Nmap Development mailing list archives

Suggestion for change of nmap ping + scan behavior


From: Wolfric <wolfric1 () gmail com>
Date: Sat, 22 Oct 2011 21:45:20 +0100

Hey Folks

Going to just throw an idea out there. Currently it seems there are
two stages of port scanning (not counting the version detection and
scripting stages). The ping scan and the port scan.
A host has to have at least one test come out positive in the ping
scan to pass into the port scan phase however the results of that ping
scan aren't brought forth. So if I did

nmap -PS80 -p 22 someip, the results will just show port 22 open
(assuming both 22 and 80 are open).

The simplest change would be to simply add an option to take the
results of the ping scan along with any ports that weren't scanned,
and add the ping results to the port results and the unscanned ports
to the "to be scanned list".

An alternative perhaps would be staged scanning. You simply define
stages by prefacing an option with a number so -1p or something like
that, and if one or more of the first stage scanning conditions are
met, it moves onto the second stage.

This third thought is most likely far too complex to be a main feature
and probably would suit better in a script if it was possible, but in
addition to these sorts of stages of scanning, I think open port
triggered scans would be handy. So you scan for your average top ports
such as 80 or 443 or 143. If you find a certain port such as port 80
open, you add to the list of ports, all ports related to web. So
alternative web ports, database ports etc. A server with some sort of
games daemon installed would then look for other game server ports.

With the average person's busy schedule, I'm not expecting these to be
implemented, but if they sound good, I'd look forward to seeing them in
future releases.

Wolfric
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
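The open-port-triggered follow-up scan sketched in the post, written out as an added example (this is not code from the post or from the Nmap project). Stage 1 is an ordinary nmap run saved with -oX; the script reads that XML, maps every open port through a trigger table to a set of follow-up ports, drops anything stage 1 already covered, and prints one stage-2 nmap command per host. The trigger table, the sample XML and the function names are constructed for illustration; the nmap flags -oX, -p and -Pn are real, and -Pn is used because stage 1 already established the host is up.

```python
"""Open-port-triggered stage-2 scan, driven by nmap -oX output.

Added example, not part of the original post or of nmap. The trigger
table, sample XML and helper names below are constructed for illustration.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed trigger table: port found open in stage 1 -> ports to add in stage 2.
TRIGGERS = {
    80:    [81, 443, 8000, 8008, 8080, 8443, 8888, 3306, 5432],  # web -> alt web + db
    443:   [80, 8080, 8443, 3306, 5432],
    27015: [27016, 27017, 27018, 27019, 27020],                  # Source engine game server
}

# Constructed stage-1 result, in the shape nmap writes with -oX (trimmed to
# the elements used here). Host .12 never answered the ping probes.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - -p 22,80,443,27015 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/></port>
      <port protocol="tcp" portid="80"><state state="open"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
      <port protocol="tcp" portid="27015"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="27015"><state state="open"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def stage1_results(xml_text):
    """Return {ip: (open_ports, scanned_ports)} for every host reported up."""
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that failed the ping stage carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        opened, scanned = set(), set()
        for port in host.findall("./ports/port[@protocol='tcp']"):
            pid = int(port.get("portid"))
            scanned.add(pid)
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                opened.add(pid)
        results[addr.get("addr")] = (opened, scanned)
    return results


def followup_ports(opened, scanned, triggers=TRIGGERS):
    """Union of the trigger lists for the open ports, minus ports stage 1 already probed."""
    extra = set()
    for p in opened:
        extra.update(triggers.get(p, ()))
    return sorted(extra - set(scanned))


def stage2_commands(xml_text, triggers=TRIGGERS):
    """One nmap command per host that tripped at least one trigger."""
    cmds = []
    for ip, (opened, scanned) in sorted(stage1_results(xml_text).items()):
        ports = followup_ports(opened, scanned, triggers)
        if ports:
            spec = ",".join(str(p) for p in ports)
            cmds.append("nmap -Pn -p %s %s" % (spec, shlex.quote(ip)))
    return cmds


if __name__ == "__main__":
    for cmd in stage2_commands(SAMPLE_XML):
        print(cmd)
```

Run against a real stage-1 file with `stage2_commands(open("stage1.xml").read())`; the trigger table is the part worth tuning, and a port already probed in stage 1 is deliberately never re-queued, which is what keeps the two stages from scanning the same thing twice.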

