Nmap Development mailing list archives

Re: [RFC] Should --open prevent other scan phases (NSE, -sV, -O, etc.) from running?


From: Fyodor <fyodor () nmap org>
Date: Sat, 3 Jun 2017 15:16:46 -0700

On Wed, May 17, 2017 at 2:29 PM, Daniel Miller <bonsaiviking () gmail com>
wrote:


The trouble here is that several scan phases could have been run on this
host and produced output that will never be shown. NSE (hostrule scripts),
traceroute, and even OS detection are attempted, with no possibility of the
output ever being shown to the end user.

There are two options that I would like feedback on:

First, we could use the same logic that is used to skip the output for a
host in order to skip the work of further scan phases. This changes Nmap's
behavior the most, but its output the least. It could considerably speed up
--open scans.

Second, we could change the logic for choosing to display output in order
to display hosts that have some useful output even if they have no open
ports and --open was specified. This would not slow down Nmap at all, since
the same work is being done, but it reduces the usefulness of the --open
option in conjunction with scans involving more than just a port scan (-A,
for instance).


Hi Dan.  Good question.  Since this only affects the (fairly rare) case
where a user specifies both --open and advanced phase options such as -O,
--traceroute, -sC, etc., I see two reasons someone might want to do this:

1) They only want the advanced phase results from systems which have at
least one port open (possibly a specific port they specified with -p).
They don't want to waste time performing further scans or bloating results
output for hosts which don't have any of the specified port(s) open.  Your
solution #1 will be better for these people, and this is basically how it
works now (except that Nmap still wastes time computing non-displayed
results).  Nmap currently doesn't even give the host results in XML output.

2) Users want all of the results they asked for about each up host
(including OS detection or script results), but they just don't want to see
a bunch of closed/filtered ports cluttering the output.  But this is not
how Nmap works now, and it would also conflict with the documentation which
says that you can "specify --open to only see hosts with at least one open,
open|filtered, or unfiltered port."  And if we were to include (say)
traceroute or OS detection results for no-open-port hosts, one could argue
that we should also show the DNS and mac address information we may already
have for those hosts.  But I think doing so would clutter results for the
common use case of users who only want to see the hosts with open ports.

Given this, I agree that your solution #1 is better.  If users really want
to see information on the hosts without open port(s), they shouldn't
specify --open at all.  And if the issue is just that they don't like
seeing closed or filtered ports in the output, that's easy to grep out in
the normal output or filter from XML.

Cheers,
Fyodor
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
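Fyodor's closing suggestion, filtering closed/filtered ports out of the XML while keeping each host's OS and script results, as an added Python example that is not part of the thread or of Nmap itself; the sample XML is constructed, and OPEN_STATES mirrors the states the --open documentation lists:

```python
"""Post-process Nmap XML: drop closed/filtered <port> entries but keep every
up host together with its OS-detection and host-script results."""
import xml.etree.ElementTree as ET

# Port states the Nmap reference guide says --open considers "open".
OPEN_STATES = {"open", "open|filtered", "unfiltered"}

# Constructed sample (not real scan output): host .10 has an open port, host
# .11 has only a filtered port yet still carries OS and hostscript results.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 4.X" accuracy="95"/></os>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="filtered"/></port></ports>
    <os><osmatch name="FreeBSD 11.X" accuracy="90"/></os>
    <hostscript><script id="smb-os-discovery" output="example"/></hostscript>
  </host>
</nmaprun>"""


def prune_ports(xml_text, keep_states=OPEN_STATES):
    """Return the parsed tree with only ports whose state is in keep_states.
    Hosts stay even if no port survives, unlike Nmap's own --open filter."""
    root = ET.fromstring(xml_text)
    for ports in root.iter("ports"):
        for port in list(ports.findall("port")):
            if port.find("state").get("state") not in keep_states:
                ports.remove(port)
    return root


def summarize(root):
    """Per host: (address, remaining port ids, best OS match, host script ids)."""
    rows = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        ports = [int(p.get("portid")) for p in host.iter("port")]
        osmatch = host.find("os/osmatch")
        os_name = osmatch.get("name") if osmatch is not None else None
        scripts = [s.get("id") for s in host.findall("hostscript/script")]
        rows.append((addr, ports, os_name, scripts))
    return rows


if __name__ == "__main__":
    for row in summarize(prune_ports(SAMPLE_XML)):
        print(row)
```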