Re: Nmap questions for the experts

[Javier Reyna Padilla <jreyna () onlinet com mx>]

Just  few comments:


Javier Reyna

mark mark wrote:
> Hi,
>
> I have some questions regarding nmap. I'm not sure if this is the
> proper list, i just searched google and found some people asking
> nmap-related questions here. Anyway, here are my questions:
>
>
> 1. Is there any way I can specify two different source port for nmap's
> -g when doing a TCP and UDP scan at the same time? Usually, I specify
> -g 53. However, I think it would be more effective if I will use port
> 20 (ftp) as my TCP source port, and just use port 50(DNS) as my UDP
> source port. I tried specifying both but only the latter port was used
> by nmap.
>   

If you wanto to do something special with packets,, try hping or scapy,, 
I really love scapy.
> 2. Do you really use nmap before running nessus? I just read the
> methodology in our report template and read that the reason why nmap
> is being used before nessus is because it lessens the amount of work
> done by nessus in doing port scanning. Only open ports will be fed to
> nessus for vulnerability assessment. However when doing security
> assessment, I noticed that most of pentesters rely heavily on nessus
> and just completely forget about nmap since nessus can also do port
> scanning and os fingerprinting as well.
>   
I run nmap sometimes, but nessus does it really well so mapping with 
nmap ans then with nessus i think is a little redundant.

> 3. Is there any way I can specify a file which contains a list of
> ports that I want to exclude from my scan? I've read the nmap manual
> and learned that by default it scans for upto 1024 + all those higher
> numbered ports listed in nmap-services. After running a scan, I wanted
> to scan all the ports up to 65535 but I don't want to include all
> those ports that have already been scanned by nmap.
>
> Here is the nmap command I use all the time during a pentest project:
>
>  nmap -PE -PM -PO -PS -PA -PP -PU -n -sS -sU -g 53 -sV --version-all
> -O -T4  --open --log-errors --reason -iL targets.txt -oN syn.txt
>
> 4. Do you also use host discovery that heavily using all combinations
> of techniques or you just don't do host discovery at all (-PN)?
> I notice that most of my collegues ignore host discovery totally,
> while I prefer doing it extensively (all techniques), so that I can
> decrease the port scan time yet with a reliable result (not missing a
> host protected by firewall).
>
>   
I do not use host discovery, because some hosts have already firewalls 
and drop pings, so if you know the host is there you have already 
dicovered it right? So just portscan it.  Ofcourse you doesn't know all 
host, it takes a little more time to scan without host discovery but the 
scan does not stop because of  blocked icmp.
> 5. Sometimes I encounter error saying "Negative Time Delta...
> QUITTING" and tried searching google but couldn't find anything
> useful. Any idea what's the cause of it? After getting that error i
> just simply run the scan again and it would start working fine again.
>
> 6. Anyone experiencing this error "nselib not a directory" when
> running the script scan?
>
>
>
> That's all for now..
> thanks for your replies.
>
> -mark
>
>