Nmap Development mailing list archives
Idea: --show-ttl (like --reason)
From: Jacek Wielemborek <d33tah () gmail com>
Date: Wed, 09 Jul 2014 12:17:17 +0200
List,

Ever since I discovered -oX -, I missed some of the data it displays in Nmap's default output mode. Compare these two:
$ nmap scanme.nmap.org -Pn -n -p 80

Starting Nmap 6.45 ( http://nmap.org ) at 2014-07-09 12:01 CEST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.19s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds
And the XML output:
$ nmap scanme.nmap.org -Pn -n -p 80 -oX -
<?xml version="1.0"?>
<!DOCTYPE nmaprun PUBLIC "-//IDN nmap.org//DTD Nmap XML 1.04//EN" "https://svn.nmap.org/nmap/docs/nmap.dtd">
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 6.45 scan initiated Wed Jul  9 12:01:04 2014 as: nmap -Pn -n -p 80 -oX - scanme.nmap.org -->
<nmaprun scanner="nmap" args="nmap -Pn -n -p 80 -oX - scanme.nmap.org" start="1404900064" startstr="Wed Jul  9 12:01:04 2014" version="6.45" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1" services="80"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="1404900064" endtime="1404900065"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="74.207.244.221" addrtype="ipv4"/>
<hostnames>
<hostname name="scanme.nmap.org" type="user"/>
</hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="50"/><service name="http" method="table" conf="3"/></port>
</ports>
<times srtt="190339" rttvar="190339" to="951695"/>
</host>
<runstats><finished time="1404900065" timestr="Wed Jul  9 12:01:05 2014" elapsed="0.93" summary="Nmap done at Wed Jul  9 12:01:05 2014; 1 IP address (1 host up) scanned in 0.93 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
While most of the data shown in the XML file can be inferred or enabled by using various command-line switches such as -v or --reason, one piece of information that is particularly difficult to extract is the "reason_ttl" field, which could carry interesting information. The only way I found to display it in the normal output mode is by enabling debugging output, which makes it hard to read. Perhaps it would be better to have an additional column in scan results, just like --reason, which would just show the TTL to make it easier to note load balancers and such? I'm thinking of something like this:
$ nmap scanme.nmap.org -Pn -n -p 80 --reason --show-ttl

Starting Nmap 6.45 ( http://nmap.org ) at 2014-07-09 12:01 CEST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.19s latency).
PORT   STATE SERVICE REASON  TTL
80/tcp open  http    syn-ack 50

Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds
Also, shouldn't -v (or -vv or even higher) imply --reason and maybe --show-ttl? What do you think?

Jacek
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
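Until something like --show-ttl exists in normal output, the reason_ttl attribute can be pulled out of the -oX XML that the post quotes. The following is an added example (not part of the post, and not Nmap's own code) that parses that XML with the standard library, prints the PORT/STATE/SERVICE/REASON/TTL layout proposed above, and additionally groups each host's replies by TTL so that ports answering with different TTLs from one address (the load balancer case the post mentions) are flagged. The first host is taken from the XML in the post; the second host (192.0.2.10) and its TTL values are constructed for illustration and do not come from any real scan.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the scanme.nmap.org host from the post, trimmed to the
# elements this example reads, plus a hypothetical second host whose ports
# answer with different TTLs so the anomaly check below has something to flag.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -n -p 80 -oX - scanme.nmap.org" start="1404900064" version="6.45" xmloutputversion="1.04">
<host starttime="1404900064" endtime="1404900065"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="74.207.244.221" addrtype="ipv4"/>
<hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="50"/><service name="http" method="table" conf="3"/></port></ports>
</host>
<host><status state="up" reason="echo-reply" reason_ttl="64"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="50"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="118"/><service name="https" method="table" conf="3"/></port>
<port protocol="tcp" portid="22"><state state="closed" reason="reset" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
"""


def parse_ports(xml_text):
    """Return one dict per scanned port with the state, reason and reason_ttl fields."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            rows.append({
                "addr": addr,
                "port": f"{port.get('portid')}/{port.get('protocol')}",
                "state": state.get("state"),
                "service": service.get("name") if service is not None else "",
                "reason": state.get("reason"),
                # reason_ttl is the TTL of the packet Nmap received; 0 means
                # no packet was received (e.g. a user-set or no-response state).
                "ttl": int(state.get("reason_ttl", "0")),
            })
    return rows


def format_table(rows):
    """Render rows in the PORT STATE SERVICE REASON TTL layout proposed in the post."""
    lines = [f"{'PORT':<9}{'STATE':<8}{'SERVICE':<9}{'REASON':<9}TTL"]
    for r in rows:
        lines.append(f"{r['port']:<9}{r['state']:<8}{r['service']:<9}{r['reason']:<9}{r['ttl']}")
    return "\n".join(lines)


def ttl_anomalies(rows):
    """Map each address that replied with more than one distinct TTL to {ttl: [ports]}.

    Replies from a single host normally share one TTL; several TTLs from one
    address suggest the answers came from different devices behind it.
    """
    by_host = defaultdict(dict)
    for r in rows:
        if r["ttl"] > 0:  # skip entries where nothing was received
            by_host[r["addr"]].setdefault(r["ttl"], []).append(r["port"])
    return {addr: ttls for addr, ttls in by_host.items() if len(ttls) > 1}


if __name__ == "__main__":
    rows = parse_ports(SAMPLE_XML)
    for addr in sorted({r["addr"] for r in rows}):
        print(f"Nmap scan report for {addr}")
        print(format_table([r for r in rows if r["addr"] == addr]))
        print()
    for addr, ttls in ttl_anomalies(rows).items():
        print(f"{addr}: replies carry {len(ttls)} distinct TTLs: {ttls}")
```

Running it against real output is a matter of replacing SAMPLE_XML with the text of an -oX file; the per-host TTL grouping is where the value of the field shows up, since a single TTL column per port line (as proposed) still leaves the comparison across ports to the reader.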
Current thread:
- Idea: --show-ttl (like --reason) Jacek Wielemborek (Jul 09)
- Re: Idea: --show-ttl (like --reason) John (Jul 09)
- Re: Idea: --show-ttl (like --reason) Daniel Miller (Jul 09)