Implement raw socket support for Version-, script-, and OS-Scanning #1512
By design, nmap uses raw sockets mainly during the SYN-scan phase, which allows the user to modify various parameters like source IP, source port, TTL, etc.
However, for version detection, script scanning and OS detection nmap uses the usual connect() method, which means that many parameters like
It would be great to have raw socket support for some other scan types. Probably it makes most sense for UDP scans, due to its stateless nature.
The use case for which this would be helpful could be the following:
To get a valid response, you would need to invoke nmap like this:
However, because -sV uses connect(), the source port can't be set to 53 for service probes, and the service could never be identified.
What do you think? Would such a modification make sense, or would this require way too much effort?
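The use case from the issue above, as an added example that is not part of the issue or of Nmap's code: a UDP service that only answers queries arriving from source port 53. One UDP socket bound to a fixed source port can probe several targets at once, because replies are still separable by the remote (address, port) and the DNS transaction id. The "filtered resolver" is a constructed stand-in that drops queries from any other source port, and the demo uses an unprivileged port in place of 53 so it runs without root; both of those are assumptions of the example.

```python
import socket
import struct
import threading

# Added example for the use case in the issue: a UDP service that only answers
# queries whose *source* port is 53. One UDP socket bound to a fixed source port
# can probe many targets at once, because replies are still separable by the
# remote (address, port) and the DNS transaction id. The fake server below is a
# constructed stand-in for a filtered resolver; nothing here is Nmap's code.

def build_dns_query(txid: int, name: str = "version.bind") -> bytes:
    """Minimal DNS query for version.bind TXT in class CHAOS, the classic banner probe."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 3)  # QTYPE TXT, QCLASS CH

def dns_txid(packet: bytes) -> int:
    return struct.unpack("!H", packet[:2])[0]

def probe_from_source_port(targets, source_port, timeout=1.0):
    """Send one query per (host, port) target from a single socket bound to
    source_port and return {target: reply} for every target that answered.
    Binding to 53 itself needs root; the demo and test use an unprivileged port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", source_port))
    sock.settimeout(timeout)
    outstanding = {}
    try:
        for i, target in enumerate(targets):
            txid = 0x1000 + i
            outstanding[(target, txid)] = target
            sock.sendto(build_dns_query(txid), target)
        replies = {}
        while outstanding:
            try:
                data, addr = sock.recvfrom(4096)
            except socket.timeout:
                break
            key = (addr, dns_txid(data))  # demultiplex on remote endpoint + txid
            if key in outstanding and data[2] & 0x80:  # QR bit set: it is a response
                replies[outstanding.pop(key)] = data
        return replies
    finally:
        sock.close()

def start_filtered_dns(allowed_source_port):
    """Constructed stand-in for a resolver behind a 'source port 53 only' filter.
    Echoes each query back as a response, but silently drops queries from any
    other source port. Returns the (host, port) to probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(3.0)
    address = srv.getsockname()

    def serve():
        try:
            while True:
                data, addr = srv.recvfrom(4096)
                if addr[1] != allowed_source_port:
                    continue  # what the firewall rule would do: drop, no reply
                response = data[:2] + struct.pack("!H", 0x8180) + data[4:]  # QR=1, RD, RA
                srv.sendto(response, addr)
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return address

if __name__ == "__main__":
    fixed_port = 40053  # unprivileged stand-in for 53 so the demo runs without root
    targets = [start_filtered_dns(fixed_port) for _ in range(2)]
    print("from the fixed port:", sorted(probe_from_source_port(targets, fixed_port)))
    print("from another port:", probe_from_source_port(targets, fixed_port + 1, timeout=0.5))
```

Run as root with `fixed_port = 53` to reproduce the real case; the socket is bound once and reused for every target, so the kernel never picks an ephemeral source port the way connect() would.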
Thanks for the suggestion. This is a very tricky thing to do, though, because the source port is an important part of TCP and UDP that is used to identify which conversation the packet belongs to. Nmap is able to set the source port for certain operations because it does not intend to carry out an extended conversation with the target. It uses the parts of the packet that are intended for that (TCP initial sequence number, etc.) to identify which probe the response was sent to for timing purposes, so they can't be used for their intended purpose. Essentially, there's not enough state left in the packet to keep conversations separate if we force the source port to be the same.
Port scanning and OS detection do use the source port set with
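The matching problem described in the reply above, as an added illustration that is not Nmap's code: once every probe leaves from the same source port, two probes to the same host and port share one 4-tuple, so a raw-socket scanner has to carry the probe's identity in the TCP initial sequence number and read it back from the SYN/ACK's acknowledgement number (ISN + 1). The id/nonce encoding below is hypothetical, chosen only to make the round trip visible; the headers are constructed in memory and never sent.

```python
import struct

# Added illustration of the reply's point: with the source port pinned, the
# 4-tuple no longer identifies a probe, so the identity has to ride in a field
# that a real connection would need for itself. Encoding is hypothetical, not Nmap's.

SYN, ACK = 0x02, 0x10

def encode_isn(probe_id: int, scan_nonce: int) -> int:
    """Pack a 16-bit probe id and a 16-bit per-scan nonce into the 32-bit ISN."""
    return ((probe_id & 0xFFFF) << 16) | (scan_nonce & 0xFFFF)

def decode_ack(ack: int, scan_nonce: int):
    """A SYN/ACK acknowledges ISN + 1; recover the probe id, or None for a stale or forged reply."""
    isn = (ack - 1) & 0xFFFFFFFF
    if (isn & 0xFFFF) != (scan_nonce & 0xFFFF):
        return None
    return isn >> 16

def tcp_header(src_port, dst_port, seq, ack, flags) -> bytes:
    """20-byte TCP header, no options, checksum left zero (constructed, never sent)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | flags, 65535, 0, 0)

def parse_tcp(raw: bytes) -> dict:
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF}

def four_tuple(src_ip, src_port, dst_ip, dst_port):
    """The state a connect()-style stack keys conversations on."""
    return (src_ip, src_port, dst_ip, dst_port)

def demux_syn_acks(probes, replies, scan_nonce, source_port):
    """probes: {probe_id: (dst_ip, dst_port)}; replies: [(src_ip, raw_tcp_header)].
    Returns {probe_id: (dst_ip, dst_port)} for every SYN/ACK that decodes to an
    outstanding probe and comes back from the endpoint that probe was sent to."""
    matched = {}
    for src_ip, raw in replies:
        h = parse_tcp(raw)
        if h["dst_port"] != source_port or (h["flags"] & (SYN | ACK)) != (SYN | ACK):
            continue
        pid = decode_ack(h["ack"], scan_nonce)
        if pid is None or pid not in probes:
            continue
        dst_ip, dst_port = probes[pid]
        if (src_ip, h["src_port"]) != (dst_ip, dst_port):
            continue  # identity matched but the sender does not: discard
        matched[pid] = probes[pid]
    return matched

if __name__ == "__main__":
    nonce, sport = 0xBEEF, 53
    # Probes 0 and 1 go to the same endpoint: identical 4-tuples, only the ISN differs.
    probes = {0: ("10.0.0.1", 80), 1: ("10.0.0.1", 80), 2: ("10.0.0.2", 443)}
    print(four_tuple("192.0.2.10", sport, *probes[0]) == four_tuple("192.0.2.10", sport, *probes[1]))
    replies = [(ip, tcp_header(port, sport, 0x11111111, encode_isn(pid, nonce) + 1, SYN | ACK))
               for pid, (ip, port) in probes.items()]
    print(demux_syn_acks(probes, replies, nonce, sport))
```

The same trick is exactly what connect() cannot offer: the kernel chooses the ISN and treats it as the start of a byte stream, so a version probe that must continue the conversation after the handshake cannot also spend that field on bookkeeping.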