
Nmap Development mailing list archives
Nmap notes from a few conferences
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 10 Jun 2009 00:27:06 +0000
Fellow Nmapers,

I recently spent some time at a couple of security-focused conferences where Nmap was discussed extensively. Specifically, I presented at Internet2 DDCSW on Nmap:

http://security.internet2.edu/ddcsw/

and attended the SANS Pentesting Summit:

http://www.sans.org/pentesting09_summit/

I took notes about some of the topics in the presentations and discussions I had with other security professionals, so here are my notes, opinions, and conclusions about the current state of Nmap and people's perceptions about it.

* Overall the public perception that Nmap is just a port scanner is slowly changing. Beyond OS and service fingerprinting, people are starting to become aware of --traceroute, NSE, Zenmap, and some of the other features we've worked so hard on.

* There are several people that want to release some tool disk/tarball/distribution but are holding off because they want to integrate a new stable Nmap with all of the great features we've added recently. It's great that we're gearing up for a major release; a lot of people are waiting for one.

* Nmap+NSE is making its way into hacking/pentesting/security course material. The more examples and documentation we provide about some of Nmap's cooler features, the faster instructors are going to add more Nmap to their curriculum.

* NSE is being presented in a very good light. The people that are aware of it seem to love it. Leading the way seems to be smb-check-vulns. Obviously people don't think Nmap is a direct Nessus competitor, but smb-check-vulns and NSE are starting to get Nmap mentioned alongside Nessus when discussing vulnerability scanning.

* People don't seem to know about nbstat.nse and are still talking about nbtscan. Ron did some very good work with nbstat. I don't think people know how to scan a very large network for UDP/137 quickly. In our documentation I think we should try to highlight how to use nbstat.nse really quickly.

* People are using Nmap for host discovery *a lot*, but there are some pretty negative opinions about our old default of -PE -PA80. The great news is that David did a bunch of work to find a new set of probes with much better coverage. Security and network pros are going to love this change. We need to make sure we advertise that the default changed to something much smarter. The fact that David did a bunch of empirical analysis and has published numbers is going to help even more.

* People are using Nmap as a generic IP generation tool. It seems that there aren't any good tools out there for random IP generation, generation of IPs in ranges like 192.168.*.1-254, etc. People really like how Nmap does things in that regard. I'm not sure people know about -sL though. A lot of people are doing the IP generation with -sP and a simple probe. In the past we have discussed adding more features to our -iR syntax, and I have some cool ideas about how to do duplicate-free random IP generation in constant memory. If there are areas where we can improve Nmap as an IP tool, we should seriously think about it.

* I have now seen some *really crazy* bash command lines for grabbing NSE script data out of scans. Things like "$ nmap | sed | awk | cut | egrep | sed | perl | awk | tr | sort | xargs ..." and in general I think people love NSE but don't think the output is very machine readable. In fact, it is very hard to really grab NSE output from a normal -oN scan. XML makes it easy to get the script output, but since script output is mostly free-form, people are having trouble parsing it. I don't know what the solution is, but we might think about working on NSE output. Perhaps giving scripts the option of outputting XML so that we aren't embedding -oN script output inside of XML. Also, we might think about adding a new script output format like -oC that is "grepable" or "machine readable" script output. We should think about NSE script output before we have too many scripts to add or change the output format.

* Most people don't know about Ndiff and wish out loud that a tool like Ndiff existed. Others used a very old version of Ndiff and felt like it had a lot of deficiencies. A lot of work was put into improving Ndiff, and we need to make sure the public knows about Ndiff and these improvements.

* Large network operators still don't think of Nmap as scaling to their environment. The most negativity I heard about Nmap came from people with more than 1 /16 network. Part of the problem is that -T5 is a timing option, not a "large network" option. People seem to think about tuning the --xxx-rtt-timeout options and --xxx-parallelism options without touching the --xxx-hostgroup options. Our global congestion control (g-cc) algorithm is also penalizing people scanning large networks. David and Fyodor have put a bunch of time into thinking about g-cc and ways it can be improved. I've talked with David about a number of ideas, and I hope at some point this summer I can try some of his ideas for improving g-cc. In the meantime, Nmap can still scan large networks; we just need to make sure that the documentation and examples are out there. This is mostly what my DDCSW presentation was about.

* People love Nmap and the new stuff we're adding is only making it better. We're doing a great job.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
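The XML side of the script-output problem Brandon describes, as an added example that is not part of his post or of Nmap itself: a small Python extractor that pulls every NSE result out of -oX output into one flat record per host, port and script, then renders it as tab-separated "grepable" lines. The sample XML is constructed (documentation-range addresses, a placeholder check name in the smb-check-vulns output), not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated Nmap -oX output (not a real scan). NSE results
# live in <script id=... output=...> elements under <port> (port scripts)
# or <hostscript> (host scripts); &#xa; is a newline inside the attribute.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sU -p137 --script nbstat -oX -">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-check-vulns" output="check-1: NOT VULNERABLE"/>
    </port></ports>
    <hostscript>
      <script id="nbstat" output="NetBIOS name: FILESRV&#xa;NetBIOS MAC: 00:11:22:33:44:55"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript>
      <script id="nbstat" output="NetBIOS name: PRINTER1&#xa;NetBIOS MAC: &lt;unknown&gt;"/>
    </hostscript>
  </host>
</nmaprun>
"""


def extract_script_output(xml_text):
    """Return one (address, port, script_id, output) tuple per NSE result.

    port is "proto/number" for port scripts and None for host scripts, so a
    consumer never has to guess which kind of script produced the line.
    """
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            spec = port.get("protocol") + "/" + port.get("portid")
            for s in port.findall("script"):
                rows.append((addr, spec, s.get("id"), s.get("output", "")))
        for s in host.findall("hostscript/script"):
            rows.append((addr, None, s.get("id"), s.get("output", "")))
    return rows


def to_grepable(rows):
    """One tab-separated line per result; embedded newlines in the free-form
    script text are folded to ' | ' so a single grep/cut stage can use it."""
    return ["\t".join([a, p or "-", sid, out.replace("\n", " | ")])
            for a, p, sid, out in rows]


if __name__ == "__main__":
    print("\n".join(to_grepable(extract_script_output(SAMPLE_XML))))
```

Feed it real output with `nmap ... -oX scan.xml` and `extract_script_output(open("scan.xml").read())`; nothing here depends on which scripts ran.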