
I'm trying to determine if it's possible to specify probe types for nmap to use. For example, I want to scan a subnet (say 192.168.0.0/24) and probe every port on every host to see if a web server is running on that port - the goal being to find a service running on unusual ports.

I understand that by default nmap checks the most common probe/port combinations. I also understand that the -sV --version-all option will attempt all probes on all specified ports. However, this is very time consuming, and if I only care about finding webservers running on unusual ports, I don't need to use all available probes. There's got to be a faster way.

Also, I'm relatively new to the StackExchange community; if this question would be better placed in a different community/network, let me know.

3 Answers


You can reduce the number of probes sent by using the --version-intensity option and selecting a lower intensity number. In the nmap-service-probes file, each probe has a rarity value, and if the rarity is higher than the intensity, the probe will not be sent (unless it's a particularly important probe for that port number, as indicated by the ports line). The vast majority of HTTP responses are found under the GetRequest and GenericLines probes, which have a rarity of 1. So the simple answer to your question is that this command will find most web servers with a minimum of probes sent:

nmap --version-intensity 1 -sV

You can also use --version-light as a shorthand for --version-intensity 3, which only adds a few extra probes.

Since you're only interested in HTTP servers, which do not have a banner, you can also reduce the amount of time spent waiting for a banner to the NULL probe by editing the nmap-service-probes file and changing the totalwaitms value to something smaller. Once you start making changes to nmap-service-probes, you may decide to take other actions like changing the rarity of all other probes to 9, but be sure you change it back if you expect to use this file for any normal scanning. If you decide to make a custom nmap-service-probes file, you can use the --versiondb option to point to it instead of overwriting the one that ships with Nmap.

bonsaiviking
  • How do you edit the rarity of probes in `nmap-service-probes`? – LTPCGO Sep 17 '19 at 03:00
  • @LTPCGO Below the relevant `Probe` line, find the line like `rarity 3` and change `3` or whatever number is there to a higher number. – bonsaiviking Sep 17 '19 at 18:03
  • I have never noticed that bit! Editing the file is certainly the best way to achieve what OP wants, by editing that line, port numbers, and including valid regex for responses indicating a web-server. – LTPCGO Sep 17 '19 at 19:38
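One way to make the file edits this answer and its comments describe, as an added example that is not code from the Nmap project: a small Python helper that rewrites a copy of nmap-service-probes, leaving the rarity of GetRequest and GenericLines alone, demoting every other probe to rarity 9 and shortening the NULL probe's totalwaitms, so the result can be handed to --versiondb. The 2000 ms wait, the probe set in KEEP and the SAMPLE fragment are assumptions/constructed input, not the shipped file.

```python
import re

# Added example, not Nmap project code: rewrite nmap-service-probes so only the
# probes in KEEP keep their rarity, others get rarity 9, NULL waits less.
KEEP = {"GetRequest", "GenericLines"}
PROBE_RE = re.compile(r"^Probe\s+(?:TCP|UDP)\s+(\S+)\s")

def probe_rarities(text):
    """Map each probe name to its rarity (None when the file states none)."""
    rar, current = {}, None
    for line in text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            current, rar[m.group(1)] = m.group(1), None
        elif current and line.startswith("rarity "):
            rar[current] = int(line.split()[1])
    return rar

def retarget_probes(text, keep=KEEP, null_wait_ms=2000, demote_to=9):
    """Return the rewritten file text. NULL is always sent by nmap, so it keeps
    no rarity; a probe is still sent on the ports of its own 'ports' line."""
    stated = probe_rarities(text)           # which probes already state a rarity
    out, current = [], None
    for line in text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            current = m.group(1)
            out.append(line)
            if current != "NULL" and current not in keep and stated[current] is None:
                out.append(f"rarity {demote_to}")   # file gave none: add one
            continue
        if current and line.startswith("rarity "):
            if current != "NULL" and current not in keep:
                line = f"rarity {demote_to}"
        elif current == "NULL" and line.startswith("totalwaitms "):
            line = f"totalwaitms {null_wait_ms}"
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed fragment in nmap-service-probes syntax, not the shipped file.
SAMPLE = r"""Probe TCP NULL q||
totalwaitms 6000
match ftp m|^220 FTP server ready| p/Example ftpd/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,443,8080
Probe TCP X11Probe q|l\0\x0b\0\0\0\0\0\0\0\0\0|
rarity 7
ports 6000-6010
Probe TCP NoRarity q|hello|
ports 1234
"""
```

Run it on a copy of the real file with `retarget_probes(open(path).read())`, write the result somewhere else, and pass that path with --versiondb so the shipped file stays untouched.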

There is no way to specify exactly the probes on the command line, but you could delete those found in nmap-service-probes except for those you specifically require. Alternatively, you could compile your own from the source, editing nmap/service_scan.cc to only process nextProbes where probe->getName() matches a regex similar to http.*

LTPCGO

Of course nmap can do this - simply read the man page or info page to find out what arguments/switches/options to use.

And yes, this would be better off on superuser...

That said, if you use zenmap - a GUI front end for nmap - it lets you make those choices using a GUI, and then shows you the actual command line you would run for plain nmap.


ivanivan
  • The reason I made this post is because I've spent a considerable amount of time reading about nmap's many options and nothing I've read indicates that this is possible. You can specify which ports to scan with -p, but I want to scan for specific services using specific probes. -sV --version-all scans for *all* services using *all* probes, but I want to scan only for a specific service using a specific probe in order to save time. Yes, I'm familiar with Zenmap, but I don't know if it's possible to specify services/probes with Zenmap either. – SuperStudent Sep 13 '19 at 05:40
  • This answer is quite aggressive and doesn't actually answer the question; OP clearly did research. – LTPCGO Sep 17 '19 at 02:58