Nmap Development mailing list archives
Re: Question on --version-intensity and -sR interaction
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 12 Mar 2011 14:45:25 -0600
On Sat, Mar 12, 2011 at 12:53 PM, David Fifield <david () bamsoftware com> wrote:
> On Fri, Mar 04, 2011 at 05:51:11PM -0800, Fyodor wrote:
> > On Fri, Mar 04, 2011 at 06:12:40PM -0600, Daniel Miller wrote:
> > > which seems to contradict what you said about only if they are
> > > detected as "rpcbind."
> >
> > Well, the "only if detected as rpcbind" behavior is only true if
> > version detection is requested. With just -sR, Nmap does as the man
> > page suggests and sends a bunch of probes to every port. My feeling
> > is that we should probably remove the -sR option, but keep RPC
> > grinding as a part of version detection. Even the Nmap man page
> > acknowledges that "As version detection includes this and is much
> > more comprehensive, -sR is rarely needed". Even if all you need is
> > RPC grinding, -sV is generally more efficient since it does the "is
> > this service even RPC?" check first.
>
> There were some bugs such that -sV didn't automatically specify all of
> what -sR specified. Some examples from scanning NFS:
>
> # nmap -sU 192.168.0.2 -p nfs -sV
> PORT     STATE SERVICE VERSION
> 2049/udp open  nfs     2-4 (rpc #100003)
>
> # nmap -sU 192.168.0.2 -p nfs -sR
> PORT     STATE SERVICE        VERSION
> 2049/udp open  nfs (nfs V2-4) 2-4 (rpc #100003)
>
> # nmap -sU 192.168.0.2 -p nfs -sVR
> PORT     STATE SERVICE        VERSION
> 2049/udp open  nfs (nfs V2-4) 2-4 (rpc #100003)
>
> Also XML output differed:
>
> # nmap -sU 192.168.0.2 -p nfs -sV -oX -
> <service name="nfs" version="2-4" extrainfo="rpc #100003" method="probed" conf="10"/>
>
> # nmap -sU 192.168.0.2 -p nfs -sR -oX -
> <service name="nfs" version="2-4" extrainfo="rpc #100003" method="probed" conf="10" rpcnum="100003" lowver="2" highver="4" proto="rpc"/>
>
> # nmap -sU 192.168.0.2 -p nfs -sVR -oX -
> <service name="nfs" version="2-4" extrainfo="rpc #100003" method="probed" conf="10" rpcnum="100003" lowver="2" highver="4" proto="rpc"/>
>
> > Does anyone here use -sR without version detection (-sV or -A)?
> > Removing command-line arguments is less popular than adding them,
> > but it's something we need to do to keep Nmap (and its
> > documentation) from getting too bloated and confusing.
> >
> > So unless we hear from folks here who really like having -sR by
> > itself, I think we'll undocument it. For compatibility, we'll
> > probably make it an alias for -sV and print a warning that it is
> > deprecated.
>
> I removed -sR as a separate option and made it an alias for -sV. This
> warning gets printed when you use -sR:
>
> WARNING: -sR is now an alias for -sV and activates version detection as well as RPC scan.
>
> The output of -sV is now the same as -sVR used to be.
>
> # nmap -sU 192.168.0.2 -p nfs -sV
> PORT     STATE SERVICE        VERSION
> 2049/udp open  nfs (nfs V2-4) 2-4 (rpc #100003)
>
> # nmap -sU 192.168.0.2 -p nfs -sV -oX -
> <service name="nfs" version="2-4" extrainfo="rpc #100003" method="probed" conf="10" rpcnum="100003" lowver="2" highver="4" proto="rpc"/>
>
> David Fifield

Thanks for the clarification! One last question, if I may: In your
three examples, did the actual network behavior change at all? That is,
was the only difference in the output, or was there a difference in the
packets that were sent, especially between -sV and -sVR?

Thanks,
Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
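For anyone consuming Nmap XML from scans made both before and after the change discussed in this thread, here is an added example (not code from the thread's participants or from the Nmap project) that reads RPC data from either form of the `<service>` element quoted above. The function names and the fallback parsing of `extrainfo` and `version` are assumptions based only on the shape of the quoted output.

```python
import re
import xml.etree.ElementTree as ET

# <service> elements copied from the outputs quoted in the thread.
OLD_SV = ('<service name="nfs" version="2-4" extrainfo="rpc #100003" '
          'method="probed" conf="10"/>')
WITH_RPC = ('<service name="nfs" version="2-4" extrainfo="rpc #100003" '
            'method="probed" conf="10" rpcnum="100003" lowver="2" '
            'highver="4" proto="rpc"/>')


def attr_diff(a_xml, b_xml):
    """Return the attribute names present in b but missing from a."""
    a = ET.fromstring(a_xml).attrib
    b = ET.fromstring(b_xml).attrib
    return sorted(set(b) - set(a))


def rpc_info(service_xml):
    """Return RPC program number and version range, or None if not RPC.

    Prefers the explicit rpcnum/lowver/highver attributes. When they are
    absent (the old -sV form), falls back to parsing extrainfo and version;
    that fallback is an assumption, not documented Nmap behavior.
    """
    svc = ET.fromstring(service_xml).attrib
    if "rpcnum" in svc:
        return {"rpcnum": int(svc["rpcnum"]),
                "lowver": int(svc["lowver"]),
                "highver": int(svc["highver"]),
                "source": "attributes"}
    m_num = re.fullmatch(r"rpc #(\d+)", svc.get("extrainfo", ""))
    m_ver = re.fullmatch(r"(\d+)(?:-(\d+))?", svc.get("version", ""))
    if not (m_num and m_ver):
        return None
    low = int(m_ver.group(1))
    high = int(m_ver.group(2) or low)  # single version: low == high
    return {"rpcnum": int(m_num.group(1)), "lowver": low,
            "highver": high, "source": "fallback"}


if __name__ == "__main__":
    print("attributes missing from old -sV output:", attr_diff(OLD_SV, WITH_RPC))
    print(rpc_info(OLD_SV))
    print(rpc_info(WITH_RPC))
```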