Re: Nmap questions for the experts

["Ray Winata" <mr.ray.winata () gmail com>]

Hi Mark,

1. I don't think you can run the scan from 2 source port at a time.
But u can run 2 nmap scan at a time.
2. usuallay we use nmap for first step of pen test doing the network
reconnaisance. To gather as much information we can get. Actually we
can get more information from nmap not only to find open port, OS
version only. Play around with fin, null scan or zombie and see the
different result. If the customer already have firewall sometimes
they'll drop your packet and block your IP, if they detect a port
scan. Samspade also a good point to start with. Then continue using
nessus for further analysis like vulnerability mapping for doing
exploitation ( if the customer approved that we allowed to do that).
3. you can specify port range, -p U:53,111,137,T:21-25,80,139,8080. -u
for UDP and -p for TCP
4. this take a long time to proceed, and we still have to use lots
other tools and process as well. Depends on howmuch the customer wants
to pay for the project.
5 and 6, it's just one of those things happened. What tiger box do you
build for these tools? I prefer red hat to build my tiger box, just
run smoothly.

Cheers - Ray

On 7/24/08, Javier Reyna Padilla <jreyna () onlinet com mx> wrote:
> Just  few comments:
>
>
> Javier Reyna
>
> mark mark wrote:
> > Hi,
> >
> > I have some questions regarding nmap. I'm not sure if this is the
> > proper list, i just searched google and found some people asking
> > nmap-related questions here. Anyway, here are my questions:
> >
> >
> > 1. Is there any way I can specify two different source port for nmap's
> > -g when doing a TCP and UDP scan at the same time? Usually, I specify
> > -g 53. However, I think it would be more effective if I will use port
> > 20 (ftp) as my TCP source port, and just use port 50(DNS) as my UDP
> > source port. I tried specifying both but only the latter port was used
> > by nmap.
>
> If you wanto to do something special with packets,, try hping or scapy,, I
> really love scapy.
> > 2. Do you really use nmap before running nessus? I just read the
> > methodology in our report template and read that the reason why nmap
> > is being used before nessus is because it lessens the amount of work
> > done by nessus in doing port scanning. Only open ports will be fed to
> > nessus for vulnerability assessment. However when doing security
> > assessment, I noticed that most of pentesters rely heavily on nessus
> > and just completely forget about nmap since nessus can also do port
> > scanning and os fingerprinting as well.
> I run nmap sometimes, but nessus does it really well so mapping with nmap
> ans then with nessus i think is a little redundant.
>
> > 3. Is there any way I can specify a file which contains a list of
> > ports that I want to exclude from my scan? I've read the nmap manual
> > and learned that by default it scans for upto 1024 + all those higher
> > numbered ports listed in nmap-services. After running a scan, I wanted
> > to scan all the ports up to 65535 but I don't want to include all
> > those ports that have already been scanned by nmap.
> >
> > Here is the nmap command I use all the time during a pentest project:
> >
> >  nmap -PE -PM -PO -PS -PA -PP -PU -n -sS -sU -g 53 -sV --version-all
> > -O -T4  --open --log-errors --reason -iL targets.txt -oN syn.txt
> >
> > 4. Do you also use host discovery that heavily using all combinations
> > of techniques or you just don't do host discovery at all (-PN)?
> > I notice that most of my collegues ignore host discovery totally,
> > while I prefer doing it extensively (all techniques), so that I can
> > decrease the port scan time yet with a reliable result (not missing a
> > host protected by firewall).
> I do not use host discovery, because some hosts have already firewalls and
> drop pings, so if you know the host is there you have already dicovered it
> right? So just portscan it.  Ofcourse you doesn't know all host, it takes a
> little more time to scan without host discovery but the scan does not stop
> because of  blocked icmp.
>
> > 5. Sometimes I encounter error saying "Negative Time Delta...
> > QUITTING" and tried searching google but couldn't find anything
> > useful. Any idea what's the cause of it? After getting that error i
> > just simply run the scan again and it would start working fine again.
> >
> > 6. Anyone experiencing this error "nselib not a directory" when
> > running the script scan?
> >
> >
> >
> > That's all for now..
> > thanks for your replies.
> >
> > -mark