Home page logo

nmap-dev logo Nmap Development mailing list archives

Idea: Use results from host discovery phase in port scan phase
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 4 Mar 2011 12:37:20 -0600

Hi list,

The default host discovery option is equivalent to -PE -PS443 -PA80
-PP. If we run this hypothetical scan:

nmap -p 443 encrypted.google.com

there is a duplication of effort, as evidenced by this tcpdump output:

12:28:23.536532 IP > Flags [S],
seq 3892202539, win 1024, options [mss 1460], length 0
12:28:23.707793 IP > Flags
[S.], seq 3887723085, ack 3892202540, win 5720, options [mss 1430],
length 0
12:28:23.707853 IP > Flags [R],
seq 3892202540, win 0, length 0
12:28:23.891905 IP > Flags [S],
seq 2244006275, win 2048, options [mss 1460], length 0
12:28:24.071209 IP > Flags
[S.], seq 3893282166, ack 2244006276, win 5720, options [mss 1430],
length 0
12:28:24.071251 IP > Flags [R],
seq 2244006276, win 0, length 0

Interestingly, this command:

nmap -PE -p 443 encrypted.google.com

also shows the host as up, but only generates one SYN-SYN/ACK-RST
handshake, indicating that the man page is incorrect in its ordering
of the probes. But my main point is: can we use the fact that the host
discovery phase found port 443 open to skip scanning it again in the
port scanning phase? I realize not much is gained, but in terms of IDS
evasion, it might be just enough to make some difference, especially
if the number of scanned ports is relatively low (e.g. 1 or 2).

If something is made of this, then other scan types could benefit as
well. Results from -PA feed -sA, -PE and -PP feed -sO, etc. Just a

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]