Nmap notes from a few conferences
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 10 Jun 2009 00:27:06 +0000
I recently spent some time at a couple of security-focused conferences
where Nmap was discussed extensively. Specifically, I presented at
Internet2 DDCSW on Nmap:
and attended the SANS Pentesting Summit:
I took notes about some of the topics in the presentations and
discussions I had with other security professionals, so here are my
notes, opinions, and conclusions about the current state of Nmap and
people's perceptions about it.
* Overall the public perception that Nmap is just a port scanner is
slowly changing. Beyond OS and Service fingerprinting, people are
starting to become aware of --traceroute, NSE, Zenmap, and some of
the other features we've worked so hard on.
* There are several people that want to release some tool
  disk/tarball/distribution but are holding off because they want to
  integrate a new stable Nmap with all of the great features we've
  added recently. It's great that we're gearing up for a major
  release; a lot of people are waiting for one.
* Nmap+NSE is making its way into hacking/pentesting/security course
material. The more examples and documentation we provide about some
of Nmap's cooler features the faster instructors are going to add
more Nmap to their curriculum.
* NSE is being presented in a very good light. The people that are
aware of it seem to love it. Leading the way seems to be
smb-check-vulns. Obviously people don't think Nmap is a direct Nessus
competitor but smb-check-vulns and NSE are starting to get Nmap
mentioned alongside Nessus when discussing vulnerability scanning.
* People don't seem to know about nbstat.nse and are still talking
  about nbtscan. Ron did some very good work with nbstat. I don't
  think people know how to scan a very large network for UDP/137 quickly.
  In our documentation I think we should try to highlight how to use
  nbstat.nse really quickly.
* People are using Nmap for host discovery *a lot* but there are some
  pretty negative opinions about our old default of -PE -PA80. The
  great news is that David did a bunch of work to find a new set of
  probes with much better coverage. Security and network pros are
  going to love this change. We need to make sure we advertise that
  the default changed to something much smarter. The fact that David
  did a bunch of empirical analysis and has published numbers is going
  to help even more.
* People are using Nmap as a generic IP generation tool. It seems
  that there aren't any good tools out there for random IP generation,
  generation of IPs in ranges like 192.168.*.1-254, etc. People really
  like how Nmap does things in that regard. I'm not sure people know
  about -sL though. A lot of people are doing the IP generation with
  -sP and a simple probe. In the past we have discussed adding more
  features to our -iR syntax and I have some cool ideas about how to do
  duplicate-free random IP generation in constant memory. If there are
  areas where we can improve Nmap as an IP tool we should seriously
  think about it.
* I have now seen some *really crazy* bash command lines for grabbing
  NSE script data out of scans. Things like "$ nmap | sed | awk | cut |
  egrep | sed | perl | awk | tr | sort | xargs ..." and in general I
  think people love NSE but don't think the output is very machine
  readable. In fact, it is very hard to really grab NSE output from a
  normal -oN scan. XML makes it easy to get the script output but
  since script output is mostly free-form people are having trouble
  parsing it. I don't know what the solution is but we might think
  about working on NSE output. Perhaps giving scripts the option of
  outputting XML so that we aren't embedding -oN script output inside
  of XML. Also, we might think about adding a new script output format
  like -oC that is "grepable" or "machine readable" script output. We
  should think about NSE script output before we have too many scripts
  to add or change the output format.
* Most people don't know about Ndiff and wish out loud that a tool like
  Ndiff existed. Others used a very old version of Ndiff and felt like
  it had a lot of deficiencies. A lot of work was put into improving
  Ndiff and we need to make sure the public knows about Ndiff and these
* Large network operators still don't think of Nmap as scaling to their
  environment. The most negativity I heard about Nmap came from people
  with more than one /16 network. Part of the problem is that -T5 is a
  timing option, not a "large network" option. People seem to think
  about tuning the --xxx-rtt-timeout options and --xxx-parallelism
  options without touching the --xxx-hostgroup options. Our
  global-congestion-control (g-cc) algorithm is also penalizing people
  scanning large networks. David and Fyodor have put a bunch of time
  into thinking about g-cc and ways it can be improved. I've talked
  with David about a number of ideas and I hope at some point this
  summer I can try some of his ideas for improving g-cc. In the meantime,
  Nmap can still scan large networks, we just need to make sure
  that the documentation and examples are out there. This is mostly
  what my DDCSW presentation was about.
* People love Nmap and the new stuff we're adding is only making it
better. We're doing a great job.
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
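The message above complains that NSE script output is hard to pull out of a normal -oN scan and that, although -oX makes the script elements easy to find, people still end up with long sed/awk/cut pipelines. As an added example (not part of Brandon's message and not code from the Nmap project), the Python script below reads Nmap XML output, walks the per-port <script> and host-level <hostscript>/<script> elements, and flattens each result to one tab-separated line of the kind the proposed "grepable" -oC format would give. The embedded XML is a constructed sample modelled on the -oX layout (address, ports/port/script, hostscript/script with id and output attributes), not real scan data; the IPs, names and MAC are placeholders.

```python
"""Flatten NSE script results from Nmap XML (-oX) into grepable lines.

Added example; not code from the original message or from the Nmap
project. SAMPLE_XML below is a constructed fragment modelled on Nmap's
-oX format; the hosts, names and MAC address are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample, not real scan data. Note that script output is
# stored free-form in the "output" attribute, newlines included (&#xa;).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - --script smb-os-discovery,nbstat 192.0.2.0/30">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
        <script id="smb-os-discovery" output="  OS: Windows XP (Windows 2000 LAN Manager)&#xa;  Name: WORKGROUP\\HOST1"/>
      </port>
    </ports>
    <hostscript>
      <script id="nbstat" output="NetBIOS name: HOST1, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 00:11:22:33:44:55"/>
    </hostscript>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def flatten(text):
    """Join the lines of a free-form script output into one line."""
    return " | ".join(line.strip() for line in text.splitlines() if line.strip())


def host_address(host):
    """Pick the IP address of a <host>; MAC addresses are skipped."""
    for addr in host.findall("address"):
        if addr.get("addrtype") in ("ipv4", "ipv6"):
            return addr.get("addr")
    return "?"


def extract_script_results(xml_text):
    """Return (addr, proto, port, script_id, output) tuples, one per result.

    Port scripts come from <ports>/<port>/<script>; host scripts from
    <hostscript>/<script> and are tagged proto='host', port='-' so that
    every row has the same five columns.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host_address(host)
        for port in host.findall("ports/port"):
            for script in port.findall("script"):
                rows.append((addr, port.get("protocol"), port.get("portid"),
                             script.get("id"), flatten(script.get("output", ""))))
        for script in host.findall("hostscript/script"):
            rows.append((addr, "host", "-", script.get("id"),
                         flatten(script.get("output", ""))))
    return rows


def filter_script(rows, script_id):
    """Keep only the results produced by one script, e.g. 'nbstat'."""
    return [row for row in rows if row[3] == script_id]


def to_tsv(rows):
    """Render rows as tab-separated text: addr, proto, port, script, output."""
    return "\n".join("\t".join(row) for row in rows)


if __name__ == "__main__":
    results = extract_script_results(SAMPLE_XML)
    print(to_tsv(results))
    # With real data: nmap -oX scan.xml ... ; then feed open("scan.xml").read()
    # to extract_script_results() and pipe the TSV into cut/awk/sort as usual.
```

One row per script result means `cut -f4,5` or `awk -F'\t' '$4=="nbstat"'` does what the long pipelines in the message were trying to do; hosts with no script output (192.0.2.2 above) simply produce no rows.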