Nmap Development
mailing list archives
Re: Version scanning reports it scans UDP ports while is doesn't
From: Fyodor <fyodor () insecure org>
Date: Fri, 20 Jan 2006 16:47:10 -0800
On Thu, Jan 19, 2006 at 05:52:06PM +0000, Richard van den Berg wrote:
> I am playing with the version scanning options of nmap 3.95, and found
> something strange. When running
>
>   nmap -A -T4 -vv -oA outfile scanme.nmap.org
>
> outfile.gnmap mentions it scans 1670 TCP ports, and 0 UDP and 0
> PROTOCOLS. Just as I expected. However, if I use
>
>   nmap -A -T4 -p- -vv -oA outfile scanme.nmap.org
>
> outfile.gnmap suddenly mentions it scans 65535 TCP, 65535 UDP and 255
> PROTOCOLS. Eek.

I'm not sure how this really hurts anything (Nmap just treats a normal
-p option as specifying TCP, UDP, and protocol port numbers, but they
aren't actually scanned unless the relevant scan type is used). But I
suppose it would be more consistent (and slightly more efficient) for
Nmap to only include ports that matter for the scan type(s) you
specified. Here is a patch that should do the trick and will be in
the next release:
Index: nmap.cc
===================================================================
--- nmap.cc (revision 3050)
+++ nmap.cc (working copy)
@@ -227,6 +227,7 @@
char **fakeargv;
Target *currenths;
vector<Target *> Targets;
+ char *portlist = NULL; /* Ports list specified by user */
char *proberr;
char emptystring[1];
int sourceaddrwarning = 0; /* Have we warned them yet about
unguessable
@@ -709,11 +710,9 @@
}
break;
case 'p':
- if (ports)
+ if (ports || portlist)
fatal("Only 1 -p option allowed, separate multiple ranges with
commas.");
- ports = getpts(optarg);
- if (!ports)
- fatal("Your port specification string is not parseable");
+ portlist = strdup(optarg);
break;
case 'q': quashargv++; break;
case 'R': o.resolve_all++; break;
@@ -853,6 +852,14 @@
fatal("The fast scan (-F) is incompatible with ping scan");
}
+ if (portlist) {
+ ports = getpts(portlist);
+ if (!ports)
+ fatal("Your port specification string is not parseable");
+ free(portlist);
+ portlist = NULL;
+ }
+
if (fastscan && ports) {
fatal("You can specify fast scan (-F) or explicitly select
individual ports (-p), but not both");
} else if (fastscan && o.ipprotscan) {
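
Review bot: the deferred `getpts(portlist)` block has no comment saying why parsing moved out of the option switch, and its placement matters. It has to run after every scan-type option has been processed (the last hunk reads o.TCPScan(), o.UDPScan() and o.ipprotscan) and before the first test of `ports`, which is the `fastscan && ports` check immediately below. Suggest a one-line comment stating that ordering so a later reshuffle of these checks does not break it. Since the error is now raised far from the -p option, including the offending string in the "not parseable" message would also help the user.
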
@@ -1488,8 +1495,15 @@
int i;
int tcpportcount = 0, udpportcount = 0, protcount = 0;
struct scan_lists *ports;
- int range_type = SCAN_TCP_PORT|SCAN_UDP_PORT|SCAN_PROTOCOLS;
+ int range_type = 0;
+ if (o.TCPScan())
+ range_type |= SCAN_TCP_PORT;
+ else if (o.UDPScan())
+ range_type |= SCAN_UDP_PORT;
+ else if (o.ipprotscan)
+ range_type |= SCAN_PROTOCOLS;
+
porttbl = (u8 *) safe_zalloc(65536);
current_range = origexpr;
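
Review bot: the `else if` chain that builds `range_type` selects at most one category, so when a TCP scan and a UDP scan are requested together only SCAN_TCP_PORT is set and the UDP entries from the -p string are never filled in. These should be three independent `if` statements, each OR-ing in its own flag. Also consider the case where none of the three conditions is true: `range_type` stays 0 and no port list is built at all, so either fall back to a default there or state in a comment that an empty list is intended.
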
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev