Tuesday, July 21, 2009

New Nmap Ping Sweep Defaults


(mirrored from carnal0wnage.attackresearch.com)

as a note to self (and anyone who reads the blog)

http://nmap.org/5/#changes

"The host discovery (ping probe) defaults have been enhanced to include twice as many probes. The default is now "-PE -PS443 -PA80 -PP". In exhaustive testing of 90 different probes, this emerged as the best four-probe combination, finding 14% more Internet hosts than the previous default, "-PE -PA80". The default for non-root users is -PS80,443, replacing the previous default of -PS80. In addition, ping probes are now sent in order of effectiveness (-PE first) so that less effective probes may not have to be sent. ARP ping is still the default on local ethernet networks."

The non-sudo/root versions of the -sP should be noted, it could be enough traffic/ports per second to have some firewalls throw a SYN flood alert if you were to scan several hosts (like a Class C).

wireshark captures:




CG