Nmap Development mailing list archives
Re: Idea: Use results from host discovery phase in port scan phase
From: David Fifield <david () bamsoftware com>
Date: Mon, 14 Mar 2011 15:42:31 -0700
On Fri, Mar 04, 2011 at 12:37:20PM -0600, Daniel Miller wrote:
> Hi list,
>
> The default host discovery option is equivalent to -PE -PS443 -PA80 -PP. If we run this hypothetical scan:
>
>     nmap -p 443 encrypted.google.com
>
> there is a duplication of effort, as evidenced by this tcpdump output:
>
>     12:28:23.536532 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S], seq 3892202539, win 1024, options [mss 1460], length 0
>     12:28:23.707793 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags [S.], seq 3887723085, ack 3892202540, win 5720, options [mss 1430], length 0
>     12:28:23.707853 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R], seq 3892202540, win 0, length 0
>     12:28:23.891905 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S], seq 2244006275, win 2048, options [mss 1460], length 0
>     12:28:24.071209 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags [S.], seq 3893282166, ack 2244006276, win 5720, options [mss 1430], length 0
>     12:28:24.071251 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R], seq 2244006276, win 0, length 0
That's a good idea. If someone wants to write a patch I think it would be welcome. A more extreme idea is to match UDP payload replies during port scanning or host discovery, and avoid some duplication of effort in service detection. It would be kind of like how NSE scripts can change service information.
> Interestingly, this command:
>
>     nmap -PE -p 443 encrypted.google.com
>
> also shows the host as up, but only generates one SYN-SYN/ACK-RST handshake, indicating that the man page is incorrect in its ordering of the probes.
Are you sure? You haven't specified a TCP host discovery in the command above, so exactly one SYN is expected. I just tested with --packet-trace and I get

    SENT (0.0800s) ICMP 10.32.136.151 > 74.125.224.65 Echo request (type=8/code=0) ttl=39 id=14470 iplen=28
    RCVD (0.0850s) ICMP 74.125.224.65 > 10.32.136.151 Echo reply (type=0/code=0) ttl=52 id=29397 iplen=28
    SENT (0.1440s) TCP 10.32.136.151:60579 > 74.125.224.65:443 S ttl=38 id=34845 iplen=44 seq=158718695 win=3072 <mss 1460>
    RCVD (0.1570s) TCP 74.125.224.65:443 > 10.32.136.151:60579 SA ttl=52 id=29398 iplen=44 seq=1448735918 win=5720 <mss 1430>

Adding -PS443 adds another SYN to port 443, but it comes after the first echo.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
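The duplication Daniel describes can be measured directly from a capture. The following Python script is an added example, not part of the thread and not Nmap code: it parses tcpdump lines in the format quoted above, tracks each SYN the scanner sends as a handshake attempt, marks it answered when a SYN/ACK comes back on the same 4-tuple and closed when the scanner resets it, and reports target ports that received more than one completed SYN / SYN-ACK / RST exchange. The sample input is constructed from the six lines Daniel quoted, and the scanner address 192.168.1.142 is taken from them; the line pattern assumes tcpdump's default IPv4 TCP output and ignores anything else.

```python
import re
from collections import defaultdict

# Constructed sample input: the six tcpdump lines quoted in the thread,
# one packet per line (not a live capture).
TCPDUMP_SAMPLE = """\
12:28:23.536532 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S], seq 3892202539, win 1024, options [mss 1460], length 0
12:28:23.707793 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags [S.], seq 3887723085, ack 3892202540, win 5720, options [mss 1430], length 0
12:28:23.707853 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R], seq 3892202540, win 0, length 0
12:28:23.891905 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S], seq 2244006275, win 2048, options [mss 1460], length 0
12:28:24.071209 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags [S.], seq 3893282166, ack 2244006276, win 5720, options [mss 1430], length 0
12:28:24.071251 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R], seq 2244006276, win 0, length 0
"""

# Head of a tcpdump IPv4 TCP line: timestamp, endpoints (host.port), TCP flags.
# Assumes tcpdump's default output format; other line shapes are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Return one dict (ts, src, sport, dst, dport, flags) per TCP line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        pkt["sport"] = int(pkt["sport"])
        pkt["dport"] = int(pkt["dport"])
        packets.append(pkt)
    return packets


def handshake_attempts(packets, scanner_ip):
    """Group the scanner's SYNs by (target, port).

    Returns {(dst, dport): [{"syn_ts", "answered", "reset"}, ...]}. Each SYN
    from the scanner opens an attempt; a SYN/ACK back on the same 4-tuple
    marks it answered; a following RST from the scanner marks it reset.
    """
    attempts = defaultdict(list)
    open_by_tuple = {}  # (src, sport, dst, dport) -> attempt still in flight
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["src"] == scanner_ip and p["flags"] == "S":
            att = {"syn_ts": p["ts"], "answered": False, "reset": False}
            attempts[(p["dst"], p["dport"])].append(att)
            open_by_tuple[key] = att
        elif p["dst"] == scanner_ip and p["flags"] == "S.":
            rev = (p["dst"], p["dport"], p["src"], p["sport"])
            if rev in open_by_tuple:
                open_by_tuple[rev]["answered"] = True
        elif p["src"] == scanner_ip and p["flags"] == "R":
            if key in open_by_tuple:
                open_by_tuple[key]["reset"] = True
                del open_by_tuple[key]
    return dict(attempts)


def duplicated_probes(packets, scanner_ip):
    """(target, port) pairs that saw more than one completed SYN/SYN-ACK/RST exchange."""
    dup = {}
    for target, atts in handshake_attempts(packets, scanner_ip).items():
        completed = sum(1 for a in atts if a["answered"] and a["reset"])
        if completed > 1:
            dup[target] = completed
    return dup


if __name__ == "__main__":
    pkts = parse_tcpdump(TCPDUMP_SAMPLE)
    for (host, port), n in duplicated_probes(pkts, "192.168.1.142").items():
        print(f"{host}:{port} probed {n} times")  # 74.125.227.36:443 probed 2 times
```

Run against the sample it reports port 443 on 74.125.227.36 probed twice, the discovery SYN and the port-scan SYN. Only completed exchanges are counted, so an unanswered retransmission is not mistaken for duplicated effort; the same function run on a capture of `nmap -PE -p 443` would report nothing, matching David's single-SYN observation.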
Current thread:
- Idea: Use results from host discovery phase in port scan phase Daniel Miller (Mar 04)
- Re: Idea: Use results from host discovery phase in port scan phase David Fifield (Mar 14)
- Re: Idea: Use results from host discovery phase in port scan phase Daniel Miller (Mar 14)
- Re: Idea: Use results from host discovery phase in port scan phase Fyodor (Mar 15)
- Re: Idea: Use results from host discovery phase in port scan phase David Fifield (Mar 14)