Nmap Development mailing list archives

Re: Fwd: SOC idea
From: Jason Gerfen <jason.gerfen () gmail com>
Date: Sat, 11 Jan 2014 05:02:30 -0700

On Fri, Jan 10, 2014 at 8:22 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
> On 01/10/2014 06:48 AM, Jason Gerfen wrote:
>
>>> 1. Your Github readme suggests that you might be using Nmap 5.51. If this
>>> is the case, do upgrade to the latest version before benchmarking your
>>> otherwise you might be wasting time.
>>
>> I am currently using and testing against 5.51, so green there.
>
> The current version is 6.40, just to clarify. I am not really aware of any
> significant changes in host discovery between these versions. Here are the
> relevant entries in the changelog:
>
> o Added a new --disable-arp-ping option. This option prevents Nmap
>   from implicitly using ARP or ND host discovery for discovering
>   directly connected Ethernet targets. This is useful in networks
>   using proxy ARP, which make all addresses appear to be up using ARP
>   scan. The previously recommended workaround for this situation,
>   --send-ip, didn't work on Windows because that lame excuse for an
>   operating system is still missing raw socket support.  [David
>   Fifield (editorializing added by Fyodor)]
>
> o Made source port numbers (used to encode probe metadata) increment
>   so as not to overlap between different scanning phases. Previously
>   it was possible for an RST response to an ACK probe from host
>   discovery to be misinterpreted as a reply to a SYN probe from port
>   scanning. [Sean Rivera, David Fifield]
>
> o Targets requiring different source addresses now go into different
>   hostgroups, not only for host discovery but also for port scanning.
>   Before, only responses to one of the source addresses would be
>   processed, and the others would be ignored. [David]
>
> o Nmap has long supported IPv6 for basic (connect) port scans, basic
>   host discovery, version detection, Nmap Scripting Engine.  This
>   release dramatically expands and improves IPv6 support:
>   + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
>     etc.) are now supported. [David, Weilin]
>   + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
>     discovery packets, etc.) is now supported. [David, Weilin]
>   + IPv6 traceroute is now supported [David]
>   + The --exclude and --excludefile now support IPV6 addresses with
>     netmasks.  [Colin]
>
>>> 2. Consider using -oX instead of -oG. This way you will get an output
>>> less likely to be changed in the future. As far as I know, -oG is meant
>>> to be read by a human, not parsed by a machine.
>>
>> Am I wrong to assume -oG will allow the following?
>>
>> $ nmap -sn -oG - | awk 'up { print }'
>>
>> Really due to the nature of the language, in this case node.js which
>> relies heavily upon Objects, and more specifically JSON formatted
>> objects, a simple regex combined with a capture group of the results is
>> going to be faster than traversing XML elements.
>
> -oG is "deprecated," which for our purposes means that the format is fixed
> and will not change. New features (NSE scripts, traceroute, etc) will not
> get their output added to -oG files. For host discovery, this is probably
> sufficient for your purposes. Just realize that XML is more complete, if you
> plan on extending your interface to support more thorough scanning.

Does that mean that it will be going away anytime soon? If so I would
move to parsing with XML or even leaving the XML response parsing to
anyone implementing the project, but ideally a smaller footprint is
going to be ideal for this project.

> Looks cool!

Thanks, I am working on the detail scanning portion now in branch v0.0.3-scan.
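
An added example, not code from Jason's project or from Nmap, of the regex-with-capture-groups approach discussed above applied to grepable (-oG) host-discovery output in Node.js; the sample lines are constructed and the function and variable names are my own.

```javascript
// Parse Nmap "grepable" (-oG) host-discovery lines into plain JSON objects.
// Added example; the sample below is constructed, not real scan output.

// Constructed sample of `nmap -sn -oG -` output: tab-separated fields,
// comment/summary lines start with '#'.
const SAMPLE_GREPABLE = [
  '# Nmap 6.40 scan initiated Sat Jan 11 05:00:00 2014 as: nmap -sn -oG - 192.168.1.0/29',
  'Host: 192.168.1.1 (gw.example)\tStatus: Up',
  'Host: 192.168.1.2 ()\tStatus: Up',
  'Host: 192.168.1.5 ()\tStatus: Down',
  '# Nmap done at Sat Jan 11 05:00:02 2014 -- 8 IP addresses (2 hosts up) scanned in 1.52 seconds',
].join('\n');

// One regex, three capture groups: address, optional reverse-DNS name, status.
// The address group accepts IPv4 or IPv6 literals alike.
const HOST_LINE = /^Host:\s+(\S+)\s+\(([^)]*)\)\tStatus:\s+(Up|Down)$/;

function parseGrepable(text) {
  const hosts = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue; // skip comment/summary lines
    const m = HOST_LINE.exec(line);
    if (!m) continue; // the format is frozen, but stay defensive about unknown lines
    hosts.push({ address: m[1], hostname: m[2] || null, status: m[3] });
  }
  return hosts;
}

// Convenience: only the addresses that answered host discovery.
function upHosts(text) {
  return parseGrepable(text)
    .filter((h) => h.status === 'Up')
    .map((h) => h.address);
}

console.log(JSON.stringify(parseGrepable(SAMPLE_GREPABLE), null, 2));
```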

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
