Nmap Development mailing list archives

Re: [Branch] --ignore-after


From: Jay Bosamiya <jaybosamiya () gmail com>
Date: Mon, 18 Aug 2014 18:00:49 +0530

On Sunday 17 August 2014 11:41 AM, Fyodor wrote:
> Here it is only 3 days later and I'm already second guessing myself
> :).  I'm starting to think that "50%,80" would be better for -T4.
> That way, for -F, we'd only ignore if at least 80 ports were open.
> And for a default (1,000 port) scan, we'd only skip if 500 or more
> were open.  I think 500 open ports out of 1,000 is not a normal system
> and doing version detection and NSE against all those will likely
> waste a lot of time.
>
> For -T5, maybe a "40%,60" threshold would be good.
>
> Right now, in the nmap-exp branch, -T4 gives "90%,90" and -T5 gives
> "80%,80".  This means, even with -T5, an all-ports scan ("-p-") would
> require 52,428 open ports before bailing.  With "40%,60", we could
> quit sooner--after 26,214 open ports found.  And for a default (ports)
> scan, we could move on after 400 open instead of waiting for 800.
>
> Cheers,
> Fyodor

I've been confused about the constants ever since I initially put them
in. Over time, I've been wanting to keep reducing the constants.

I think that the only way we are going to be able to decide on good
values is if we can decide upon what is the "normal" number of open
ports and what is not.

For the min open ports (the num part of "per%,num"), I think that 80 for
-T4 and 60 for -T5 makes sense. However, I'd suggest dropping the
percentage part even further.

For a default scan (1000 port), more than 100 open ports is not "normal"
IMHO. When we go into all-ports scan, waiting even until 26,214 too
seems unneeded. I've yet to come across a "normal" system with more than
50 open ports. However, people who've been using Nmap for longer than I
have might be able to give a better insight into this.

Currently, I propose -T4 = "10%,80", -T5 = "5%,60".
This would work this way:

                         Ports scanned   Ignore after (-T4)   Ignore after (-T5)
Fast scan "-F"                     100                   80                   60
Default scan                     1,000                  100                   60
All port scan "-p-"             65,535                6,554                3,277


What do you all think?

Cheers,
Jay
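The numbers in both messages follow from one rule: a "per%,num" spec ignores a host once its open-port count reaches the larger of per% of the ports scanned and num. The following is an added worked example, not code from Nmap or from either poster; the max() semantics is inferred from the tables in this thread and is an assumption, and the function names (parse_ignore_after, ignore_threshold, scan_with_ignore) are invented for illustration.

```python
"""Worked example (not Nmap code): how a 'per%,num' --ignore-after spec
turns into an open-port threshold for a given scan size.

Assumption (inferred from the figures in this thread): the host is ignored
once open_ports >= max(ceil(per% * ports_scanned), num).
"""
from fractions import Fraction
import math


def parse_ignore_after(spec):
    """Parse 'per%,num' (e.g. '10%,80') into (Fraction percent, int minimum).

    Fraction is used so that e.g. 80% of 65535 is exact and never rounds
    up or down by a float ulp.
    """
    pct_part, num_part = (s.strip() for s in spec.split(","))
    if not pct_part.endswith("%"):
        raise ValueError("percentage part must end with '%': %r" % spec)
    pct = Fraction(pct_part[:-1]) / 100
    num = int(num_part)
    if not (0 < pct <= 1) or num < 0:
        raise ValueError("out-of-range --ignore-after spec: %r" % spec)
    return pct, num


def ignore_threshold(spec, ports_scanned):
    """Open-port count at which the host is given up on (assumed max rule)."""
    pct, num = parse_ignore_after(spec)
    return max(math.ceil(pct * ports_scanned), num)


def scan_with_ignore(spec, port_states):
    """Simulate walking a port list in scan order.

    port_states: sequence of booleans, True = open, constructed sample input.
    Returns (ignored, ports_probed, open_seen): whether the host was dropped,
    how many ports were actually probed before stopping, and open ports seen.
    """
    threshold = ignore_threshold(spec, len(port_states))
    open_seen = 0
    for probed, is_open in enumerate(port_states, start=1):
        if is_open:
            open_seen += 1
        if open_seen >= threshold:
            return True, probed, open_seen
    return False, len(port_states), open_seen


def threshold_table(specs, scan_sizes):
    """Reproduce the per-template tables from the thread as nested dicts."""
    return {label: {n: ignore_threshold(spec, n) for n in scan_sizes}
            for label, spec in specs.items()}


if __name__ == "__main__":
    sizes = (100, 1000, 65535)  # -F, default, -p-
    for who, specs in (("Fyodor", {"-T4": "50%,80", "-T5": "40%,60"}),
                       ("Jay", {"-T4": "10%,80", "-T5": "5%,60"})):
        print(who)
        for tmpl, row in threshold_table(specs, sizes).items():
            print("  %s %s" % (tmpl, "  ".join("%d->%d" % kv for kv in row.items())))
    # A constructed "everything answers open" host (e.g. a firewall that
    # SYN/ACKs every port): with Jay's -T5 we stop after 60 probes.
    print(scan_with_ignore("5%,60", [True] * 1000))
```

The simulation shows the practical point of the thread: against a host where every port looks open, the absolute part of the spec ("num") decides how quickly a small scan bails, while the percentage part only matters once the scan is large enough for per% of it to exceed num.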