Nmap Announce mailing list archives
Re: Firewalled Flooding
From: Fyodor <fyodor () dhp com>
Date: Sun, 21 Nov 1999 04:20:22 -0500 (EST)
On Fri, 5 Nov 1999, phantom rewt wrote:
Question: Can I use nmap to scan ONLY open ports and ignore the filtered ones? Is there such an option?
An option to only scan the open ports? If Nmap knew which ports were open then there wouldn't be much point in scanning :).

Seriously though -- I agree that Nmap does take too long to scan some heavily filtered hosts. The root of the problem is that when hosts don't give *any* type of response to the scan, Nmap does not know whether it is safe to speed up. And it has to perform more retransmissions to account for the possibility that the probe packet was dropped on the network by a congested router rather than intentionally by a firewall.

That being said, there are *some* optimisations I can do to speed up these types of scans. I have released 2.3BETA8 which makes major strides in this area (but keep in mind it will still be much slower than scanning unfirewalled hosts). See http://www.insecure.org/nmap/ .

Here are the changes for BETA8:

-- Added "firewall mode" timing optimizations which can decrease the amount of time necessary to SYN or connect scan some heavily filtered hosts.
-- Added min_rtt_timeout timing option (see man page for details)
-- Changed "TCP Ping" to use a random ACK value rather than 0 (an IDS called Snort was using this to detect Nmap TCP Pings).
-- Some changes for better Alpha/Linux support based on investigation by Bill Beers <wbeers () carolina rr com>
-- Applied changes for FDDI support by Tobias J. Nijweide <tobias () mesa nl>
-- Applied a socket binding patch from LaMont Jones <lamont () security hp com> which can be useful when using -S to specify one of multiple interfaces on a machine.
-- Made OS detection smart enough to first check scan results for a known closed port instead of immediately resorting to a random one. This improves OS detection against some machines behind packet filters. (suggested by van Hauser)
-- Applied a shortcut suggestion by Thomas Reinke which can lead to a tremendous speedup against some firewalled hosts.
-- Added some ports commonly used for RPC to nmap-services
-- Fixed a problem with the timing of an RPC scan (could come before the UDP scans they rely on)
-- Added a number of new ports to nmap-services

Note that this version does not include new fingerprints -- I haven't had a chance to integrate them in yet.

By the way, does anyone know of a fast HTTP Basic Auth cracker for UNIX? I've seen ADM's http-crack and ADMw3pass, but I am looking for something faster. It would be nice if it did sshd as well :). I'll write my own if I have to, but I wanted to see what you guys are using first.

Cheers,
Fyodor

--
Fyodor 'finger pgp () pgp insecure org | pgp -fka'
Frustrated by firewalls? Try nmap: http://www.insecure.org/nmap/
"The percentage of users running Windows NT Workstation 4.0 whose PCs stopped working more than once a month was less than half that of Windows 95 users."
-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp
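The timing problem Fyodor describes (silence from a filtered port looks exactly like a probe lost to congestion, so the scanner must wait a full timeout and retransmit, and it has no RTT sample from which to shorten that timeout) can be seen in a small model. The following is an added example written for this archive page, not Nmap's own scan engine; the smoothing formula, the default timeout values and the target descriptions are all constructed for illustration, and the `min_rtt_timeout` field only models the floor that the option of that name places under the per-probe wait. Late replies are treated as lost, which is a simplification.

```python
"""Toy model of SYN-scan timing against open, closed and filtered ports.

Added example, not Nmap code. Open and closed ports answer within one RTT;
a filtered port never answers, so each probe to it costs a full timeout and
is retransmitted max_retries times. The timeout is derived from observed
RTTs, clamped to [min_rtt_timeout, max_rtt_timeout], and cannot shrink at
all while nothing answers.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Timing:
    initial_rtt_timeout: float = 6.0  # used before any RTT sample exists (assumed value)
    min_rtt_timeout: float = 0.3      # floor on the timeout (assumed value)
    max_rtt_timeout: float = 10.0     # ceiling on the timeout (assumed value)
    max_retries: int = 3              # retransmissions before reporting "filtered"
    srtt: Optional[float] = None      # smoothed RTT, None until the first reply
    rtt_timeout: float = field(init=False)

    def __post_init__(self) -> None:
        self.rtt_timeout = self.initial_rtt_timeout

    def observe_rtt(self, rtt: float) -> None:
        """Fold a measured RTT into the estimate and recompute the timeout."""
        self.srtt = rtt if self.srtt is None else 0.875 * self.srtt + 0.125 * rtt
        self.rtt_timeout = min(self.max_rtt_timeout,
                               max(self.min_rtt_timeout, 2.0 * self.srtt))


# port -> (true state, RTT in seconds, probes the network drops before one
# gets through). Filtered ports drop everything regardless of the last field.
Target = Dict[int, Tuple[str, float, int]]


def scan(ports: Target, t: Timing) -> Tuple[Dict[int, str], float]:
    """Probe every port once per attempt; return (verdicts, simulated seconds).

    Probes are modelled one at a time. Nmap parallelises them, which divides
    the wall-clock time but not the per-port cost shown here.
    """
    verdicts: Dict[int, str] = {}
    elapsed = 0.0
    for port, (state, rtt, dropped) in sorted(ports.items()):
        verdict = "filtered"  # what silence is reported as
        for attempt in range(t.max_retries + 1):
            if state == "filtered" or attempt < dropped or rtt > t.rtt_timeout:
                # No usable reply: nothing came back, or it came after we gave up.
                elapsed += t.rtt_timeout
                continue
            elapsed += rtt
            t.observe_rtt(rtt)  # only answered probes teach the scanner anything
            verdict = state
            break
        verdicts[port] = verdict
    return verdicts, elapsed


# Constructed targets, not measurements of any real host.
MIXED_HOST: Target = {
    22: ("open", 0.05, 0),
    25: ("closed", 0.05, 0),
    80: ("open", 0.05, 1),       # first probe lost to a congested router
    135: ("filtered", 0.0, 0),
    139: ("filtered", 0.0, 0),
    443: ("open", 0.20, 0),      # slower path than the rest
    445: ("filtered", 0.0, 0),
}
SILENT_HOST: Target = {p: ("filtered", 0.0, 0) for p in (135, 139, 445)}

if __name__ == "__main__":
    for label, target, timing in (
        ("mixed host, defaults", MIXED_HOST, Timing()),
        ("mixed host, no retries", MIXED_HOST, Timing(max_retries=0)),
        ("mixed host, floor too low", MIXED_HOST, Timing(min_rtt_timeout=0.02)),
        ("silent host, defaults", SILENT_HOST, Timing()),
    ):
        verdicts, secs = scan(target, timing)
        print(f"{label}: {secs:.2f}s  {verdicts}")
```

Three things fall out of the model. The three filtered ports on the mixed host cost twelve timeouts between them and dominate the scan even though the six answering probes finish in a fraction of a second. Against the fully silent host the timeout never leaves its initial value, so the same three ports take 72 simulated seconds: there is no information that would make speeding up safe. And dropping retries or lowering the floor does make the scan faster, but at the price of reporting port 80 (one lost probe) or port 443 (a slower path) as filtered, which is the false result the retransmissions and the floor exist to prevent.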
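The changelog entry about the "TCP Ping" illustrates a general point about signature-based detection: a rule keyed on one constant field value (here, an ACK number of 0) is trivially evaded once the tool randomises that field, while a check rooted in protocol state is not. The following is an added example written for this page, not Snort's rule language or Nmap's probe code; the segment layout, the probe constructors and the detectors are constructed for illustration, and the stateful check is deliberately minimal (it only tracks whether a SYN was ever seen for the flow).

```python
"""Detecting an unsolicited TCP ACK: value signature versus stateful check.

Added example, not from Snort or Nmap. The old-style probe (bare ACK, ack=0)
matches an exact-value rule; the random-ACK probe does not, but both are
still ACKs for a connection the sensor never saw open.
"""
import random
from typing import Iterable, List, NamedTuple, Set, Tuple


class Segment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "SA" in this toy: "S", "SA" or "A"
    seq: int
    ack: int


# --- constructed probe shapes, modelled on the changelog entry ---

def old_tcp_ping(src: str, dst: str, dport: int = 80) -> Segment:
    """Bare ACK with acknowledgement number 0 (the shape Snort keyed on)."""
    return Segment(src, 40000, dst, dport, "A", seq=0, ack=0)


def new_tcp_ping(src: str, dst: str, dport: int = 80,
                 rng: random.Random = random.Random()) -> Segment:
    """Bare ACK with a random, non-zero acknowledgement number."""
    return Segment(src, 40000, dst, dport, "A", seq=0, ack=rng.randrange(1, 2 ** 32))


# --- detector 1: exact-value signature ---

def rule_ack_zero(seg: Segment) -> bool:
    """Fires on a bare ACK whose ack number is exactly 0."""
    return seg.flags == "A" and seg.ack == 0


# --- detector 2: ACK for a flow with no observed handshake ---

Flow = Tuple[str, int, str, int]


class StatefulDetector:
    def __init__(self) -> None:
        self.known: Set[Flow] = set()  # flows for which a SYN has been seen

    @staticmethod
    def _key(seg: Segment) -> Flow:
        # Direction-independent flow key so SYN and SYN/ACK map to one flow.
        a = (seg.src, seg.sport, seg.dst, seg.dport)
        b = (seg.dst, seg.dport, seg.src, seg.sport)
        return min(a, b)

    def observe(self, seg: Segment) -> bool:
        """Feed one segment; return True if it is an unsolicited bare ACK."""
        key = self._key(seg)
        if "S" in seg.flags:
            self.known.add(key)
            return False
        return seg.flags == "A" and key not in self.known


def alerts(segments: Iterable[Segment]) -> List[Tuple[str, Segment]]:
    """Run both detectors over a stream; return (detector name, segment) hits."""
    stateful = StatefulDetector()
    hits: List[Tuple[str, Segment]] = []
    for seg in segments:
        if rule_ack_zero(seg):
            hits.append(("ack_zero", seg))
        if stateful.observe(seg):
            hits.append(("unsolicited_ack", seg))
    return hits


# Constructed traffic: a normal handshake, then both probe styles.
SAMPLE: List[Segment] = [
    Segment("10.0.0.3", 5555, "10.0.0.2", 80, "S", 1, 0),
    Segment("10.0.0.2", 80, "10.0.0.3", 5555, "SA", 100, 2),
    Segment("10.0.0.3", 5555, "10.0.0.2", 80, "A", 2, 101),
    old_tcp_ping("10.0.0.1", "10.0.0.2"),
    new_tcp_ping("10.0.0.1", "10.0.0.2", rng=random.Random(7)),
]

if __name__ == "__main__":
    for name, seg in alerts(SAMPLE):
        print(f"{name}: {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} ack={seg.ack}")
```

Run over the sample stream, the value rule fires once (on the old probe only) and the stateful check fires twice (on both probes), while the legitimate third-segment ACK of the handshake triggers neither. A production sensor would also need to age flows out and cope with asymmetric routing, where it sees only one direction of a handshake; both caveats are outside this toy.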