Nmap Development mailing list archives

Re: nmap and a new idea


From: Fyodor <fyodor () insecure org>
Date: Sun, 7 Mar 2004 15:54:00 -0800

On Fri, Feb 13, 2004 at 08:49:11AM -0600, phaseone () sio midco net wrote:

> i have read about using RTO (reset time out) analyses using a tool like RING
> http://www.planb-security.net/wp/ring.html
> this concept is quite unique, in that it only needs 1 PACKET / 1
> PORT to do its job. it simply sends the standard SYN, waits for the
> SYN/ACK and then lets the socket end time out on the target, using
> the RTO value from the stack (specific to each vendor)

This technique was considered when I first added OS detection to Nmap
6 years ago (and you can find Usenet threads suggesting the method
much farther back than that).  While this technique can be valuable in
some circumstances, it will never be added to Nmap for several major
reasons:

1) It usually requires modifying the source host firewall rules so
   that your system doesn't RST the SYN/ACK that it receives.  That is
   very hard to do in a portable way.  And even if it was easy, it can
   annoy users when applications start adding filtering rules.

2) It is very slow.  I don't want to wait several minutes (or even 45
   seconds) to time retransmission delays.

There are numerous other issues, but those two are the main ones.
There are plenty of other techniques that give you just as much
information without these hassles.  I do plan to overhaul the OS
detection system this year, adding many more techniques.  I have been
keeping a list for the last year or two of tests that I would like to
add.  I will also solicit ideas from you guys on the nmap-dev list
(though new ideas are welcome anytime - please send them to the list
for discussion).

> separate and call their "own", but it seems to me, if the nmap
> community would take ideas from everyone and build on others' tools
> and ideas and concepts, nmap

I have no compunctions about taking ideas from other tools, and I will
always endeavor to credit them when I do so.  That is a key benefit of
open source.  Of course Nmap is also GPL and so other tools can (and
do) take ideas and code from it.  Syn scanning, Idle scanning, OS
detection, and version detection (among many others) were all
available in other tools before being implemented in Nmap.  I do like
to think that the Nmap implementations offer many benefits over the
other tools, but it will never be the best for every possible purpose.

Cheers,
Fyodor
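The handshake pattern discussed above, seen from the target's side, as an added illustration that is not part of this thread and not Nmap or RING code: a RING-style probe sends one SYN, receives the SYN/ACK and then stays silent (which is why the probing host must stop its own stack from sending a RST), so the server keeps retransmitting SYN/ACK at its own backoff intervals. The detector below walks a constructed, simplified packet log (timestamps, endpoints and TCP flags; the addresses and the 3/6/12/24-second intervals are made up for the example, not measurements of any real stack) and reports half-open handshakes that were never acknowledged or reset, together with the retransmission intervals the server exposed; the total of those intervals is the kind of wait point 2 above objects to.

```python
# Added example, not from the thread. Input is a constructed packet log:
# (timestamp_sec, "src_ip:port", "dst_ip:port", tcp_flags). 203.0.113.5 is a
# hypothetical probing client and 198.51.100.7 a hypothetical server.
from collections import defaultdict

SAMPLE = [
    (0.00, "203.0.113.5:40001", "198.51.100.7:22", "S"),
    (0.01, "198.51.100.7:22", "203.0.113.5:40001", "SA"),
    (3.01, "198.51.100.7:22", "203.0.113.5:40001", "SA"),   # client silent:
    (9.01, "198.51.100.7:22", "203.0.113.5:40001", "SA"),   # server backs
    (21.01, "198.51.100.7:22", "203.0.113.5:40001", "SA"),  # off and keeps
    (45.01, "198.51.100.7:22", "203.0.113.5:40001", "SA"),  # retransmitting
    # A normal handshake from another host, for contrast.
    (1.00, "192.0.2.9:50000", "198.51.100.7:22", "S"),
    (1.01, "198.51.100.7:22", "192.0.2.9:50000", "SA"),
    (1.02, "192.0.2.9:50000", "198.51.100.7:22", "A"),
]


def find_rto_probes(packets, min_retransmits=2):
    """Return {client_endpoint: [seconds between successive SYN/ACKs]} for
    handshakes where the client never sent ACK or RST after the SYN/ACK and
    the server retransmitted SYN/ACK at least min_retransmits times."""
    synacks = defaultdict(list)   # client endpoint -> SYN/ACK timestamps
    answered = set()              # clients that completed or reset
    for ts, src, dst, flags in sorted(packets):
        if flags == "SA":
            synacks[dst].append(ts)
        elif "A" in flags or "R" in flags:
            answered.add(src)     # ACK (normal) or RST (stack refused it)
    probes = {}
    for client, times in synacks.items():
        if client in answered or len(times) - 1 < min_retransmits:
            continue
        probes[client] = [round(b - a, 2) for a, b in zip(times, times[1:])]
    return probes


def probe_wait_seconds(intervals):
    """Total time the prober had to wait to observe these retransmissions."""
    return round(sum(intervals), 2)


if __name__ == "__main__":
    for client, gaps in find_rto_probes(SAMPLE).items():
        print(client, gaps, "waited", probe_wait_seconds(gaps), "s")
```

On the constructed log this reports only the silent client, with intervals [3.0, 6.0, 12.0, 24.0] and a 45-second wait; the same signature (SYN/ACK retransmitted many times with no reply) is also what a SYN flood leaves behind, so a production detector would want per-source counts and a time window rather than a single flow.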

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
