Nmap Development mailing list archives

Re: Idea: Use results from host discovery phase in port scan phase


From: David Fifield <david () bamsoftware com>
Date: Mon, 14 Mar 2011 15:42:31 -0700

On Fri, Mar 04, 2011 at 12:37:20PM -0600, Daniel Miller wrote:
> Hi list,
> 
> The default host discovery option is equivalent to -PE -PS443 -PA80
> -PP. If we run this hypothetical scan:
> 
> nmap -p 443 encrypted.google.com
> 
> there is a duplication of effort, as evidenced by this tcpdump output:
> 
> 12:28:23.536532 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S],
> seq 3892202539, win 1024, options [mss 1460], length 0
> 12:28:23.707793 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags
> [S.], seq 3887723085, ack 3892202540, win 5720, options [mss 1430],
> length 0
> 12:28:23.707853 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R],
> seq 3892202540, win 0, length 0
> 12:28:23.891905 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S],
> seq 2244006275, win 2048, options [mss 1460], length 0
> 12:28:24.071209 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags
> [S.], seq 3893282166, ack 2244006276, win 5720, options [mss 1430],
> length 0
> 12:28:24.071251 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R],
> seq 2244006276, win 0, length 0

That's a good idea. If someone wants to write a patch I think it would
be welcome.

A more extreme idea is to match UDP payload replies during port scanning
or host discovery, and avoid some duplication of effort in service
detection. It would be kind of like how NSE scripts can change service
information.

> Interestingly, this command:
> 
> nmap -PE -p 443 encrypted.google.com
> 
> also shows the host as up, but only generates one SYN-SYN/ACK-RST
> handshake, indicating that the man page is incorrect in its ordering
> of the probes.

Are you sure? You haven't specified a TCP host discovery in the command
above, so exactly one SYN is expected. I just tested with --packet-trace
and I get

SENT (0.0800s) ICMP 10.32.136.151 > 74.125.224.65 Echo request (type=8/code=0) ttl=39 id=14470 iplen=28
RCVD (0.0850s) ICMP 74.125.224.65 > 10.32.136.151 Echo reply (type=0/code=0) ttl=52 id=29397 iplen=28
SENT (0.1440s) TCP 10.32.136.151:60579 > 74.125.224.65:443 S ttl=38 id=34845 iplen=44  seq=158718695 win=3072 <mss 1460>
RCVD (0.1570s) TCP 74.125.224.65:443 > 10.32.136.151:60579 SA ttl=52 id=29398 iplen=44  seq=1448735918 win=5720 <mss 1430>

Adding -PS443 adds another SYN to port 443, but it comes after the first
echo.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
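The duplicated SYN handshakes in the tcpdump output quoted above can be picked out mechanically. The following Python script is an added example, not code from this thread or from Nmap itself: it parses the six tcpdump lines quoted in the message (embedded here as sample input, with each wrapped record joined back onto one line) and reports every SYN that repeats an earlier SYN from the same source to the same destination port within a short window, which is precisely the host-discovery/port-scan overlap the thread is about. The regular expression assumes tcpdump's default TCP-over-IPv4 line layout and the 5-second window is an arbitrary constructed default.

```python
import re
from collections import defaultdict

# Constructed sample input: the tcpdump records quoted in the thread,
# each wrapped record joined back onto a single line.
SAMPLE_TCPDUMP = """\
12:28:23.536532 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S], seq 3892202539, win 1024, options [mss 1460], length 0
12:28:23.707793 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags [S.], seq 3887723085, ack 3892202540, win 5720, options [mss 1430], length 0
12:28:23.707853 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R], seq 3892202540, win 0, length 0
12:28:23.891905 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S], seq 2244006275, win 2048, options [mss 1460], length 0
12:28:24.071209 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags [S.], seq 3893282166, ack 2244006276, win 5720, options [mss 1430], length 0
12:28:24.071251 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R], seq 2244006276, win 0, length 0
"""

# Assumed layout of a default tcpdump TCP/IPv4 record:
#   "<hh:mm:ss.usec> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Yield one dict per parseable record; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def ts_seconds(ts):
    """Convert a tcpdump hh:mm:ss.frac timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def syn_probe_counts(text):
    """Count outbound SYN probes (flags exactly 'S', so SYN/ACK 'S.' is excluded)
    per (src, dst, dport)."""
    counts = defaultdict(int)
    for rec in parse_tcpdump(text):
        if rec["flags"] == "S":
            counts[(rec["src"], rec["dst"], rec["dport"])] += 1
    return dict(counts)


def duplicate_syn_probes(text, window=5.0):
    """Return (src, dst, dport, gap_seconds) for each SYN that repeats an earlier
    SYN to the same destination port within `window` seconds. In the sample this
    is the port-scan SYN re-probing the port host discovery already tested."""
    last_syn = {}
    dups = []
    for rec in parse_tcpdump(text):
        if rec["flags"] != "S":
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        t = ts_seconds(rec["ts"])
        if key in last_syn and t - last_syn[key] <= window:
            dups.append(key + (round(t - last_syn[key], 6),))
        last_syn[key] = t
    return dups


if __name__ == "__main__":
    for key, n in syn_probe_counts(SAMPLE_TCPDUMP).items():
        print("%s -> %s:%d  SYN probes: %d" % (key[0], key[1], key[2], n))
    for src, dst, dport, gap in duplicate_syn_probes(SAMPLE_TCPDUMP):
        print("duplicate SYN %s -> %s:%d after %.6fs" % (src, dst, dport, gap))
```

Run against the sample, the script reports two SYN probes to 74.125.227.36:443 and one duplicate about 0.355 s after the first, i.e. the second SYN-SYN/ACK-RST exchange that the proposed change would let the port scan phase skip by reusing the host discovery result.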