Idea: Use results from host discovery phase in port scan phase

[Daniel Miller <bonsaiviking () gmail com>]

Hi list,

The default host discovery option is equivalent to -PE -PS443 -PA80
-PP. If we run this hypothetical scan:

nmap -p 443 encrypted.google.com

there is a duplication of effort, as evidenced by this tcpdump output:

12:28:23.536532 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S],
seq 3892202539, win 1024, options [mss 1460], length 0
12:28:23.707793 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags
[S.], seq 3887723085, ack 3892202540, win 5720, options [mss 1430],
length 0
12:28:23.707853 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R],
seq 3892202540, win 0, length 0
12:28:23.891905 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S],
seq 2244006275, win 2048, options [mss 1460], length 0
12:28:24.071209 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags
[S.], seq 3893282166, ack 2244006276, win 5720, options [mss 1430],
length 0
12:28:24.071251 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R],
seq 2244006276, win 0, length 0

Interestingly, this command:

nmap -PE -p 443 encrypted.google.com

also shows the host as up, but only generates one SYN-SYN/ACK-RST
handshake, indicating that the man page is incorrect in its ordering
of the probes. But my main point is: can we use the fact that the host
discovery phase found port 443 open to skip scanning it again in the
port scanning phase? I realize not much is gained, but in terms of IDS
evasion, it might be just enough to make some difference, especially
if the number of scanned ports is relatively low (e.g. 1 or 2).

If something is made of this, then other scan types could benefit as
well. Results from -PA feed -sA, -PE and -PP feed -sO, etc. Just a
suggestion.

Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/