Louis

Reputation: 1432

nmap script to loop over source ports

I'm trying to scan a network by rotating the source port and targeting one single destination port, as per:

# $start/$end bound the source-port range; $dest_port and $dest_ip are set beforehand.
# -P0 is the old spelling of -Pn (skip host discovery); one nmap process per iteration.
for source_port in $(seq "$start" "$end")
do
    nmap -sS -p "$dest_port" --source-port "$source_port" -P0 "$dest_ip"
done

The problem is that I'm launching an nmap process every time.

nmap seems designed to rotate destination ports easily on the command line, but for the source port I cannot find a way to specify a range, even by using an nmap script (I don't know how to access the source-port variable in the script).

Does anyone have an idea?

Thanks

Upvotes: 0

Views: 2391

Answers (1)

bonsaiviking

Reputation: 5995

For this task, you may want to use a packet-crafting framework like scapy or PacketFu, since these will let you specify exactly what type of packets to send without requiring a new process to be launched each time.

You could also use a packet-crafting tool like Nping, hping3, or nemesis, but these will also require launching a new process for each probe (as far as I know).

You could do something similar in an Nmap script by using socket:bind to choose a source port for each connect, but you'd have to do a lot of tweaking to get anywhere near the performance of a full Nmap port scan. First, you'd have to parallelize it to send more than one packet at a time, but then you might overload the target or the network and run into congestion problems. Still, it might be worth a shot with a small number (20 or so) of worker threads to speed things up.

To speed up your current method, use -n to skip reverse name resolution. You can parallelize it by starting some of your nmap processes in the background or by using GNU Parallel. You could try to reduce the number of retries with --max-retries, since the default maximum is 10, but a quick test here shows that with -Pn and a single port, Nmap only tries 2 times to reach the port. If you want to get really fancy, you can use --initial-rtt-timeout and --max-rtt-timeout since Nmap is deliberately conservative when it starts, assuming that it will send many packets and get a better idea of network conditions. Scanning one port on one host without host discovery means that it doesn't get a chance to tune itself. If you run ping -c 10 against your target, you can use its last line of output to set these values. For example, if I see:

$ ping -c 10 scanme.nmap.com
PING scanme.nmap.com (74.207.244.221) 56(84) bytes of data.
64 bytes from scanme.nmap.org (74.207.244.221): icmp_req=1 ttl=56 time=75.0 ms
64 bytes from scanme.nmap.org (74.207.244.221): icmp_req=2 ttl=56 time=75.5 ms
64 bytes from scanme.nmap.org (74.207.244.221): icmp_req=3 ttl=56 time=73.9 ms
64 bytes from scanme.nmap.org (74.207.244.221): icmp_req=4 ttl=56 time=75.4 ms
64 bytes from scanme.nmap.org (74.207.244.221): icmp_req=5 ttl=56 time=74.7 ms
64 bytes from scanme.nmap.org (74.207.244.221): icmp_req=6 ttl=56 time=78.9 ms
64 bytes from scanme.nmap.org (74.207.244.221): icmp_req=7 ttl=56 time=73.6 ms
64 bytes from scanme.nmap.org (74.207.244.221): icmp_req=8 ttl=56 time=79.4 ms
64 bytes from scanme.nmap.org (74.207.244.221): icmp_req=9 ttl=56 time=74.8 ms
64 bytes from scanme.nmap.org (74.207.244.221): icmp_req=10 ttl=56 time=75.1 ms

--- scanme.nmap.com ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9012ms
rtt min/avg/max/mdev = 73.646/75.691/79.459/1.857 ms

then I can set --initial-rtt-timeout to avg + 4 * mdev = 83ms to give myself a nice wide margin of 4 standard deviations around the average round trip time. Nmap's default is to wait 1000ms (1 second), so this is quite a big speedup. Set the --max-rtt-timeout to 10 times the initial value just in case.

Upvotes: 1
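The timing arithmetic at the end of the answer (initial timeout = avg + 4 * mdev, max timeout = 10 * initial) is easy to get wrong by hand, so here is an added example, not part of the answer above, that reads ping's output and prints the two Nmap flags. It assumes only the standard ping summary line formats (iputils "rtt min/avg/max/mdev" and the BSD/macOS "round-trip min/avg/max/stddev" variant); the ping statistics embedded below are constructed from the answer's own sample so the script runs offline without sending a packet, and it also shows the failure case the answer does not mention: with 100% loss ping prints no rtt line, and the function then returns non-zero so a caller keeps Nmap's defaults instead of passing empty flags.

```sh
#!/bin/sh
# Added example (not from the original post): derive the Nmap timing flags
# the answer describes from `ping -c N` output read on stdin.
#   initial = avg + 4 * mdev   (rounded to whole milliseconds)
#   max     = 10 * initial
# Prints nothing and returns 1 if no rtt summary line is present.
rtt_timeouts() {
    awk '
        /min\/avg\/max/ {
            split($0, halves, "=")      # halves[2] = " 73.646/75.691/79.459/1.857 ms"
            split(halves[2], v, "/")    # v[2] = avg, v[4] = "1.857 ms" (awk takes the numeric prefix)
            avg  = v[2] + 0
            mdev = v[4] + 0
            initial = int(avg + 4 * mdev + 0.5)   # four standard deviations above the mean
            max = 10 * initial                      # the 10x ceiling suggested in the answer
            printf "--initial-rtt-timeout %dms --max-rtt-timeout %dms\n", initial, max
            found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed sample: the statistics block from the answer above.
SAMPLE_PING='--- scanme.nmap.com ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9012ms
rtt min/avg/max/mdev = 73.646/75.691/79.459/1.857 ms'

# Constructed sample with total loss: ping prints no rtt summary at all.
SAMPLE_LOSS='--- 192.0.2.1 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9201ms'

# Intended use against a live host (not run here):
#   flags=$(ping -c 10 "$dest_ip" | rtt_timeouts) && nmap -n -Pn -sS -p "$dest_port" $flags "$dest_ip"
printf '%s\n' "$SAMPLE_PING" | rtt_timeouts
printf '%s\n' "$SAMPLE_LOSS" | rtt_timeouts || echo "no rtt summary; keeping Nmap defaults"
```

For the answer's sample this prints `--initial-rtt-timeout 83ms --max-rtt-timeout 830ms`, matching the 83 ms worked out in the answer. Using `$flags` unquoted in the nmap line is deliberate so the two flags split into separate arguments; the `&&` guarantees nmap is only run when a summary line was actually parsed.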
