2

I am looking at scanning with nmap a large network in order to

  • identify the OS of devices (-O--osscan-limit)
  • probe for details of a service on a single port (I would have used -sV for all open ports)

The problem is that -sV will probe all the ports (which I do not want to do for performance reasons) and I cannot use -p to limit the ports to the one I am interested in as this impacts the OS fingerprinting. I could not find anything in the manual to limit the service probing.

Thank you for any ideas (including other approaches outside of nmap, though I would prefer to stick to nmap)

WoJ
  • 3,607
  • 9
  • 49
  • 79

1 Answers1

2

You can exclude ports from the service version scan phase by editing the Exclude directive in the nmap-service-probes file. This tells Nmap to avoid sending version probes to a list of ports. By default, TCP 9100-9107 are excluded to avoid printing rubbish characters on PJL-capable printers. To enable only one port (e.g. 80/tcp), use something like this:

Exclude T:0-79,81-65535,U:0-65535

The nmap-service-probes file is found in Nmap's data directory, which is also where it stores NSE scripts and libraries.

bonsaiviking
  • 4,420
  • 17
  • 26
  • Thanks - this is exactly what I was looking for (though nmap would have been better off using a command line switch instaed of the config file as this requires, in practical terms, a separate nmap install for the specific scan) – WoJ Dec 09 '12 at 09:01
  • @WoJ you can make Nmap use a different set of data files with the `--datadir` argument, or the `$NMAPDIR` environment variable, or by overriding any of them with a copy in `$HOME/.nmap` – bonsaiviking Dec 10 '12 at 01:22