Nmap Development mailing list archives

Re: sV scanning with set src port?


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 3 May 2016 09:28:16 -0500

Mike,

Not a silly question: some services like IKE expect a specific source port.
Unfortunately, we currently only use the -g source port option for raw
packet scans like -sS and -O. To do so with regular sockets, which are used
via Nsock for -sV and NSE, we would need to bind to a local port, and the
OS (TCP/IP stack) only allows one socket to be bound to a given port at any
time, with a delay between the last time a bound socket was closed and the
next time that number can be bound. This would slow down scans a lot, since
Nmap parallelizes version scanning and NSE.

You can see some code to bind to low-numbered ports in rpc.lua, since some
RPC services (NFS, for instance) require that. The code tries several
different ports, since many scripts can be running at once.

Dan

On Sun, May 1, 2016 at 5:39 AM, Mike . <dmciscobgp () hotmail com> wrote:

hello


hopefully this can get answered. last things i posted got nothing. if this
sounds silly, i apologize. if i wanted to do a sV scan with a set src port for
all services fired off, can it be done? i noticed when i was setting a
certain src port, through packet dumps i was seeing nmap changing it on the
fly (the scan itself was using defined src port until it got to the service
detection). i realize that certain services will only talk through exact
matching ports/etc. can this be overridden? do i have to set an arg for
each individual service/script? do we have a universal "set src port for
all script tests"? again, silly, then sorry


Mike

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
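
The bind constraint described in the reply above, and the try-several-ports fallback it attributes to rpc.lua, shown as an added Python example (not part of the original thread and not Nmap's code). The helper names `connect_from`, `connect_from_any` and `demo`, and the loopback listener standing in for the target, are assumptions made for illustration.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"

def connect_from(src_port, dst):
    """Connect to dst with a chosen TCP source port (default socket options)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((LOOPBACK, src_port))  # bind() before connect() fixes the source port
        s.connect(dst)
        return s
    except OSError:
        s.close()
        raise

def connect_from_any(candidates, dst):
    """Try candidate source ports in order, skipping any that are already bound."""
    for port in candidates:
        try:
            return connect_from(port, dst)
        except OSError as exc:
            if exc.errno != errno.EADDRINUSE:
                raise
    raise OSError(errno.EADDRINUSE, "no candidate source port was free")

def demo():
    # Constructed loopback listener standing in for the scanned service.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(8)
    dst = srv.getsockname()
    # Ask the OS for a currently free port to play the role of the fixed source port.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((LOOPBACK, 0))
    fixed = probe.getsockname()[1]
    probe.close()
    first = connect_from(fixed, dst)        # the first probe now owns the port
    try:
        connect_from(fixed, dst).close()    # a parallel probe asks for the same port
        second_refused = False
    except OSError as exc:
        second_refused = exc.errno == errno.EADDRINUSE
    fallback = connect_from_any(range(fixed, fixed + 4), dst)
    result = {"fixed": fixed, "first_src": first.getsockname()[1],
              "second_refused": second_refused,
              "fallback_src": fallback.getsockname()[1]}
    for s in (first, fallback, srv):
        s.close()
    return result

if __name__ == "__main__":
    print(demo())
```

The second connection attempt fails at `bind()` with `EADDRINUSE` while the first socket is still open, which is why a single fixed source port would serialize probes that are otherwise run in parallel.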
