Nmap Development mailing list archives
Re: Feature Request: --top-ports option for -PS when performing host discovery
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 20 Feb 2008 01:05:14 +0000
Not yet. This is something Doug has wanted for a long time.
The list of "top" 50 ports is open for quite a bit of debate and
varies quite a bit from institution to institution. The way I
accomplish this sort of host discovery is to run two scans:
nmap -P0 -T5 -p 7,9,13,17,21,22,.... -oG discov <targets>
Then, I grep for 'open' in the log:
egrep 'Host.*open' discov.gnmap | awk '{print $2}' | sort | uniq > list.txt
Then I use the list as input into another Nmap scan:
nmap -iL list.txt ...
Now that Nmap has gotten the mass-ping-migration this can be combined
into one long list on -PS where before it was limited to just a few
ports.
You'll probably do well to come up with your own list of top 50 ports
for whatever network you are scanning. Of course,
21,22,135,139,80,443,445,1025,3389,5000,... are always going to be a
part of the list but at UCSD for example, 8192-8194 are very popular
here.
Here is one quick-n-dirty way to get port counts:
$ egrep -o '[[:digit:]]+\/open\/tcp' openx11.gnmap | sort | uniq -c | sort -nr
443 6000/open/tcp
104 6001/open/tcp
92 6002/open/tcp
56 6004/open/tcp
10 6005/open/tcp
9 6003/open/tcp
7 6006/open/tcp
4 6007/open/tcp
2 6009/open/tcp
2 6008/open/tcp
You can tweak the regex to handle other formats (including XML and
Normal) if needed.
If you do end up getting a decent top port list, I'm sure there are
others on the list who would be interested.
Here is our top 50 list:
$ egrep -o '[[:digit:]]+\/open\/tcp' ../all.gnmap | sort | uniq -c | sort -nr | head -n 50
5349 139/open/tcp
5160 445/open/tcp
4882 22/open/tcp
3164 3389/open/tcp
2937 80/open/tcp
2466 135/open/tcp
2119 2701/open/tcp
2114 2702/open/tcp
1771 23/open/tcp
1405 443/open/tcp
1252 5900/open/tcp
1133 8193/open/tcp
1132 8192/open/tcp
1130 8194/open/tcp
1083 548/open/tcp
983 497/open/tcp
963 111/open/tcp
924 21/open/tcp
797 25/open/tcp
739 515/open/tcp
671 427/open/tcp
510 631/open/tcp
486 1025/open/tcp
434 2049/open/tcp
391 9100/open/tcp
377 1761/open/tcp
356 10000/open/tcp
311 6000/open/tcp
296 3306/open/tcp
257 3689/open/tcp
248 79/open/tcp
231 88/open/tcp
218 280/open/tcp
212 8080/open/tcp
205 2967/open/tcp
202 8000/open/tcp
199 514/open/tcp
184 49156/open/tcp
184 32768/open/tcp
182 143/open/tcp
177 993/open/tcp
175 389/open/tcp
172 49155/open/tcp
171 49154/open/tcp
171 49153/open/tcp
171 49152/open/tcp
170 110/open/tcp
170 1053/open/tcp
167 20828/open/tcp
162 625/open/tcp
Brandon
--
Brandon Enright
Network Security Analyst
UCSD ACT/Network Security
bmenrigh () ucsd edu
On Tue, 19 Feb 2008 16:43:02 -0600
Nelson <komseh () gmail com> wrote:

> I would like to be able to tell nmap to do host discovery with -PS
> and send the TCP SYN Pings to the top X most common ports.
> Something similar to: nmap -sP -PS --top50 xxx.xx.xxx.0/24
> Does anyone else think this is useful, or is there a current way to
> do this?
> Thanks
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
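The two egrep pipelines in the message above, reimplemented as a small parser of Nmap's grepable (-oG) output; this is an added example, not code from the thread or from Nmap itself, and the sample scan output and hosts it works on are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Nmap -oG output (hosts, ports and states are made up).
# Fields on a Host: line are tab-separated, ports are "num/state/proto//svc///".
SAMPLE_GNMAP = """\
# Nmap scan initiated ... as: nmap -P0 -T5 -p 21,22,80,139,445 -oG discov 192.0.2.0/28
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///
Host: 192.0.2.2 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.3 ()\tPorts: 21/filtered/tcp//ftp///, 80/filtered/tcp//http///
Host: 192.0.2.4 ()\tStatus: Down
Host: 192.0.2.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (3)
# Nmap done at ... -- 16 IP addresses (4 hosts up) scanned
"""

# One port entry: port number, state (may be "open|filtered"), protocol.
PORT_RE = re.compile(r'(\d+)/([^/]+)/(tcp|udp)/')

def parse_gnmap(text):
    """Yield (host, [(port, state, proto), ...]) for every Host: line.
    Comment lines are skipped; Status-only lines yield an empty port list."""
    for line in text.splitlines():
        if not line.startswith('Host:'):
            continue
        fields = line.split('\t')
        host = fields[0].split()[1]          # "Host: 192.0.2.1 ()" -> IP
        ports = []
        for field in fields[1:]:
            if field.startswith('Ports:'):
                for num, state, proto in PORT_RE.findall(field):
                    ports.append((int(num), state, proto))
        yield host, ports

def open_port_counts(text, proto='tcp'):
    """Same result as egrep -o '[[:digit:]]+/open/tcp' | sort | uniq -c, but
    matches the state exactly, so "open|filtered" is never counted as open."""
    counts = Counter()
    for _host, ports in parse_gnmap(text):
        for num, state, p in ports:
            if state == 'open' and p == proto:
                counts[num] += 1
    return counts

def top_ports(text, n=50):
    """Port numbers ordered by how many hosts have them open (the top-N list)."""
    return [port for port, _ in open_port_counts(text).most_common(n)]

def hosts_with_open_port(text):
    """Same intent as egrep 'Host.*open' | awk '{print $2}' | sort | uniq,
    keyed on the parsed port state rather than the substring 'open'."""
    return sorted({host for host, ports in parse_gnmap(text)
                   if any(state == 'open' for _, state, _ in ports)})
```

The list returned by hosts_with_open_port() is what the message feeds to a second scan via -iL, and top_ports() gives the comma-separated candidates for a site-specific -PS port list.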