Nmap Development mailing list archives

Re: Idea: Use results from host discovery phase in port scan phase
From: David Fifield <david () bamsoftware com>
Date: Mon, 14 Mar 2011 15:42:31 -0700

On Fri, Mar 04, 2011 at 12:37:20PM -0600, Daniel Miller wrote:
Hi list,

The default host discovery option is equivalent to -PE -PS443 -PA80
-PP. If we run this hypothetical scan:

nmap -p 443 encrypted.google.com

there is a duplication of effort, as evidenced by this tcpdump output:

12:28:23.536532 IP > Flags [S],
seq 3892202539, win 1024, options [mss 1460], length 0
12:28:23.707793 IP > Flags
[S.], seq 3887723085, ack 3892202540, win 5720, options [mss 1430],
length 0
12:28:23.707853 IP > Flags [R],
seq 3892202540, win 0, length 0
12:28:23.891905 IP > Flags [S],
seq 2244006275, win 2048, options [mss 1460], length 0
12:28:24.071209 IP > Flags
[S.], seq 3893282166, ack 2244006276, win 5720, options [mss 1430],
length 0
12:28:24.071251 IP > Flags [R],
seq 2244006276, win 0, length 0

That's a good idea. If someone wants to write a patch I think it would
be welcome.

A more extreme idea is to match UDP payload replies during port scanning
or host discovery, and avoid some duplication of effort in service
detection. It would be kind of like how NSE scripts can change service

Interestingly, this command:

nmap -PE -p 443 encrypted.google.com

also shows the host as up, but only generates one SYN-SYN/ACK-RST
handshake, indicating that the man page is incorrect in its ordering
of the probes.

Are you sure? You haven't specified a TCP host discovery in the command
above, so exactly one SYN is expected. I just tested with --packet-trace
and I get

SENT (0.0800s) ICMP > Echo request (type=8/code=0) ttl=39 id=14470 iplen=28
RCVD (0.0850s) ICMP > Echo reply (type=0/code=0) ttl=52 id=29397 iplen=28
SENT (0.1440s) TCP > S ttl=38 id=34845 iplen=44  seq=158718695 win=3072 <mss 1460>
RCVD (0.1570s) TCP > SA ttl=52 id=29398 iplen=44  seq=1448735918 win=5720 <mss 

Adding -PS443 adds another SYN to port 443, but it comes after the first

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
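As an added illustration of the two points raised in this message, the duplicated SYN to port 443 and the order in which the default discovery probes leave the wire, here is a small Python parser for Nmap --packet-trace output. It is example code written for this archive page, not Nmap's code and not something posted in the thread. The trace it reads is constructed (addresses, ports, IP ids and timings are made up, since the thread's own trace has its addresses stripped), and the line shape it expects is the SENT/RCVD format shown above with the addresses filled back in; it assumes a host whose TCP/443 is open. The last function sketches the optimization proposed in the thread: a port whose state was already learned from a discovery SYN/ACK or RST need not be probed again in the port-scan phase.

```python
import re
from collections import Counter

# Constructed sample of Nmap --packet-trace output (addresses, ports, ids and
# timings are made up). It models the default host discovery
# (-PE -PS443 -PA80 -PP) against a host whose TCP/443 is open, followed by
# the port-scan SYN to the same port, i.e. the duplication the thread describes.
SAMPLE_TRACE = """\
SENT (0.0800s) ICMP 192.0.2.10 > 198.51.100.5 Echo request (type=8/code=0) ttl=39 id=14470 iplen=28
SENT (0.0810s) TCP 192.0.2.10:40000 > 198.51.100.5:443 S ttl=38 id=34845 iplen=44  seq=158718695 win=3072 <mss 1460>
SENT (0.0820s) TCP 192.0.2.10:40000 > 198.51.100.5:80 A ttl=41 id=2201 iplen=40  seq=0 win=1024
SENT (0.0830s) ICMP 192.0.2.10 > 198.51.100.5 Timestamp request (type=13/code=0) ttl=45 id=9917 iplen=40
RCVD (0.0850s) ICMP 198.51.100.5 > 192.0.2.10 Echo reply (type=0/code=0) ttl=52 id=29397 iplen=28
RCVD (0.0860s) TCP 198.51.100.5:443 > 192.0.2.10:40000 SA ttl=52 id=29398 iplen=44  seq=1448735918 win=5720 <mss 1430>
SENT (0.1440s) TCP 192.0.2.10:40001 > 198.51.100.5:443 S ttl=38 id=10001 iplen=44  seq=2244006275 win=2048 <mss 1460>
RCVD (0.1570s) TCP 198.51.100.5:443 > 192.0.2.10:40001 SA ttl=52 id=29399 iplen=44  seq=3893282166 win=5720 <mss 1430>
"""

# Assumed line shapes: "SENT (t s) TCP src:sport > dst:dport FLAGS ..." and
# "SENT (t s) ICMP src > dst Kind (type=N/code=M) ...".
TCP_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+) ")
ICMP_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) ICMP (?P<src>[\d.]+) > (?P<dst>[\d.]+) "
    r"(?P<kind>[A-Za-z ]+?) \(type=(?P<type>\d+)/code=(?P<code>\d+)\)")


def parse_trace(text):
    """Turn packet-trace lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            events.append({"dir": m["dir"], "time": float(m["t"]), "proto": "TCP",
                           "dst": m["dst"], "sport": int(m["sport"]),
                           "dport": int(m["dport"]), "flags": m["flags"]})
            continue
        m = ICMP_RE.match(line)
        if m:
            events.append({"dir": m["dir"], "time": float(m["t"]), "proto": "ICMP",
                           "dst": m["dst"], "sport": None, "dport": None,
                           "flags": m["kind"]})
    return events


def sent_probe_order(events):
    """Short labels for every SENT probe, in the order it left the wire.

    This is the check to run when comparing the man page's probe ordering
    against what Nmap actually emits.
    """
    sent = sorted((e for e in events if e["dir"] == "SENT"), key=lambda e: e["time"])
    return [f"TCP {e['flags']} -> {e['dport']}" if e["proto"] == "TCP"
            else f"ICMP {e['flags']}" for e in sent]


def duplicate_syn_probes(events):
    """Count SENT TCP SYNs per (dst, port); anything above 1 is repeated work."""
    counts = Counter((e["dst"], e["dport"]) for e in events
                     if e["dir"] == "SENT" and e["proto"] == "TCP" and e["flags"] == "S")
    return {key: n for key, n in counts.items() if n > 1}


def port_states_from_replies(events):
    """Map a probed port to 'open'/'closed' from the first TCP reply seen for it.

    A SYN/ACK means open and an RST means closed, the same evidence a SYN scan
    would collect, so these answers could be reused instead of re-probing.
    """
    states = {}
    for e in sorted((e for e in events if e["dir"] == "RCVD" and e["proto"] == "TCP"),
                    key=lambda e: e["time"]):
        flags = e["flags"]
        if "S" in flags and "A" in flags:
            states.setdefault(e["sport"], "open")
        elif "R" in flags:
            states.setdefault(e["sport"], "closed")
    return states


def split_scan_ports(events, scan_ports):
    """Split the requested port list into (already known from replies, still to probe)."""
    known = port_states_from_replies(events)
    reusable = {p: known[p] for p in scan_ports if p in known}
    remaining = [p for p in scan_ports if p not in known]
    return reusable, remaining


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print("probe order:", sent_probe_order(evs))
    print("duplicated SYNs:", duplicate_syn_probes(evs))
    print("reusable / remaining for -p 443,8443:", split_scan_ports(evs, [443, 8443]))
```

Run against a real `nmap --packet-trace` capture instead of SAMPLE_TRACE, `duplicate_syn_probes` reports exactly the second SYN to 443 that the tcpdump output in the quoted message shows, and `sent_probe_order` gives the ordering David tested with -PE alone.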
