Nmap Development mailing list archives
Idea: Use results from host discovery phase in port scan phase
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 4 Mar 2011 12:37:20 -0600
Hi list,

The default host discovery option is equivalent to -PE -PS443 -PA80 -PP. If we run this hypothetical scan:

    nmap -p 443 encrypted.google.com

there is a duplication of effort, as evidenced by this tcpdump output:

    12:28:23.536532 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S], seq 3892202539, win 1024, options [mss 1460], length 0
    12:28:23.707793 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags [S.], seq 3887723085, ack 3892202540, win 5720, options [mss 1430], length 0
    12:28:23.707853 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R], seq 3892202540, win 0, length 0
    12:28:23.891905 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S], seq 2244006275, win 2048, options [mss 1460], length 0
    12:28:24.071209 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags [S.], seq 3893282166, ack 2244006276, win 5720, options [mss 1430], length 0
    12:28:24.071251 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R], seq 2244006276, win 0, length 0

Interestingly, this command:

    nmap -PE -p 443 encrypted.google.com

also shows the host as up, but only generates one SYN-SYN/ACK-RST handshake, indicating that the man page is incorrect in its ordering of the probes.

But my main point is: can we use the fact that the host discovery phase found port 443 open to skip scanning it again in the port scanning phase? I realize not much is gained, but in terms of IDS evasion, it might be just enough to make some difference, especially if the number of scanned ports is relatively low (e.g. 1 or 2).

If something is made of this, then other scan types could benefit as well. Results from -PA feed -sA, -PE and -PP feed -sO, etc.

Just a suggestion.

Dan

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
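The post's observation is that the duplicated probe shows up on the wire as two SYN / SYN-ACK / RST sequences against the same port from the same scanner. The following added example (not Nmap code and not part of the original message) parses tcpdump text of the kind quoted above, reconstructs each half-open handshake, and counts how many times the same client completed one against the same server port, which is the signal a monitoring tool would key on. It uses the six tcpdump lines from the post as its sample input; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# The tcpdump output quoted in the post above, one packet per line.
CAPTURE = """\
12:28:23.536532 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S], seq 3892202539, win 1024, options [mss 1460], length 0
12:28:23.707793 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags [S.], seq 3887723085, ack 3892202540, win 5720, options [mss 1430], length 0
12:28:23.707853 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R], seq 3892202540, win 0, length 0
12:28:23.891905 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [S], seq 2244006275, win 2048, options [mss 1460], length 0
12:28:24.071209 IP 74.125.227.36.443 > 192.168.1.142.48137: Flags [S.], seq 3893282166, ack 2244006276, win 5720, options [mss 1430], length 0
12:28:24.071251 IP 192.168.1.142.48137 > 74.125.227.36.443: Flags [R], seq 2244006276, win 0, length 0
"""

# Matches the "tcpdump -n" one-line TCP format: timestamp, IP a.b.c.d.port > a.b.c.d.port: Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packets(text):
    """Yield (ts, src, sport, dst, dport, flags) for each line that parses; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["ts"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), m["flags"])


def count_handshakes(text):
    """Count SYN -> SYN/ACK -> RST sequences per (client_ip, server_ip, server_port).

    A pure SYN opens a flow keyed by the client's 4-tuple; a SYN/ACK in the
    reverse direction marks the port as open; an RST from the client then
    completes one half-open handshake and the flow is cleared so a later SYN
    on the same 4-tuple is counted separately.
    """
    state = {}                      # (client, cport, server, sport) -> 'S' or 'SA'
    counts = defaultdict(int)
    for _ts, src, sport, dst, dport, flags in parse_packets(text):
        fwd = (src, sport, dst, dport)      # as seen from a client-to-server packet
        rev = (dst, dport, src, sport)      # as seen from a server-to-client packet
        if flags == "S":
            state[fwd] = "S"
        elif flags == "S." and state.get(rev) == "S":
            state[rev] = "SA"
        elif "R" in flags and state.get(fwd) == "SA":
            client, _cport, server, port = fwd
            counts[(client, server, port)] += 1
            del state[fwd]
    return dict(counts)


def repeated_handshakes(text, threshold=2):
    """Return the (client, server, port, n) entries with at least `threshold` handshakes."""
    return sorted((k + (n,)) for k, n in count_handshakes(text).items() if n >= threshold)


if __name__ == "__main__":
    for client, server, port, n in repeated_handshakes(CAPTURE):
        print(f"{client} completed {n} SYN/SYN-ACK/RST handshakes against {server}:{port}")
```

Run against the post's capture, the script reports two handshakes from 192.168.1.142 to 74.125.227.36:443, one from the -PS443 discovery probe and one from the -p 443 scan; with -PE instead of the default discovery set, the same logic would report one.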
Current thread:
- Idea: Use results from host discovery phase in port scan phase Daniel Miller (Mar 04)
- Re: Idea: Use results from host discovery phase in port scan phase David Fifield (Mar 14)
- Re: Idea: Use results from host discovery phase in port scan phase Daniel Miller (Mar 14)
- Re: Idea: Use results from host discovery phase in port scan phase Fyodor (Mar 15)
- Re: Idea: Use results from host discovery phase in port scan phase David Fifield (Mar 14)