nmap and another idea
From: <phaseone () sio midco net>
Date: Fri, 13 Feb 2004 09:08:21 -0600
We all can say that nmap, in its current state, does a wonderful job. But we also realize that some of its features
One nmap option that I have noticed could be looked into a bit more is the fingerprinting methods that it uses.
Using several packets and needing 1 closed and 1 open port doesn't really do much for keeping traffic and anonymity
down to a minimum (which should be the goal to strive for when gleaning and passively gathering data).
I have read about using RTO (reset time out) analysis using a tool like RING: http://www.planb-security.net/wp/ring.html
This concept is quite unique, in that it only needs 1 PACKET / 1 PORT to do its job. It simply sends the standard SYN,
waits for the SYN/ACK and then lets the socket end time out on the target, using the RTO value from the stack
(specific to each vendor), and then pulling that value from a predefined database signature list.
Now I understand that nmap is trying to "do its own thing" and other people have written tools that maybe they would
like to keep separate and call their "own", but it seems to me, if the nmap community would take ideas from everyone
and build on others' tools and ideas and concepts, nmap
could become the ideal and most powerful scanning/gleaning tool out there (it is already powerful now even in its
Anyway, these were just some thoughts and ideas for you to mull over... I thank you for your time. /Mike
(phaseone () sio midco net)
"they call me a criminal... as i am only merely an explorer"
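The RING-style probe described in the post has a distinctive footprint on the target side: one inbound SYN, then the local stack retransmits its SYN/ACK on the vendor-specific RTO backoff to a peer that never completes or resets the handshake (an nmap SYN scan, by contrast, answers the SYN/ACK with a RST). The following added example, written here for this archive page and not part of the original post or of RING or nmap, walks a constructed packet log and flags such half-open connections, reporting the RTO intervals the probe would have harvested; the addresses, ports and timestamps are all made up.

```python
"""Spot RTO-harvesting half-open connections in a constructed packet log."""
from collections import defaultdict

# Constructed packet log: (timestamp_s, src, dst, tcp_flags). Not real capture data.
PACKETS = [
    # Ordinary completed handshake from 10.0.0.5.
    (0.00, "10.0.0.5:40000", "10.0.0.1:80", "S"),
    (0.01, "10.0.0.1:80", "10.0.0.5:40000", "SA"),
    (0.02, "10.0.0.5:40000", "10.0.0.1:80", "A"),
    # SYN-scan style probe from 10.0.0.7: the SYN/ACK is answered with a RST.
    (1.00, "10.0.0.7:50000", "10.0.0.1:22", "S"),
    (1.01, "10.0.0.1:22", "10.0.0.7:50000", "SA"),
    (1.02, "10.0.0.7:50000", "10.0.0.1:22", "R"),
    # RING-style probe from 10.0.0.9: SYN/ACK retransmitted, peer stays silent.
    (2.00, "10.0.0.9:60000", "10.0.0.1:443", "S"),
    (2.01, "10.0.0.1:443", "10.0.0.9:60000", "SA"),
    (5.01, "10.0.0.1:443", "10.0.0.9:60000", "SA"),
    (11.01, "10.0.0.1:443", "10.0.0.9:60000", "SA"),
    (23.01, "10.0.0.1:443", "10.0.0.9:60000", "SA"),
]


def find_rto_probes(packets, local_ip, min_retransmits=2):
    """Return {peer: [rto_intervals]} for connections where the local host
    retransmitted its SYN/ACK at least `min_retransmits` times and the peer
    never sent an ACK or RST, i.e. the handshake was left to time out."""
    synack_times = defaultdict(list)  # (peer, local) -> SYN/ACK timestamps
    peer_replied = defaultdict(bool)  # (peer, local) -> peer ACKed or RST?
    for ts, src, dst, flags in packets:
        src_ip = src.split(":")[0]
        if src_ip == local_ip and flags == "SA":
            synack_times[(dst, src)].append(ts)
        elif src_ip != local_ip and ("A" in flags or "R" in flags):
            peer_replied[(src, dst)] = True
    hits = {}
    for conn, times in synack_times.items():
        if peer_replied[conn] or len(times) < min_retransmits + 1:
            continue
        # Gaps between successive SYN/ACKs are the stack's RTO backoff, the
        # very value a single-packet RTO fingerprinter reads off the wire.
        hits[conn[0]] = [round(b - a, 2) for a, b in zip(times, times[1:])]
    return hits


if __name__ == "__main__":
    for peer, intervals in find_rto_probes(PACKETS, "10.0.0.1").items():
        print(f"{peer}: silent peer, SYN/ACK retransmit intervals {intervals}")
```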