Re: NSE without ping or port scanning: interface ideas

[Tom Sellers <nmap () fadedcode net>]

On Jul 10, 2009, at 2:40 PM, David Fifield <david () bamsoftware com>  
wrote:

> nmap -sC -sP -PN
> This is what I used in my tests. A problem is the seemingly
> contradictory options -sP -PN. You have to think of -sP not as "ping
> scan" but as "don't port scan."
>
> nmap -sC -sL
> This one is nice because -sL already means "no ping or port scan."
> However it means that -sL is no longer a guaranteed "safe" scan that
> doesn't contact the targets.
>
> nmap -sC -PN -s0
> -s0 is a made-up option that means "don't port scan," analogous to - 
> PN.
> -sN would be a better match but that is already NULL scan.
>
> None of these choices is compelling so I'm open to other ideas.

I would favor a single option that would trigger this mode instead of  
combining options.  During security tests, troubleshooting and  
development it would be useful in the future to be able to invoke nmap  
in "engine" or "script only" mode.   This would put nmap a step closer  
to being even more useful as a vulnerability assessment engine.

My suggestions would be along the lines of:

-c, --core
-e, --engine
-u, --utility


> Another idea I'd like to solicit comments on is to allow -p to be used
> with -sP -sC. The port list would be a list of ports that are  
> assumed to
> be open on each host, without doing a port scan. This would allow
> running port scripts, not just host scripts, with -sP. Assuming the
> ports to be open would work much the same way as -PN assumes hosts  
> to be up.

Sound perfect.

Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org