Nmap Development mailing list archives
Re: Stumbling into the obvious
From: David Fifield <david () bamsoftware com>
Date: Tue, 13 Apr 2010 08:44:48 -0600
On Tue, Apr 13, 2010 at 09:14:39AM -0400, Stephen Kleine wrote:
> From: David Fifield [mailto:david () bamsoftware com]
> Sent: Friday, April 09, 2010 3:14 PM
> To: Stephen Kleine
> Cc: nmap-dev () insecure org
> Subject: Re: Stumbling into the obvious
>
> On Fri, Apr 09, 2010 at 09:32:13AM -0400, Stephen Kleine wrote:
> > Obligatory Notice: I'm a relative newcomer to NMAP. After reading about the
> > Mayo Clinic's scan in the book, I did some research on commonly-used windows
> > ports. I've come up with this scan for windows systems
> >
> > nmap -p 1-1023,1067,1068,1270,1433,1434,1645,1646,1701,1723,1755,1801,1812,1813,1900,2101,2103,2105,2107,2393,2394,2460,2535,2701-2704,2725,2869,3268,3269,3343,3389,3527,4011,4500,5000,5004,5005,5722,6001,6002,6004,42424,51515 -T3 -n -PN
>
> Tell us more about the research you did. How much overlap is there with
> Nmap's default 1000-port list? You can easily extract the port list from
> XML output.
>
> ------
>
> There is a fair amount of overlap between the Normal scan and the windows
> scan I've found (both do the bottom 1023 ports, PPTP is well within the top
> 67 ports, etc.)
Nmap doesn't scan all of the bottom 1023 ports anymore. You may be using an old version. Now it's the top 1000 by how likely they are to be open.
> As for research on the windows specific ports, those can be found at
> http://support.microsoft.com/kb/832017#5 on the table Ports and Protocols.
Thanks, that's a good link to have. I measured the overlap. Ignoring ports
1-1023, there are 44 ports in the Windows list. Nmap's default gets all but 17
of them:

1270,1645,1646,1701,1813,2101,2460,2535,2703,2704,3343,4011,4500,5005,5722,42424,51515

According to the Microsoft page, though, 10 of these remaining ports are
UDP-only (1645,1646,1701,1813,2460,2535,3343,4011,4500,5005), so it's no
surprise they don't appear among the top TCP ports. The remaining TCP ports are

1270,2101,2703,2704,5722,42424,51515

Increasing it to --top-ports 2000, the list becomes

2703,2704,5722,42424,51515

So Nmap is doing a pretty good job of finding these Windows ports, just based
on empirical measurements. You could get a little better coverage by using
that full Windows port list, but then you're spending time scanning ports that
are unlikely to be open. Those five remaining ports were found open at most
once in over 10,000 hosts in our testing.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
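As an added illustration of the overlap measurement David describes (this is not code from the thread or from the Nmap project): the script below reads the ports a scan actually covered from the `services` attribute of `<scaninfo>` in `nmap -oX` output, expands the Windows port spec from Stephen's command line, and reports which Windows ports above 1023 the scan missed, separating the UDP-only entries the thread lists from the TCP ones. The XML fragment is constructed for the example and does not reproduce Nmap's real top-1000 list, only enough ports to show the method.

```python
"""Measure overlap between a Windows port list and the ports an Nmap run scanned,
reading the latter from the services attribute of <scaninfo> in `nmap -oX` output.
Added example, not code from the thread."""
import xml.etree.ElementTree as ET

# Windows port list taken from the nmap command line in the thread.
WINDOWS_PORTS = ("1-1023,1067,1068,1270,1433,1434,1645,1646,1701,1723,1755,1801,"
                 "1812,1813,1900,2101,2103,2105,2107,2393,2394,2460,2535,2701-2704,"
                 "2725,2869,3268,3269,3343,3389,3527,4011,4500,5000,5004,5005,5722,"
                 "6001,6002,6004,42424,51515")

# UDP-only entries from the Microsoft table, as listed in the thread.
UDP_ONLY = {1645, 1646, 1701, 1813, 2460, 2535, 3343, 4011, 4500, 5005}

# Constructed stand-in for real `nmap -oX` output.  The services list is NOT
# Nmap's real top-1000 list; it only contains enough ports to show the method.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -oX - --top-ports 1000 host.example">
<scaninfo type="syn" protocol="tcp" numservices="1050"
 services="1-1023,1067-1068,1433-1434,1723,1755,1801,1812,1900,2103,2105,2107,2393-2394,2701-2702,2725,2869,3268-3269,3389,3527,5000,5004,6001-6002,6004"/>
</nmaprun>"""


def expand_ports(spec):
    """Expand an Nmap-style port spec ("1-1023,1067,2701-2704") into a set of ints."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def scanned_ports(xml_text, protocol="tcp"):
    """Ports the scan covered, from every <scaninfo> element for the protocol."""
    ports = set()
    for info in ET.fromstring(xml_text).iter("scaninfo"):
        if info.get("protocol") == protocol:
            ports |= expand_ports(info.get("services", ""))
    return ports


def uncovered_ports(windows_spec, xml_text, udp_only=UDP_ONLY):
    """Windows ports above 1023 the scan missed, split into (udp_only, tcp)."""
    missing = {p for p in expand_ports(windows_spec) - scanned_ports(xml_text) if p > 1023}
    return sorted(missing & udp_only), sorted(missing - udp_only)


if __name__ == "__main__":
    udp, tcp = uncovered_ports(WINDOWS_PORTS, SAMPLE_XML)
    print("UDP-only, expected to be missing:", udp)
    print("TCP ports the scan did not cover:", tcp)
```

Pointing `scanned_ports` at the XML of a real `--top-ports 1000` or `--top-ports 2000` run reproduces the comparison in the message above for the current Nmap port list.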