Nmap Development mailing list archives

Nmap port frequency features added!


From: Fyodor <fyodor () insecure org>
Date: Thu, 4 Sep 2008 19:53:35 -0700

Hi All.  I'm happy to report that I just committed some Nmap features
that I've wanted for years and talked about in depth at my recent
Black Hat Briefings and Defcon presentations in Las Vegas (I hope to
post a video of those talks soon).  After scanning tens of millions of
IPs on the Internet, I've expanded the nmap-services file to include
information on how frequently each port is found to be open.  This
enables Nmap to be much smarter about which ports it scans.

The first change from this is that Nmap now scans the most common
1,000 ports by default in either protocol (UDP scan is still
optional).  This is a decrease from 1,715 TCP ports and 1,488 UDP
ports in Nmap 4.68.  So Nmap is faster by default and, since the port
selection is better, often finds more of the open ports as well.

The fast scan (-F) has also changed.  Nmap -F now scans the top 100
ports by default in either protocol.  This is a decrease from 1,276
(TCP) and 1,017 (UDP) in Nmap 4.68, leading to an order of magnitude
decrease in port scanning time.  I'm particularly excited about the
implications for UDP scans, which many people previously didn't do
because it was slow and hard to disambiguate open from open|filtered
ports.  Now you can do "-sUV -F" to interrogate the top 100 ports and
try to receive a protocol response proving that they are open.  Here
is an example from my Defcon presentation:

nmap -sUV -F -T4 scanme.nmap.org
  => Took 1 hour and 2 minutes with Nmap 4.68

Now that Nmap knows the most common ports, I try again with the svn
version:

nmap -sUV -F -T4 scanme.nmap.org
  => Took 6 minutes, 29 seconds with the port frequency (svn) version

That is a huge improvement, but it becomes even more dramatic when I
add the "--version-intensity 0" flag so that Nmap only tries probes
for protocols known to be found on the target port numbers:

nmap -sUV -F --version-intensity 0 -T4 scanme.nmap.org
  => Took 13 seconds

All three of these commands found the correct open port information.
But by using the latest version of Nmap (with this port frequency
feature) and knowing the ideal options, the scan time was reduced from
an hour to just 13 seconds!  I think the moral is to read the man page
carefully (and the upcoming Nmap book!) to optimize your scan times.

A related change is that the --top-ports option now lets you specify
the number of ports you wish to scan in each protocol, and will pick
the most popular ports for you based on the new frequency data.  For
both TCP and UDP, the top 10 ports get you roughly half of the open
ports.  The top 1,000 (out of 65,536 possible) finds roughly 93% of the
open TCP ports and more than 95% of the open UDP ports.

Please try out the new features and let me know if you have any
problems!  This data was generated from my own scanning, and from some
helpful folks who contributed port frequencies from scanning their
organizations.  Also, David helped a lot in the coding department.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
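The post above describes two things the frequency column in nmap-services now drives: the default and -F port lists, and the --top-ports N selection, together with the coverage figures ("top 10 ports get you roughly half of the open ports"). The script below is an added example, not Nmap's own code, that reproduces that selection logic on a constructed sample in the nmap-services line format (service name, port/proto, open frequency, optional "#" comment). The frequency values in the sample are made up for illustration and are not Nmap's real data; the only assumption about the real file is that format. It is useful on the defensive side for answering "which of our ports does a default or -F scan actually cover?" without running a scan.

```python
"""Rank ports by the open-frequency column of an nmap-services style file.

Added example, not Nmap's own code. It mimics what --top-ports and the new
default port selection do: read the per-port open frequency, pick the N most
frequently open ports per protocol, and report what share of all observed
open ports (by frequency mass) that selection covers.
The frequencies below are CONSTRUCTED sample values, not Nmap's real data.
"""
from collections import defaultdict

# Constructed sample in the nmap-services line format:
#   <service-name> <port>/<proto> <open-frequency> [# comment]
SAMPLE_NMAP_SERVICES = """\
# Fields: name port/proto frequency comment   (constructed sample data)
http        80/tcp    0.484143  # World Wide Web HTTP
telnet      23/tcp    0.221265
https       443/tcp   0.208669
ftp         21/tcp    0.197667
ssh         22/tcp    0.182286
smtp        25/tcp    0.131314
unknown     49152/tcp 0.000010
snmp        161/udp   0.433467  # Simple Net Mgmt Proto
dns         53/udp    0.213496
ntp         123/udp   0.330879
netbios-ns  137/udp   0.365163
unknown     40000/udp 0.000007
"""


def parse_services(text):
    """Return {proto: {port: frequency}} from nmap-services style text.

    Blank lines and comment lines are skipped and a trailing '#' comment is
    ignored. Malformed lines raise ValueError so a damaged data file is
    noticed instead of silently shrinking the port list.
    """
    table = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'name port/proto freq'")
        portproto, freq = fields[1], fields[2]
        port_s, proto = portproto.split("/", 1)
        port = int(port_s)
        if not 0 <= port <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        table[proto][port] = float(freq)
    return dict(table)


def top_ports(table, proto, n):
    """The n ports of `proto` with the highest open frequency, best first.

    Ties are broken by the lower port number so the result is deterministic.
    """
    ports = table.get(proto, {})
    ranked = sorted(ports, key=lambda p: (-ports[p], p))
    return ranked[:n]


def coverage(table, proto, n):
    """Fraction of all observed open ports that scanning the top n would hit.

    This is the quantity behind statements like "the top 1,000 finds roughly
    93% of the open TCP ports": frequency mass of the chosen ports divided
    by the frequency mass of every port in the file.
    """
    ports = table.get(proto, {})
    total = sum(ports.values())
    if total == 0:
        return 0.0
    chosen = top_ports(table, proto, n)
    return sum(ports[p] for p in chosen) / total


def port_spec(ports):
    """Render a port list as an Nmap -p argument, e.g. '22,80,443'."""
    return ",".join(str(p) for p in sorted(ports))


if __name__ == "__main__":
    table = parse_services(SAMPLE_NMAP_SERVICES)
    for proto in ("tcp", "udp"):
        best = top_ports(table, proto, 3)
        print(f"{proto}: top 3 = {best}  (-p {port_spec(best)}), "
              f"coverage = {coverage(table, proto, 3):.1%}")
```

Pointing `parse_services` at the real nmap-services file (read as text) instead of the constructed sample gives the actual top-N list for any N, and `port_spec` turns it into a -p argument, which is handy for checking which of a host's listening ports fall outside the default 1,000 or the -F 100.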