
Nmap Development mailing list archives
Re: NSE without ping or port scanning: interface ideas
From: David Fifield <david () bamsoftware com>
Date: Sat, 18 Jul 2009 23:23:02 -0600
On Fri, Jul 10, 2009 at 01:40:26PM -0600, David Fifield wrote:
> NSE can run host scripts without port scanning, only ping scanning, when you combine -sC with -sP. But sometimes you want to run scripts without even ping scanning. I had to do this while doing whois lookups to select hosts for the ping probe effectiveness tests; obviously I couldn't limit the host selection to hosts that the default host discovery found to be up. Script scanning without ping or port scanning isn't hard to implement, but we've been stumbling over the user interface. These are some ideas.
>
> nmap -sC -sP -PN
>
> This is what I used in my tests. A problem is the seemingly contradictory options -sP -PN. You have to think of -sP not as "ping scan" but as "don't port scan."
>
> nmap -sC -sL
>
> This one is nice because -sL already means "no ping or port scan." However it means that -sL is no longer a guaranteed "safe" scan that doesn't contact the targets.
>
> nmap -sC -PN -s0
>
> -s0 is a made-up option that means "don't port scan," analogous to -PN. -sN would be a better match but that is already NULL scan.
Thanks everyone for your suggestions. Fyodor and I talked about this for a while. We decided on making -PN -sP the recommended way to disable both host discovery and port scanning for now.

A good way to think about this is in terms of the phases of an Nmap scan: http://nmap.org/book/nmap-phases.html. Some phases are run by default, and have a switch to turn them off, and others are not run by default, and have a switch to turn them on.

Run by default, with switch to turn off:
  -n            DNS resolution
  -PN           Host discovery
  -sP           Port scanning

Not run by default, with switch to turn on:
  -sV           version detection
  -O            OS detection
  -sC           script scanning
  --traceroute  traceroute

Viewed in this way, the -PN -sP combination is orthogonal and makes perfect sense, as merely turning off two of the phases that run by default. The main problem is the varying syntax of the various options and the name -sP which suggests "ping scan." To overcome this, we're going to introduce -Pn and -sn synonyms for -PN and -sP. These won't be documented until a version of Nmap supporting them is more widespread. These will make the options to turn off the default phases more regular:
  -n            DNS resolution
  -Pn           Host discovery
  -sn           Port scanning

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
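An added example, not code from this thread or from the Nmap project, showing the "turn off the default phases" reading of the options in practice. It builds a script-only command line (DNS resolution, host discovery and port scanning all switched off, one NSE script switched on), and because the message says the -Pn/-sn synonyms will ship undocumented for a while, it picks whichever spelling the installed Nmap understands. The assumption, not stated on the page, is that `nmap -h` lists each supported option spelling, so the presence of "-sn" and "-Pn" in that text is taken as support for the new synonyms; the two help excerpts embedded below are constructed for offline use and are not real `nmap -h` output. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from Nmap itself): compose an Nmap
# command that runs NSE host scripts with every default phase turned off.
#
# Assumption (not stated on the page): `nmap -h` lists the option spellings
# the binary accepts, so "-sn" and "-Pn" appearing there means the newer
# synonyms are supported; otherwise fall back to the older -PN -sP.

# skip_flags HELPTEXT -> prints "-Pn -sn" (new spelling) or "-PN -sP" (old).
skip_flags() {
    if printf '%s\n' "$1" | grep -q -- '-sn' &&
       printf '%s\n' "$1" | grep -q -- '-Pn'; then
        printf '%s\n' '-Pn -sn'
    else
        printf '%s\n' '-PN -sP'
    fi
}

# nse_only_cmd HELPTEXT SCRIPT TARGET... -> prints the command line to run.
# -n turns off the third default phase (DNS resolution); --script turns on
# script scanning for the named script instead of the -sC default set, so
# every target in the list is handed to the script whether or not host
# discovery would have found it up.
nse_only_cmd() {
    help_text="$1"
    script="$2"
    shift 2
    printf 'nmap -n %s --script %s %s\n' \
        "$(skip_flags "$help_text")" "$script" "$*"
}

# Constructed help excerpts in the two spellings (hypothetical, not real
# `nmap -h` output) so the functions can be exercised without Nmap installed.
HELP_OLD='  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery'
HELP_NEW='  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery'

# Live use: feed the option summary of the installed Nmap; otherwise show
# both spellings against the constructed excerpts (192.0.2.1 is a
# documentation address used here as a placeholder target).
if command -v nmap >/dev/null 2>&1; then
    nse_only_cmd "$(nmap -h 2>&1)" whois 192.0.2.1
else
    nse_only_cmd "$HELP_OLD" whois 192.0.2.1
    nse_only_cmd "$HELP_NEW" whois 192.0.2.1
fi
```

The printed line is meant to be pasted or passed to `sh -c`; it is printed rather than executed so the probe can be checked before anything is sent to the targets. Note that -n also suppresses reverse DNS of the targets, which is fine for an address-keyed lookup like whois but will hide hostnames from any script that wants them.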
Current thread:
- NSE without ping or port scanning: interface ideas David Fifield (Jul 10)
- Re: NSE without ping or port scanning: interface ideas Tom Sellers (Jul 10)
- Re: NSE without ping or port scanning: interface ideas Michael Pattrick (Jul 10)
- Re: NSE without ping or port scanning: interface ideas jah (Jul 10)
- Re: NSE without ping or port scanning: interface ideas David Fifield (Jul 18)
- Re: NSE without ping or port scanning: interface ideas Tom Sellers (Jul 10)