Nmap Development mailing list archives

Re: [Patch] --exclude-ports option for Nmap


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 18 Jun 2014 14:10:52 -0500

On Wed, Jun 18, 2014 at 10:01 AM, Jay Bosamiya <jaybosamiya () gmail com>
wrote:

Hi All!

Attached is the patch for --exclude-ports option for Nmap. A discussion
for it had occurred at [1] before.

When coding it in, however, I realized that we should probably block
even host discovery (ACK, SYN and such) if the user asks for it.
The current patch takes care of such cases and shows relevant error
messages (for example, try running "nmap --unprivileged -sn
--exclude-ports 80,443").

I've also modified some error messages that were shown previously (when
user gives invalid port specifications) so that it matches with
--exclude-ports too.

All tests that I ran on my machine passed.

What I'm not so sure about is something like "nmap --exclude-ports
1-1000 {target}". With the current patch, it correctly shows a warning
that it is skipping TCP ping scan (the reason is that 80 and 443 are
excluded). This might seem like a nuisance to some since they might not
care how host discovery is done (and that's why they left it at default).
Should I rewrite the warning part so that it appears only if non default
host discovery is done?
Another possibility is that I could show the warning always (if non
default) and only when -d is used (if default host). I personally think
that this second method might be more useful, but I think this might
require some thought.

Feedback is welcome as always. :)

Cheers,
Jay

Links:
[1] http://seclists.org/nmap-dev/2014/q2/400


Jay,

There is a problem with the patch in handling exclusions of host discovery
ports when --top-ports is given: excluded ports are still used in this
case. This is because the exclusion is being handled by gettoppts (which
does not affect ping ports) only, and not by removepts (which handles all
port/protocol types). I think this can be fixed by removing the conditional
on line 1558, and simply running removepts regardless. I have not tested
that hypothesis, though, so you may come up with a better fix.

In general, though, your feature is looking good. I do think that the
warning should be shown in all cases where an entire ping type is excluded,
because otherwise we will get bug reports that Nmap is not detecting some
host that they know is up (perhaps because it is blocking ICMP, and we
excluded the available TCP ping ports.)

An alternative to simply dropping the default TCP ping ports would be to
choose them as the first-and-second-most popular ports after exclusions.
This would have the advantage of not eliminating a host discovery type
altogether, but it would mean a change to the way things currently work
without --exclude-ports, since the 2 most-popular ports are 80 and 23 (443
is 3rd place). I only bring this up as a discussion point; please don't
spend time implementing it, since it's not likely to be a desired feature.

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
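As an added illustration of the logic discussed in this thread (this is example code written for this page, not Nmap source and not Jay's patch): a small model of how --exclude-ports should interact with the port list, --top-ports and the TCP ping ports. The port-popularity order, the 1-1024 default port list, the function names and the "fix" switch are all constructed stand-ins; the real Nmap code paths (gettoppts, removepts) are only referred to by analogy. The model reproduces the bug Dan describes (with --top-ports, exclusions applied only during top-port selection never reach the ping ports), the fix of applying the removal step unconditionally, the warning when an entire ping type is excluded, and the "most popular ports after exclusions" alternative that would change the defaults from 80/443 to 80/23.

```python
"""Model of --exclude-ports handling for port lists and TCP ping ports.

Constructed example for illustration; not Nmap code."""

# Nmap's default TCP ping ports (SYN to 443, ACK to 80), as discussed in the thread.
DEFAULT_TCP_PING_PORTS = frozenset({80, 443})

# Constructed popularity order standing in for nmap-services frequencies;
# only the first three (80, 23, 443) follow the ordering Dan mentions.
TOP_PORTS_ORDER = [80, 23, 443, 21, 22, 25, 3389, 110, 445, 139]

# Constructed stand-in for the default scan list (real Nmap uses the top 1000).
DEFAULT_SCAN_PORTS = range(1, 1025)


def parse_port_spec(spec):
    """Parse a spec like '22,80-90,443' into a set of ports.

    Raises ValueError on empty items, non-numeric values or bad ranges,
    so the same message path serves -p and --exclude-ports.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry in spec %r" % spec)
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % item)
        ports.update(range(lo, hi + 1))
    return ports


def top_ports(n, excluded):
    """gettoppts-style selection: n most popular ports, skipping exclusions."""
    chosen = []
    for port in TOP_PORTS_ORDER:
        if port in excluded:
            continue
        chosen.append(port)
        if len(chosen) == n:
            break
    return chosen


def remove_ports(ports, excluded):
    """removepts-style step: drop excluded ports from any port list."""
    return sorted(set(ports) - set(excluded))


def ping_ports_by_popularity(excluded, count=2):
    """Dan's alternative: pick ping ports as the most popular ports after exclusions."""
    return top_ports(count, excluded)


def plan_scan(port_spec=None, top=None, exclude_spec="", fix=True):
    """Compute the scan port list, the TCP ping ports and any warnings.

    fix=False models the reported bug: with --top-ports, exclusion happens only
    in top_ports(), so the ping ports are never filtered. fix=True runs the
    removal step regardless of how the scan list was chosen.
    """
    excluded = parse_port_spec(exclude_spec) if exclude_spec else set()

    if top is not None:
        scan = top_ports(top, excluded)
    elif port_spec:
        scan = parse_port_spec(port_spec)
    else:
        scan = DEFAULT_SCAN_PORTS

    if fix or top is None:
        scan = remove_ports(scan, excluded)
        ping = remove_ports(DEFAULT_TCP_PING_PORTS, excluded)
    else:
        scan = sorted(scan)
        ping = sorted(DEFAULT_TCP_PING_PORTS)  # bug: exclusions never applied here

    warnings = []
    if not ping:
        # Shown in every case, per Dan's suggestion, so a host that blocks ICMP
        # and is only reachable via the excluded ports is not silently missed.
        warnings.append("WARNING: all TCP ping ports excluded; skipping TCP ping scan")
    return {"scan": scan, "ping": ping, "warnings": warnings}


if __name__ == "__main__":
    print(plan_scan(exclude_spec="1-1000"))                 # ping empty, warning
    print(plan_scan(top=5, exclude_spec="80,443", fix=False))  # ping still 80,443
    print(plan_scan(top=5, exclude_spec="80,443"))            # ping empty, warning
    print(ping_ports_by_popularity(set()), ping_ports_by_popularity({80, 443}))
```

Running the buggy variant with --top-ports shows the ping list untouched by the exclusion, which is the case Dan reports; the fixed variant and the default-port variant both arrive at an empty ping list and emit the warning.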

