it's dd-wrt time for this one too):

| qscan:
| PORT FAMILY MEAN (ms) STDDEV LOSS (%)
| 21   0      2.90      0.57   0.0%
| 23   0      2.50      0.53   0.0%
| 80   0      3.14      1.35   30.0%
|_443  0      3.29      1.25   30.0%

This is the same Linksys but from the outside (delay=300), with telnet forwarded to the VoIP gateway above:

| qscan:
| PORT FAMILY MEAN (ms) STDDEV LOSS (%)
| 21   0      2.70      1.25   0.0%
| 22   0      2.50      0.53   0.0%
| 23   1      4.80      0.63   0.0%
| 25   0      2.40      0.52   0.0%
| 80   0      2.40      0.70   0.0%
|_443  0      2.40      0.52   0.0%

So these types of tests are the best I can do, but qscan seems to prove itself useful and accurate for me.
> One thing I noticed is that qscan.nse runs against targets when only a single port was specified. I think that if fewer than two ports are in a testable state then qscan shouldn't run (unless maybe it was explicitly requested).
Good find, but actually this was silently fixed in my last attached script. I forgot to mention it in the email...
> Still, once we can be confident of its effectiveness, it's a neat script to have in our arsenal!
Great, I'm glad you think so! Maybe my tests above have instilled a little of that confidence in you? :-P Nah, hopefully qscan can do that itself when you get a chance to test outside of VMs. I'm going to try to fix up the docs per David's suggestions and commit today (last day of spring break... oh noes).
> Cheers, jah
Cheers, Kris Katterjohn
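To make the PORT/FAMILY/MEAN/STDDEV/LOSS columns above concrete, here is an added Python example (not qscan.nse's code and not from this thread) that computes those statistics from constructed per-port RTT samples, groups ports into families, and refuses to run when fewer than two ports are testable, as jah suggests. The family test (means further apart than `confidence` pooled standard deviations) is an assumed simplification, not the statistical test qscan actually uses.

```python
import statistics

# Constructed RTT samples in ms, one per probe round trip; None marks a lost probe.
# Port 22 is meant to look like a forwarded service (much higher RTT) as in the
# VoIP gateway output above.
SAMPLES = {
    21: [3.0, 4.0, 5.0, 3.0, 4.0, 2.0, 5.0, 3.0, 4.0, 4.0],
    22: [77.0, 78.0, 77.0, 79.0, 78.0, 77.0, 78.0, 77.0, 78.0, 78.0],
    23: [3.0, 4.0, 3.0, 5.0, 4.0, 3.0, 4.0, 3.0, 4.0, None],
}

def port_stats(rtts):
    """Return (mean, sample stddev, loss percent) over the probes that got a reply."""
    got = [r for r in rtts if r is not None]
    loss = 100.0 * (len(rtts) - len(got)) / len(rtts)
    mean = statistics.fmean(got) if got else float("nan")
    sd = statistics.stdev(got) if len(got) > 1 else 0.0
    return mean, sd, loss

def same_family(a, b, confidence):
    """Assumed heuristic: two ports share a family unless their mean RTTs differ by
    more than `confidence` pooled standard deviations."""
    pooled = ((a[1] ** 2 + b[1] ** 2) / 2) ** 0.5 or 1e-9  # avoid divide-by-zero
    return abs(a[0] - b[0]) <= confidence * pooled

def group_families(samples, confidence=3.0):
    """Map port -> family id. Returns {} when fewer than two ports answered at all,
    mirroring the 'don't run on a single port' point made above."""
    stats = {p: port_stats(r) for p, r in samples.items()}
    testable = {p: s for p, s in stats.items() if s[2] < 100.0}
    if len(testable) < 2:
        return {}
    families, reps = {}, []  # reps: (family id, stats of that family's first port)
    for port in sorted(testable):
        for fid, rep in reps:
            if same_family(testable[port], rep, confidence):
                families[port] = fid
                break
        else:  # no existing family matched: open a new one
            families[port] = len(reps)
            reps.append((len(reps), testable[port]))
    return families

def render(samples, confidence=3.0):
    """Format rows in the same column order as the qscan table in the mail above."""
    rows = []
    for port, fid in sorted(group_families(samples, confidence).items()):
        mean, sd, loss = port_stats(samples[port])
        rows.append(f"{port:<5} {fid:<6} {mean:6.2f} {sd:5.2f} {loss:4.1f}%")
    return rows
```

With the constructed samples, ports 21 and 23 land in family 0 and port 22 in family 1; dropping the input to a single port, or to ports that never replied, yields no families at all.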