Nmap Development mailing list archives
Re: [RFC] Should --open prevent other scan phases (NSE, -sV, -O, etc.) from running?
From: Fyodor <fyodor () nmap org>
Date: Sat, 3 Jun 2017 15:16:46 -0700
On Wed, May 17, 2017 at 2:29 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
> The trouble here is that several scan phases could have been run on this host and produced output that will never be shown. NSE (hostrule scripts), traceroute, and even OS detection are attempted, with no possibility of the output ever being shown to the end user.
>
> There are two options that I would like feedback on:
>
> First, we could use the same logic that is used to skip the output for a host in order to skip the work of further scan phases. This changes Nmap's behavior the most, but its output the least. It could considerably speed up --open scans.
>
> Second, we could change the logic for choosing to display output in order to display hosts that have some useful output even if they have no open ports and --open was specified. This would not slow down Nmap at all, since the same work is being done, but it reduces the usefulness of the --open option in conjunction with scans involving more than just a port scan (-A, for instance).
Hi Dan. Good question. Since this only affects the (fairly rare) case where a user specifies both --open and advanced phase options such as -O, --traceroute, -sC, etc., I see two reasons someone might want to do this:

1) They only want the advanced phase results from systems which have at least one port open (possibly a specific port they specified with -p). They don't want to waste time performing further scans or bloating results output for hosts which don't have any of the specified port(s) open. Your solution #1 will be better for these people, and this is basically how it works now (except that Nmap still wastes time computing non-displayed results; Nmap currently doesn't even give the host results in XML output).

2) Users want all of the results they asked for about each up host (including OS detection or script results), but they just don't want to see a bunch of closed/filtered ports cluttering the output. But this is not how Nmap works now, and it would also conflict with the documentation which says that you can "specify --open to only see hosts with at least one open, open|filtered, or unfiltered port." And if we were to include (say) traceroute or OS detection results for no-open-port hosts, one could argue that we should also show the DNS and MAC address information we may already have for those hosts. But I think doing so would clutter results for the common use case of users who only want to see the hosts with open ports.

Given this, I agree that your solution #1 is better. If users really want to see information on the hosts without open port(s), they shouldn't specify --open at all. And if the issue is just that they don't like seeing closed or filtered ports in the output, that's easy to grep out in the normal output or filter from XML.

Cheers,
Fyodor
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
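The "filter from XML" route Fyodor suggests for use case #2 (run without --open, then drop closed/filtered ports afterwards while keeping OS and host-script results for every up host) can be done with a short post-processing script. This is an added example, not code from the thread or from Nmap; the XML it parses is constructed sample data with the same element names Nmap uses (host, status, address, ports/port/state, os/osmatch, hostscript/script), and the kept-state set mirrors the documented --open behaviour.

```python
"""Keep every up host and its host-level results (OS match, host scripts)
from an Nmap XML report, but drop ports that are not open/open|filtered/
unfiltered. Client-side alternative to the --open option."""
import xml.etree.ElementTree as ET

# Constructed sample report (not real scan output): one host with an open
# port, one host with only a filtered port but with OS and hostscript results.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 4.X" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
    <os><osmatch name="FreeBSD 11" accuracy="90"/></os>
    <hostscript><script id="example-hostscript" output="sample"/></hostscript>
  </host>
</nmaprun>
"""

# The port states --open displays, per the Nmap documentation quoted above.
KEEP_STATES = {"open", "open|filtered", "unfiltered"}


def filter_report(xml_text, keep_states=KEEP_STATES):
    """Return a list of dicts, one per up host, with only the kept ports."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry nothing worth keeping
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state in keep_states:
                ports.append((port.get("protocol"), int(port.get("portid")), state))
        osmatch = host.find("os/osmatch")  # first (best) match, if any
        results.append({
            "addr": host.find("address").get("addr"),
            "ports": ports,
            "os": osmatch.get("name") if osmatch is not None else None,
            "hostscripts": [s.get("id") for s in host.findall("hostscript/script")],
        })
    return results
```

The second host keeps its OS match and host-script entry even though its port list ends up empty, which is exactly what --open would hide.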