Nmap Development mailing list archives
Re: Stumbling into the obvious
From: David Fifield <david () bamsoftware com>
Date: Tue, 13 Apr 2010 08:44:48 -0600
On Tue, Apr 13, 2010 at 09:14:39AM -0400, Stephen Kleine wrote:
> From: David Fifield [mailto:david () bamsoftware com]
> Sent: Friday, April 09, 2010 3:14 PM
> To: Stephen Kleine
> Cc: nmap-dev () insecure org
> Subject: Re: Stumbling into the obvious
>
> On Fri, Apr 09, 2010 at 09:32:13AM -0400, Stephen Kleine wrote:
> > Obligatory Notice: I'm a relative newcomer to NMAP. After reading about
> > the Mayo Clinic's scan in the book, I did some research on commonly-used
> > Windows ports. I've come up with this scan for Windows systems:
> >
> > nmap -p 1-1023,1067,1068,1270,1433,1434,1645,1646,1701,1723,1755,1801,1812,1813,1900,2101,2103,2105,2107,2393,2394,2460,2535,2701-2704,2725,2869,3268,3269,3343,3389,3527,4011,4500,5000,5004,5005,5722,6001,6002,6004,42424,51515 -T3 -n -PN
>
> Tell us more about the research you did. How much overlap is there with
> Nmap's default 1000-port list? You can easily extract the port list from
> XML output.
>
> ------
>
> There is a fair amount of overlap between the Normal scan and the Windows
> scan I've found (both do the bottom 1023 ports, PPTP is well within the
> top 67 ports, etc.)

Nmap doesn't scan all of the bottom 1023 ports anymore. You may be using
an old version. Now it's the top 1000 by how likely they are to be open.

> As for research on the Windows-specific ports, those can be found at
> http://support.microsoft.com/kb/832017#5 in the table "Ports and
> Protocols".
Thanks, that's a good link to have. I measured the overlap. Ignoring
ports 1-1023, there are 44 ports in the Windows list. Nmap's default
gets all but 17 of them:
1270,1645,1646,1701,1813,2101,2460,2535,2703,2704,3343,4011,
4500,5005,5722,42424,51515
According to the Microsoft page, though, 10 of these remaining ports are
UDP-only (1645,1646,1701,1813,2460,2535,3343,4011,4500,5005), so it's no
surprise they don't appear among the top TCP ports. The remaining TCP
ports are
1270,2101,2703,2704,5722,42424,51515
Increasing it to --top-ports 2000, the list becomes
2703,2704,5722,42424,51515
So Nmap is doing a pretty good job of finding these Windows ports, just
based on empirical measurements. You could get a little better coverage
by using that full Windows port list, but then you're spending time
scanning ports that are unlikely to be open. Those five remaining ports
were found open at most once in over 10,000 hosts in our testing.
David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
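The overlap measurement David describes (extract the scanned port list from Nmap's XML output, subtract it from the Windows list, and separate the UDP-only ports that a TCP scan can never hit) as a script. This is an added example, not code from the thread or from the Nmap project. The -p specification is the one Stephen posted; the short Windows port table with protocols and the <scaninfo> element are constructed stand-ins, so against a real run you would feed it the output of `nmap --top-ports 1000 -oX - <host>` and the full KB832017 table. It relies on the `services=` attribute of `<scaninfo>` in Nmap XML output, which lists the ports scanned in the same syntax that -p accepts.

```python
import xml.etree.ElementTree as ET

# The -p argument Stephen posted in the thread.
WINDOWS_SPEC = (
    "1-1023,1067,1068,1270,1433,1434,1645,1646,1701,1723,1755,1801,"
    "1812,1813,1900,2101,2103,2105,2107,2393,2394,2460,2535,2701-2704,"
    "2725,2869,3268,3269,3343,3389,3527,4011,4500,5000,5004,5005,5722,"
    "6001,6002,6004,42424,51515"
)

# Constructed stand-in for the KB832017 table: port -> protocols it is
# listed under. Only a few entries, chosen to exercise each outcome below.
SAMPLE_TARGETS = {
    135: {"tcp"},
    139: {"tcp"},
    445: {"tcp"},
    1270: {"tcp"},
    1701: {"udp"},   # UDP only: a TCP-only scan cannot find it at all
    3389: {"tcp"},
    5722: {"tcp"},
}

# Constructed stand-in for `nmap --top-ports 10 -oX - host` output. Only the
# <scaninfo> element is used, and its services= list is made up for the test.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --top-ports 10 -oX - 127.0.0.1">
<scaninfo type="syn" protocol="tcp" numservices="10"
          services="21-23,25,80,110,139,443,445,3389"/>
</nmaprun>
"""


def parse_port_spec(spec):
    """Expand an Nmap-style port list ("1-1023,1067,3389") into a set of ints.

    -p on the command line and the services= attribute of <scaninfo> in -oX
    output use the same syntax, so one parser serves both.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = item.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def scanned_ports_from_xml(xml_text):
    """Return {protocol: set(ports)} from every <scaninfo> in Nmap XML output.

    A combined -sS -sU run emits one <scaninfo> per protocol; each is kept
    under its own key so UDP and TCP coverage are judged separately.
    """
    scanned = {}
    for info in ET.fromstring(xml_text).iter("scaninfo"):
        proto = info.get("protocol")
        scanned.setdefault(proto, set()).update(
            parse_port_spec(info.get("services", "")))
    return scanned


def coverage(targets, scanned):
    """Classify each target port against the scanned port lists.

    covered:  the port appears in the scan under one of its protocols
    missed:   the scan covers one of the port's protocols but left it out
    no_scan_for_protocol: none of the port's protocols were scanned at all
                          (David's "UDP-only" case against a TCP scan)
    """
    report = {"covered": set(), "missed": set(), "no_scan_for_protocol": set()}
    for port, protos in targets.items():
        if any(port in scanned.get(p, ()) for p in protos):
            report["covered"].add(port)
        elif any(p in scanned for p in protos):
            report["missed"].add(port)
        else:
            report["no_scan_for_protocol"].add(port)
    return report


if __name__ == "__main__":
    extra = sorted(parse_port_spec(WINDOWS_SPEC) - set(range(1, 1024)))
    print(f"{len(extra)} ports above 1023 in the posted -p list")
    result = coverage(SAMPLE_TARGETS, scanned_ports_from_xml(SAMPLE_XML))
    for kind, ports in result.items():
        print(f"{kind}: {sorted(ports)}")
```

Against a real `--top-ports 1000` run the "missed" set is the TCP list David ends up with, and raising the count (`--top-ports 2000`) shrinks it the way his message shows; the `no_scan_for_protocol` set only empties once a UDP scan (`-sU`) contributes its own `<scaninfo>`.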
Current thread:
- Stumbling into the obvious Stephen Kleine (Apr 09)
- Re: Stumbling into the obvious David Fifield (Apr 09)
- Message not available
- Re: Stumbling into the obvious David Fifield (Apr 13)
- Message not available
- RE: Stumbling into the obvious Stephen Kleine (Apr 13)
- Re: Stumbling into the obvious David Fifield (Apr 09)
