Nmap Development mailing list archives

Re: Qscan in NSE: qscan.nse


From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 21 Mar 2010 12:25:17 -0500


On 03/21/2010 06:26 AM, jah wrote:
> On 18/03/2010 02:06, Kris Katterjohn wrote:
>> Luckily I had some free time this afternoon and got a script written up,
>> attached as qscan.nse.  NSEdoc at the top should cover the options and
>> usage, but the rundown on the options is confidence, delay and numtrips
>> just like the original qscan has.
> Great work Kris!  I wish I could provide some scan results which show it
> working well, but I've only been able to test it against virtual
> machines on the same network (one VM with some open ports, masquerading
> for other VMs on a different subnet) and even though I've experimented
> with different values for confidence, delay and numtrips I think the
> round trip times I've seen aren't sufficiently stable and/or different
> to distinguish between families.
> What we need is a public test machine...


Thanks for testing, jah (and everyone)!  Any testing is good for me ;)

You made me want to test more, so I've just decided to copy the results for
some hosts on my LAN below (more output for others to see is a good thing I
suppose).  The output has been changed just slightly per David's email.

This is an old, unused VoIP gateway with SSH forwarded to a host over the
internet (this one lets you do that, while many little devices that I've seen
only let you forward in-LAN, like my wrt54g below):

| qscan:
| PORT  FAMILY  MEAN (ms)  STDDEV  LOSS (%)
| 21    0       3.70       1.25    0.0%
| 22    1       77.70      0.95    0.0%
| 23    0       3.60       1.26    0.0%
| 25    0       3.50       0.85    0.0%
| 80    0       4.10       2.13    0.0%
|_443   0       3.20       0.79    0.0%

This is a host directly connected by serial line (ppp):

| qscan:
| PORT  FAMILY  MEAN (ms)  STDDEV  LOSS (%)
| 21    0       9.40       2.63    0.0%
| 22    0       10.30      2.75    0.0%
| 23    0       8.80       3.33    0.0%
| 25    0       11.30      2.75    0.0%
| 80    0       8.00       2.21    0.0%
|_443   0       8.30       4.14    0.0%

This is my main Linksys gateway (I'm investigating [or been meaning to...] the
packet loss, which looks to somehow be its faulty stock software because both
this and ipidseq can temporarily bring down the httpd without meaning to, for
no reason; maybe it's dd-wrt time for this one too):

| qscan:
| PORT  FAMILY  MEAN (ms)  STDDEV  LOSS (%)
| 21    0       2.90       0.57    0.0%
| 23    0       2.50       0.53    0.0%
| 80    0       3.14       1.35    30.0%
|_443   0       3.29       1.25    30.0%

This is the same Linksys but from the outside (delay=300), with telnet
forwarded to the VoIP gateway above:

| qscan:
| PORT  FAMILY  MEAN (ms)  STDDEV  LOSS (%)
| 21    0       2.70       1.25    0.0%
| 22    0       2.50       0.53    0.0%
| 23    1       4.80       0.63    0.0%
| 25    0       2.40       0.52    0.0%
| 80    0       2.40       0.70    0.0%
|_443   0       2.40       0.52    0.0%


So these types of tests are the best I can do, but qscan seems to prove itself
useful and accurate for me.

> One thing I noticed is that qscan.nse runs against targets when only a
> single port was specified.  I think that if fewer than two ports are in a
> testable state then qscan shouldn't run (unless maybe it was
> explicitly requested).


Good find, but actually this was silently fixed in my last attached script.  I
forgot to mention it in the email...

> Still, once we can be confident of its effectiveness, it's a neat
> script to have in our arsenal!


Great, I'm glad you think so!  Maybe my tests above have instilled a little of
that confidence in you? :-P  Nah, hopefully qscan can do that itself when you
get a chance to test outside of VMs.

I'm going to try to fix up the docs per David's suggestions and commit today
(last day of spring break... oh noes).

> Cheers,
>
> jah


Cheers,
Kris Katterjohn
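qscan tells the forwarded port apart from the locally served ones (port 22 in the first table above, port 23 in the last) by comparing each port's round-trip-time distribution against the others at the requested confidence. The following is an added illustration written for this post, not code from qscan.nse: it takes per-port RTT samples (constructed below to match the shape of the first table), applies Welch's t-test with an assumed two-sided 95% critical-value table standing in for the script's confidence option, assigns families in port order, and reports loss for probes that got no reply.

```python
import math
# Two-sided 95% Student's t critical values by degrees of freedom (9..20), an
# assumed stand-in for the script's confidence option; df outside is clamped.
T_CRIT_95 = {9: 2.262, 10: 2.228, 11: 2.201, 12: 2.179, 13: 2.160, 14: 2.145,
             15: 2.131, 16: 2.120, 17: 2.110, 18: 2.101, 19: 2.093, 20: 2.086}

def mean_sd(xs):
    """Sample mean and standard deviation (n-1 denominator)."""
    m = sum(xs) / len(xs)
    return m, math.sqrt(sum((x - m) ** 2 for x in xs) / (len(xs) - 1))

def same_family(a, b):
    """Welch's t-test: True when RTT samples a and b cannot be told apart."""
    ma, sa = mean_sd(a)
    mb, sb = mean_sd(b)
    va, vb = sa * sa / len(a), sb * sb / len(b)
    if va + vb == 0:              # both ports answered with identical RTTs
        return ma == mb
    t = abs(ma - mb) / math.sqrt(va + vb)
    # Welch-Satterthwaite degrees of freedom, clamped to the table's range
    df = (va + vb) ** 2 / (va ** 2 / (len(a) - 1) + vb ** 2 / (len(b) - 1))
    return t < T_CRIT_95[max(9, min(20, int(df)))]

def assign_families(rtts):
    """rtts: {port: [rtt_ms or None, ...]}; returns {port: (family, mean, sd, loss%)}."""
    reps, out = [], {}            # reps[f] = RTT samples of family f's first port
    for port in sorted(rtts):
        probes = rtts[port]
        got = [r for r in probes if r is not None]   # None marks a lost probe
        loss = 100.0 * (len(probes) - len(got)) / len(probes)
        if len(got) < 2:          # not enough replies to test: no family
            out[port] = (None, None, None, loss)
            continue
        for fam, rep in enumerate(reps):
            if same_family(got, rep):
                break
        else:                     # differs from every family seen so far
            fam = len(reps)
            reps.append(got)
        m, sd = mean_sd(got)
        out[port] = (fam, round(m, 2), round(sd, 2), loss)
    return out

# Constructed samples shaped like the first table in the post: five locally
# served ports near 3.5 ms and SSH (22) forwarded over the internet near 78 ms.
SPREAD = [-1.5, -1.0, -0.5, -0.25, 0.0, 0.0, 0.25, 0.5, 1.0, 1.5]
SAMPLE = {p: [m + s * o for o in SPREAD] for p, (m, s) in
          {21: (3.7, 1.25), 22: (77.7, 0.95), 23: (3.6, 1.26),
           25: (3.5, 0.85), 80: (4.1, 2.13), 443: (3.2, 0.79)}.items()}
```

Running assign_families(SAMPLE) puts 21, 23, 25, 80 and 443 in family 0 and 22 alone in family 1, the same split the first table shows; a single-host family with a much higher mean is what a forwarded service looks like in this output.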

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
