Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Using --top-ports for UDP selection only?
From: Chris Clements <cclements () flatearth net>
Date: Thu, 28 Apr 2011 10:06:05 -0500

Makes sense.  Actually a bit embarrassed I didn't think of getting the top
UDP ports like that before…

I also agree with your thoughts on increasing complexity, however, my
argument would be that this particular scenario is (or will become) very
common.  Specifically due to PCI ASV scanning requirements:

From the ASV program guide, page 13:

Perform service discovery

The ASV scan solution must perform a port scan on all Transmission Control
Protocol (TCP) ports. The ASV scan solution must also perform a port scan on
common User Datagram Protocol (UDP) ports, including UDP ports related to
the following services:
* Authentication services such as RADIUS and Kerberos
* Backdoors and remote access applications
* Backup applications
* Database servers
* DNS (Domain Name System)
* NetBIOS and CIFS
* NFS (Network File System)
* NTP (Network Time Protocol)
* P2P (peer-to-peer) and chat applications
* Routing protocols, including RIP (Routing Information Protocol)
* RPC (Remote Procedure Call) and RPC endpoint mapping
* SNMP (Simple Network Management Protocol) and SNMP trap
* Syslog
* TFTP (Trivial File Transfer Protocol)
* NPNs (Virtual Private Networks), including ISAKMP, L2TP, and NAT-T
* Other common UDP ports that may expose the scan customer to
vulnerabilities, including ports associated with malicious activity
Just my 2 cents.  Thanks as always for such a great tool.


From:  Fyodor <fyodor () insecure org>
Date:  Thu, 28 Apr 2011 01:38:48 -0700
To:  Chris Clements <cclements () flatearth net>
Cc:  "nmap-dev () insecure org" <nmap-dev () insecure org>
Subject:  Re: Using --top-ports for UDP selection only?

On Thu, Apr 21, 2011 at 12:59:41PM -0500, Chris Clements wrote:
Hi all,

Is there a way I can tell nmap to scan all TCP ports, but only the top, say,
200 most common UDP ports?  My first thought was to use "�op-ports 200" and
specifying only TCP ports with ­p (-p T:1-65535), but it seems that
specifying specific TCP ports  overrides the top port selection for UDP.

Admittedly this is a little bit of a hack, but I first generate the
list of top UDP ports (10 in this case):

./nmap -oX - -sU --top-ports 10

The output 'scaninfo' line includes the services list in Nmap format:


So then I can run Nmap with:

-p T:1-65535,U:53,67,123,135,137-138,161,445,631,1434

Of course if this becomes a common incantation, you save the Nmap
command string to use later.  Or you can get all fancy and make a
custom nmap-services with just those ports you're interested in.

Maybe we could make this easier with special options (or changes to
the way existing options are interpreted).  But I worry about making
Nmap's command-line API even more complex.  And there are a lot of
things people might want to do.  In your case you want "all TCP ports
but only the top UDP ports".  Other people might want "the top 100 TCP
ports, plus these few", and still others might say "the top 100 ports,
except definitely not hpjetdirect".  So maybe it is easiest for people
to just get the port string as shown above and manipulate it as they
wish, then pass it to Nmap.


Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]