Re: [RFC] Ndiff

From: Fyodor <fyodor_at_insecure.org>
Date: Wed, 2 Jul 2008 23:09:43 -0700

On Sun, Jun 15, 2008 at 11:10:32PM -0600, David Fifield wrote:
> On Sun, Jun 15, 2008 at 10:14:18PM -0500, Thomas Buchanan wrote:
> > <ports><extraports state="filtered" count="65509">
> > <extrareasons reason="no-responses" count="65509"/>
> > </extraports>
> > <extraports state="closed" count="26">
> > <extrareasons reason="resets" count="26"/>
> > </extraports>
> > </ports>
> > ...
> > There's no way to tell from this scan if port 53, for example, is one of
> > the closed ports, or one of the filtered. So in that case, a diff tool
> > wouldn't be able to specify. But where it is possible, I think it's
> > useful information.
>
> That's a good point. It should be possible to tell the state of every
> single scanned port from the XML output in all cases. When there's more
> than one extraports element, you can't. I think Nmap should just bite
> the bullet in this case and list all the ports in that state, like in
> the services attribute of the scaninfo element.

I agree that it "should" theoretically be possible. But the current
setup is a compromise between the ideal of showing the state and
reason for all the ports, and the practical limitation in the size of
results people want to deal with. It isn't uncommon to find hosts
which have 1,000 closed ports (usually the non-open ports < 1024) and
64,000 filtered ports. And I'd guess that in 99% of the cases people
don't really care which ports were closed versus filtered. Imagine a
worst case scenario with 30K filtered ports, 30K closed ports, and
different reasons for each.

I suppose the XML could list the port numbers in the same format as
scaninfo does. Though people then might expect the same in the
extrareasons attribute.

So I guess what I'm trying to say is that I don't consider it
essential to list the port numbers in extraports. After all, I have
trouble thinking of many non-contrived practical uses. But I'm not
opposed to it either if good efforts are made to limit the size, such
as using hyphens when there are more than a couple of consecutive port
numbers, and maybe only including the list if there is more than one
extraports. If someone wants to implement this, it's fine with me. I
do agree that it is a little goading to not know which ports are
which, despite lack of reasons to usually do so :).

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Jul 02 2008
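To make the ambiguity in this thread concrete, here is an added example (not Nmap or Ndiff code) that resolves the state of every scanned port from a `<ports>` block. It assumes a constructed XML sample modelled on the snippet Thomas quoted, scaled down to a 100-port scan so the counts stay readable, and it assumes a hypothetical `ports` attribute on `<extraports>` carrying the hyphenated range list Fyodor suggests, in the notation of the `services` attribute of `<scaninfo>`. With one `<extraports>` element every unlisted port inherits its state; with two and no range list, the unlisted ports can only be reported as unknown.

```python
"""Resolve per-port state from Nmap XML <ports> output.

Added example, not Nmap or Ndiff code. The XML samples below are
constructed; the `ports` attribute on <extraports> is hypothetical
(Fyodor's suggested range list, in scaninfo `services` notation).
"""
import xml.etree.ElementTree as ET

# Constructed sample: two <extraports> elements and no range list, so the
# 98 unlisted ports cannot be split into closed versus filtered.
AMBIGUOUS_XML = """<host><ports>
<extraports state="filtered" count="90"><extrareasons reason="no-responses" count="90"/></extraports>
<extraports state="closed" count="8"><extrareasons reason="resets" count="8"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
</ports></host>"""

# Same scan with the hypothetical `ports` attribute on the smaller element.
RESOLVED_XML = AMBIGUOUS_XML.replace(
    '<extraports state="closed" count="8">',
    '<extraports state="closed" count="8" ports="21,23-25,53,79,99,100">')

# Single <extraports>: the common case, fully resolvable today.
SINGLE_XML = """<host><ports>
<extraports state="filtered" count="98"><extrareasons reason="no-responses" count="98"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
</ports></host>"""


def parse_port_ranges(spec):
    """Expand a scaninfo-style list such as '1-3,53,80' into a set of ints."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = item.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def format_port_ranges(ports, min_run=3):
    """Inverse of parse_port_ranges. Runs of at least min_run consecutive
    ports are hyphenated; shorter runs are listed individually, which is
    the size limit Fyodor proposes for an extraports port list."""
    out = []
    ordered = sorted(set(ports))
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        run = ordered[i:j + 1]
        out.append(f"{run[0]}-{run[-1]}" if len(run) >= min_run
                   else ",".join(str(p) for p in run))
        i = j + 1
    return ",".join(out)


def port_states(host_xml, scanned):
    """Return {port: (state, reason)} for every port number in `scanned`.

    Ports with their own <port> element are taken as-is. The rest are
    attributed to <extraports>: first via any explicit `ports` range list,
    then, if exactly one element remains and its count matches the number
    of still-unassigned ports, to that element. Anything left is 'unknown',
    which is exactly the case the thread is about."""
    root = ET.fromstring(host_xml)
    states = {}
    for port in root.iter("port"):
        st = port.find("state")
        states[int(port.get("portid"))] = (st.get("state"), st.get("reason"))
    remaining = set(scanned) - set(states)
    unresolved = []
    for ep in root.iter("extraports"):
        er = ep.find("extrareasons")
        reason = er.get("reason") if er is not None else None
        if ep.get("ports"):
            listed = parse_port_ranges(ep.get("ports"))
            for p in listed & remaining:
                states[p] = (ep.get("state"), reason)
            remaining -= listed
        else:
            unresolved.append((ep.get("state"), reason, int(ep.get("count"))))
    if len(unresolved) == 1 and unresolved[0][2] == len(remaining):
        state, reason, _ = unresolved[0]
        for p in remaining:
            states[p] = (state, reason)
    else:
        for p in remaining:
            states[p] = ("unknown", None)
    return states


if __name__ == "__main__":
    for label, doc in (("ambiguous", AMBIGUOUS_XML), ("resolved", RESOLVED_XML)):
        s = port_states(doc, range(1, 101))
        unknown = [p for p, (state, _) in s.items() if state == "unknown"]
        print(label, "port 53 ->", s[53], "| unknown:", format_port_ranges(unknown) or "none")
```

The count check is deliberate: in the scan Thomas quoted, 65509 filtered plus 26 closed is 65535, so a single leftover `<extraports>` whose count equals the number of unassigned ports is safe to attribute wholesale, whereas a mismatch means the assumed scanned range is wrong and guessing would silently mislabel ports.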