This is documentation of a project to discover the effectiveness of each of Nmap's ping probes, singly and in combination. The object is to improve the default host discovery if possible.
The general strategy is this: Generate a list of test IP addresses. Run several host discovery scans against the addresses using a single ping probe each time. Make a list showing the most effective single probe, the most effective two-probe combination, and so on. Effectiveness is measured as the number of distinct hosts found up (not counting overlaps). Maybe time taken to scan will also be significant.
Scripts used to do the analysis:
Fyodor and I talked and settled on the following method of generating addresses. Generate addresses with -iR
. Do a whois query on each one to find out the size of the network allocation it belongs to. Discard any that belong to one bigger than a /16.
I modified the whois.nse
script to produce abbreviated output including only the IP address and netblock size. I called the modified script netrange.nse
. Its output looks like
Host 138.73.189.55 is up. Host script results: |_ netrange: 138.73.189.55/16 Host 203.194.111.129 is up. Host script results: |_ netrange: 203.194.111.129/20
I made a trivial modification to the Nmap to allow using -sP
and -PN
together, so that I could script scan the addresses without having to ping them or port scan them.
Index: NmapOps.cc =================================================================== --- NmapOps.cc (revision 13217) +++ NmapOps.cc (working copy) @@ -372,9 +372,11 @@ fatal("Sorry, the IPProtoscan, Listscan, and Pingscan (-sO, -sL, -sP) must currently be used alone rather than combined with other scan types."); } + /* if ((pingscan && pingtype == PINGTYPE_NONE)) { fatal("-PN (skip ping) is incompatable with -sP (ping scan). If you only want to enumerate hosts, try list scan (-sL)"); } + */ if (pingscan && (TCPScan() || UDPScan() || ipprotscan || listscan)) { fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan");
The output of netrange.nse
is then filtered into an address list with this Awk script (ping-hosts-filter.awk
):
BEGIN { MIN_BITS = 16; } /^\|_ netrange: [1-9]/ { split($3, a, "/"); addr = a[1]; bits = a[2]; if (bits > MIN_BITS) { print addr; } }
I created an address list:
./nmap --datadir . --script=netrange -PN -sP -iR 1000 -n -oN netrange-1.nmap awk -f ping-hosts-filter.awk netrange-1.nmap > ping-hosts-prelim
I think the script scan hit a deadlock around host 995 or so, but it was almost done. After filtering, there were 200 addresses in ping-hosts-prelim
. I then ran the scans with the following options (65 scans in all):
# Note: All scans used the common options: -sP -n -d2 --max-retries 1 -iL ping-hosts No options (default ping) for tcp in 80 23 443 21 22 25 3389 110 445 139 40125 40126 -PS$tcp -PA$tcp for udp in 631 161 137 123 138 31338 40125 40126 -PU$udp -PU$udp --source-port 53 -PU$udp --data-length 24 -PU$udp --source-port 53 --data-length 24 for proto in 1 2 4 6 17 150 -PO$proto -PE -PP -PM
The results were as follows:
65 probes total: -PE 19 86.36% -PO1 18 81.82% -PS80 15 68.18% -PS443 14 63.64% -PS40125 12 54.55% -PS40126 12 54.55% -PS110 12 54.55% -PS25 12 54.55% -PS3389 12 54.55% -PS21 11 50.00% -PS23 11 50.00% -PU40125-sp53-dl24 9 40.91% -PU40125-dl24 9 40.91% -PU31338-sp53-dl24 9 40.91% -PS22 9 40.91% -PU31338-dl24 9 40.91% -PU40126-sp53-dl24 9 40.91% -PU631-dl24 9 40.91% -PU631-sp53-dl24 9 40.91% -PU123-sp53-dl24 9 40.91% -PU631-sp53 8 36.36% -PU40126 8 36.36% -PU40125-sp53 8 36.36% -PU31338 8 36.36% -PO17 8 36.36% -PU137-sp53-dl24 8 36.36% -PU631 8 36.36% -PU123-dl24 8 36.36% -PU123-sp53 8 36.36% -PU123 8 36.36% -PU138-sp53 7 31.82% -PU138-sp53-dl24 7 31.82% -PU40126-sp53 7 31.82% -PU137-sp53 7 31.82% -PU40126-dl24 7 31.82% -PU161-sp53-dl24 7 31.82% -PU161-sp53 7 31.82% -PU40125 7 31.82% -PU138-dl24 7 31.82% -PU31338-sp53 6 27.27% -PU138 6 27.27% -PU161 6 27.27% -PU161-dl24 6 27.27% -PU137-dl24 6 27.27% -PS139 5 22.73% -PU137 5 22.73% -PS445 5 22.73% -PO2 4 18.18% -PP 4 18.18% -PM 2 9.09% -PA445 0 0.00% -PO4 0 0.00% -PO6 0 0.00% -PA80 0 0.00% -PO150 0 0.00% -PA443 0 0.00% -PA40126 0 0.00% -PA40125 0 0.00% -PA3389 0 0.00% -PA25 0 0.00% -PA23 0 0.00% -PA22 0 0.00% -PA21 0 0.00% -PA139 0 0.00% -PA110 0 0.00% Culled 63 probes. Maximum possible using 2 remaining probes: 22. === 1 probe * -PE; size 19, 86.36% -PS80; size 15, 68.18% === 2 probes * -PE -PS80; size 22, 100.00%
The script kept running, but in this case we can see that we will never get better than the two-probe combination -PE -PS80
.
This test was done on a connection that filters ACK probes. For the larger tests I'm going to run scans from several locations.
These are combined results of scans from four separate network locations.
Maximum possible using all 65 probes: 8883. -PE 5752 64.75% -PO1 5699 64.16% -PS443 4028 45.35% -PS80 3956 44.53% -PS110 3724 41.92% -PS21 3697 41.62% -PS22 3626 40.82% -PS3389 3484 39.22% -PS40125 3336 37.55% -PS40126 3334 37.53% -PP 3290 37.04% -PS23 3259 36.69% -PA80 3033 34.14% -PA443 2992 33.68% -PU40125-sp53-dl24 2896 32.60% -PU40126-sp53-dl24 2885 32.48% -PA110 2864 32.24% -PA3389 2852 32.11% -PA21 2836 31.93% -PA22 2832 31.88% -PO6 2822 31.77% -PA40125 2820 31.75% -PU31338-sp53-dl24 2819 31.73% -PA40126 2815 31.69% -PA23 2707 30.47% -PU631-sp53-dl24 2703 30.43% -PU40125-sp53 2700 30.40% -PU40126-sp53 2688 30.26% -PU40125-dl24 2681 30.18% -PU40126-dl24 2661 29.96% -PU31338-sp53 2634 29.65% -PS25 2631 29.62% -PU31338-dl24 2584 29.09% -PU631-dl24 2555 28.76% -PU631-sp53 2497 28.11% -PU40125 2490 28.03% -PU40126 2473 27.84% -PU31338 2411 27.14% -PO17 2379 26.78% -PU631 2328 26.21% -PU123-sp53-dl24 2173 24.46% -PU123-dl24 2084 23.46% -PS445 2053 23.11% -PS139 2000 22.51% -PU123-sp53 1927 21.69% -PU123 1838 20.69% -PA25 1784 20.08% -PA445 1727 19.44% -PU138-sp53-dl24 1697 19.10% -PA139 1687 18.99% -PU161-sp53 1681 18.92% -PU161-sp53-dl24 1678 18.89% -PU137-sp53-dl24 1665 18.74% -PU138-dl24 1617 18.20% -PU161-dl24 1587 17.87% -PU137-dl24 1575 17.73% -PU161 1571 17.69% -PU138-sp53 1509 16.99% -PU137-sp53 1483 16.69% -PU138 1422 16.01% -PU137 1403 15.79% -PO2 887 9.99% -PO150 706 7.95% -PO4 587 6.61% -PM 358 4.03% === 1 probe * -PE; size 5752, 64.75% -PO1; size 5699, 64.16% -PS443; size 4028, 45.35% -PS80; size 3956, 44.53% -PS110; size 3724, 41.92% -PS21; size 3697, 41.62% -PS22; size 3626, 40.82% -PS3389; size 3484, 39.22% -PS40125; size 3336, 37.55% -PS40126; size 3334, 37.53% === 2 probes * -PE -PS443; size 6935, 78.07% -PO1 -PS443; size 6896, 77.63% -PE -PS80; size 6874, 77.38% -PO1 -PS80; size 6831, 76.90% -PE -PS21; size 6804, 76.60% -PE -PS110; size 6765, 76.16% -PE -PS22; size 6762, 76.12% -PO1 -PS21; size 6760, 76.10% -PE -PA80; size 6746, 75.94% -PO1 -PS110; size 6724, 75.70% === 3 probes * -PE -PS443 -PA80; size 7482, 84.23% -PO1 -PS443 -PA80; size 7443, 83.79% -PE -PS443 -PP; size 7427, 83.61% -PE -PS443 -PA3389; size 7426, 83.60% -PO1 -PS443 -PP; size 7423, 83.56% -PE -PS443 -PA110; size 7395, 83.25% -PE -PS21 -PA80; size 7395, 83.25% -PE -PS443 -PA22; size 7391, 83.20% -PO1 -PS443 -PA3389; size 7390, 83.19% -PE -PS443 -PA40125; size 7388, 83.17% === 4 probes * -PE -PS443 -PP -PA80; size 7902, 88.96% -PO1 -PS443 -PP -PA80; size 7893, 88.86% -PE -PS443 -PP -PA3389; size 7881, 88.72% -PO1 -PS443 -PP -PA3389; size 7875, 88.65% -PE -PS443 -PP -PA110; size 7851, 88.38% -PE -PS443 -PP -PA22; size 7847, 88.34% -PO1 -PS443 -PP -PA110; size 7844, 88.30% -PE -PS443 -PP -PA40125; size 7842, 88.28% -PE -PS443 -PP -PA40126; size 7842, 88.28% -PE -PS443 -PP -PA21; size 7840, 88.26% === 5 probes * -PE -PS443 -PP -PA80 -PU40125-sp53-dl24; size 8160, 91.86% * -PE -PS443 -PP -PA80 -PU40125-sp53; size 8160, 91.86% -PE -PS443 -PP -PA80 -PU40126-sp53-dl24; size 8149, 91.74% -PE -PS443 -PP -PA80 -PU40126-sp53; size 8149, 91.74% -PO1 -PS443 -PP -PA80 -PU40125-sp53; size 8131, 91.53% -PO1 -PS443 -PP -PA80 -PU40125-sp53-dl24; size 8129, 91.51% -PO1 -PS443 -PP -PA80 -PU40126-sp53; size 8123, 91.44% -PE -PS443 -PP -PU40125-sp53-dl24 -PA3389; size 8122, 91.43% -PE -PS443 -PP -PA3389 -PU40125-sp53; size 8119, 91.40% -PE -PS443 -PP -PU40126-sp53-dl24 -PA3389; size 8115, 91.35%
These are the results of scanning the exact same hosts as before, this time only the UDP ports 53, 123, 135, 137, 161, 500, and 1434. The ping probes were sent with payloads taken from nmap-service-probes
. These results were then folded into previous results. The new probes have payload
in their names.
There were 762 extra hosts found across the two rounds and four network locations (9625 vs. 8883). Use caution when comparing percentages to those above; these are out of 9625 where those were out of 8883.
The best individual UDP probes are still those to a random high port, with a source port of 53 and a non-empty payload. Even without the source port and payload, the ports 40125 and 40126 that I picked out of the air are better choices than the current default of 31338, finding around 400 additional hosts.
The best probe combinations for 1 and 2 probes are the same as before: -PE
and -PE -PS443
. Our current default -PE -PA80
is in the top ten for two-probe pings. After that the results are different: combining -PE -PS443
with UDP to port 53 with a DNS payload and a source port of 53 finds 116 additional hosts compared with -PE -PS443 -PA80
. Actually, the results are as above, just lagged by one place because of the new -PU53
probe; the next probes to be added are -PA80
and -PP
.
Maximum possible using all 79 probes: 9625. -PE 5752 59.76% -PO1 5699 59.21% -PS443 4028 41.85% -PS80 3956 41.10% -PS110 3724 38.69% -PS21 3697 38.41% -PS22 3626 37.67% -PS3389 3484 36.20% -PS40125 3336 34.66% -PS40126 3334 34.64% -PP 3290 34.18% -PS23 3259 33.86% -PA80 3033 31.51% -PA443 2992 31.09% -PU40125-sp53-dl24 2896 30.09% -PU40126-sp53-dl24 2885 29.97% -PA110 2864 29.76% -PA3389 2852 29.63% -PA21 2836 29.46% -PA22 2832 29.42% -PO6 2822 29.32% -PA40125 2820 29.30% -PU31338-sp53-dl24 2819 29.29% -PA40126 2815 29.25% -PA23 2707 28.12% -PU631-sp53-dl24 2703 28.08% -PU40125-sp53 2700 28.05% -PU40126-sp53 2688 27.93% -PU40125-dl24 2681 27.85% -PU40126-dl24 2661 27.65% -PU31338-sp53 2634 27.37% -PS25 2631 27.34% -PU123-payload-sp53 2627 27.29% -PU31338-dl24 2584 26.85% -PU53-payload-sp53 2564 26.64% -PU123-payload 2555 26.55% -PU631-dl24 2555 26.55% -PU53-payload 2507 26.05% -PU631-sp53 2497 25.94% -PU40125 2490 25.87% -PU40126 2473 25.69% -PU31338 2411 25.05% -PO17 2379 24.72% -PU631 2328 24.19% -PU1434-payload-sp53 2312 24.02% -PU500-payload-sp53 2247 23.35% -PU123-sp53-dl24 2173 22.58% -PU500-payload 2159 22.43% -PU1434-payload 2144 22.28% -PU123-dl24 2084 21.65% -PS445 2053 21.33% -PS139 2000 20.78% -PU161-payload-sp53 1934 20.09% -PU123-sp53 1927 20.02% -PU123 1838 19.10% -PU161-payload 1785 18.55% -PA25 1784 18.54% -PA445 1727 17.94% -PU135-payload-sp53 1708 17.75% -PU138-sp53-dl24 1697 17.63% -PA139 1687 17.53% -PU161-sp53 1681 17.46% -PU161-sp53-dl24 1678 17.43% -PU137-sp53-dl24 1665 17.30% -PU137-payload-sp53 1650 17.14% -PU138-dl24 1617 16.80% -PU135-payload 1613 16.76% -PU161-dl24 1587 16.49% -PU137-dl24 1575 16.36% -PU161 1571 16.32% -PU137-payload 1550 16.10% -PU138-sp53 1509 15.68% -PU137-sp53 1483 15.41% -PU138 1422 14.77% -PU137 1403 14.58% -PO2 887 9.22% -PO150 706 7.34% -PO4 587 6.10% -PM 358 3.72% === 1 probe * -PE; size 5752, 59.76% -PO1; size 5699, 59.21% -PS443; size 4028, 41.85% -PS80; size 3956, 41.10% -PS110; size 3724, 38.69% -PS21; size 3697, 38.41% -PS22; size 3626, 37.67% -PS3389; size 3484, 36.20% -PS40125; size 3336, 34.66% -PS40126; size 3334, 34.64% === 2 probes * -PS443 -PE; size 6935, 72.05% -PS443 -PO1; size 6896, 71.65% -PS80 -PE; size 6874, 71.42% -PS80 -PO1; size 6831, 70.97% -PS21 -PE; size 6804, 70.69% -PS110 -PE; size 6765, 70.29% -PS22 -PE; size 6762, 70.25% -PS21 -PO1; size 6760, 70.23% -PA80 -PE; size 6746, 70.09% -PS110 -PO1; size 6724, 69.86% === 3 probes * -PU53-payload-sp53 -PS443 -PE; size 7598, 78.94% -PU53-payload-sp53 -PS443 -PO1; size 7559, 78.54% -PU53-payload-sp53 -PS80 -PE; size 7539, 78.33% -PU123-payload-sp53 -PS443 -PE; size 7538, 78.32% -PU123-payload-sp53 -PS443 -PO1; size 7502, 77.94% -PU53-payload-sp53 -PS80 -PO1; size 7496, 77.88% -PU123-payload-sp53 -PS80 -PE; size 7486, 77.78% -PA80 -PS443 -PE; size 7482, 77.74% -PU53-payload-sp53 -PS21 -PE; size 7454, 77.44% -PU53-payload -PS443 -PE; size 7447, 77.37% === 4 probes * -PU53-payload-sp53 -PA80 -PS443 -PE; size 8103, 84.19% -PU123-payload-sp53 -PA80 -PS443 -PE; size 8064, 83.78% -PU53-payload-sp53 -PA80 -PS443 -PO1; size 8062, 83.76% -PU53-payload-sp53 -PA3389 -PS443 -PE; size 8040, 83.53% -PU53-payload-sp53 -PP -PS443 -PE; size 8031, 83.44% -PU123-payload-sp53 -PA80 -PS443 -PO1; size 8026, 83.39% -PU53-payload-sp53 -PP -PS443 -PO1; size 8023, 83.36% -PU53-payload-sp53 -PA110 -PS443 -PE; size 8009, 83.21% -PU53-payload-sp53 -PA40125 -PS443 -PE; size 8003, 83.15% -PU53-payload-sp53 -PA21 -PS443 -PE; size 8002, 83.14% === 5 probes * -PU53-payload-sp53 -PA80 -PP -PS443 -PE; size 8487, 88.18% -PU53-payload-sp53 -PA80 -PP -PS443 -PO1; size 8474, 88.04% -PU53-payload-sp53 -PA3389 -PP -PS443 -PE; size 8459, 87.89% -PU123-payload-sp53 -PA80 -PP -PS443 -PE; size 8458, 87.88% -PU53-payload-sp53 -PA3389 -PP -PS443 -PO1; size 8450, 87.79% -PU123-payload-sp53 -PA80 -PP -PS443 -PO1; size 8447, 87.76% -PU53-payload-sp53 -PA110 -PP -PS443 -PE; size 8429, 87.57% -PU123-payload-sp53 -PA3389 -PP -PS443 -PE; size 8422, 87.50% -PU53-payload-sp53 -PA21 -PP -PS443 -PE; size 8422, 87.50% -PU53-payload-sp53 -PA22 -PP -PS443 -PE; size 8422, 87.50% === 6 probes When I killed the script, the best 6-probe combination was -PU53-payload-sp53 -PA3389 -PP -PS80 -PS443 -PE; size 8669, 90.07% === 7 probes When I killed the script, the best 7-probe combination was -PU161-payload-sp53 -PU53-payload-sp53 -PA3389 -PP -PS80 -PS443 -PE; size 8847, 91.92%
One of the four scanning hosts above filters outgoing ACK packets, so all the -PA
probes find 0 hosts. I was curious whether -PS443
would continue to be better than -PA80
in the absence of this filtering. I ran another analysis, excluding the filtered host. -PE -PA80
became the best two-probe combination. -PE -PS443
is still in the top ten, but finds 128 fewer hosts.
Maximum possible using all 79 probes: 7276. -PE 4364 59.98% -PO1 4320 59.37% -PS443 3064 42.11% -PA80 3033 41.68% -PS80 3018 41.48% -PA443 2992 41.12% -PA110 2864 39.36% -PA3389 2852 39.20% -PA21 2836 38.98% -PS110 2834 38.95% -PA22 2832 38.92% -PO6 2822 38.79% -PA40125 2820 38.76% -PS21 2817 38.72% -PA40126 2815 38.69% -PS22 2767 38.03% -PA23 2707 37.20% -PS3389 2670 36.70% -PS40125 2567 35.28% -PS40126 2561 35.20% -PP 2530 34.77% -PS23 2486 34.17% -PU40125-sp53-dl24 2209 30.36% -PU40126-sp53-dl24 2206 30.32% -PU31338-sp53-dl24 2153 29.59% -PU40125-dl24 2076 28.53% -PU40125-sp53 2066 28.39% -PU631-sp53-dl24 2059 28.30% -PU40126-dl24 2059 28.30% -PU40126-sp53 2058 28.28% -PU31338-sp53 2015 27.69% -PU31338-dl24 2011 27.64% -PU123-payload-sp53 1972 27.10% -PU631-dl24 1960 26.94% -PU53-payload-sp53 1948 26.77% -PU123-payload 1938 26.64% -PU40125 1915 26.32% -PU53-payload 1906 26.20% -PU40126 1905 26.18% -PU631-sp53 1903 26.15% -PU31338 1863 25.60% -PO17 1832 25.18% -PS25 1791 24.62% -PA25 1784 24.52% -PU631 1783 24.51% -PU1434-payload-sp53 1731 23.79% -PA445 1727 23.74% -PU500-payload-sp53 1702 23.39% -PA139 1687 23.19% -PU123-sp53-dl24 1684 23.14% -PU500-payload 1638 22.51% -PU1434-payload 1625 22.33% -PU123-dl24 1616 22.21% -PS445 1567 21.54% -PS139 1524 20.95% -PU123-sp53 1483 20.38% -PU161-payload-sp53 1451 19.94% -PU123 1421 19.53% -PU161-payload 1352 18.58% -PU135-payload-sp53 1301 17.88% -PU138-sp53-dl24 1291 17.74% -PU161-sp53-dl24 1277 17.55% -PU161-sp53 1272 17.48% -PU137-sp53-dl24 1267 17.41% -PU137-payload-sp53 1246 17.12% -PU161-dl24 1234 16.96% -PU138-dl24 1231 16.92% -PU135-payload 1228 16.88% -PU161 1223 16.81% -PU137-dl24 1218 16.74% -PU137-payload 1182 16.25% -PU138-sp53 1155 15.87% -PU137-sp53 1139 15.65% -PU138 1097 15.08% -PU137 1086 14.93% -PO150 706 9.70% -PO2 682 9.37% -PO4 587 8.07% -PM 279 3.83% === 1 probe * -PE; size 4364, 59.98% -PO1; size 4320, 59.37% -PS443; size 3064, 42.11% -PA80; size 3033, 41.68% -PS80; size 3018, 41.48% -PA443; size 2992, 41.12% -PA110; size 2864, 39.36% -PA3389; size 2852, 39.20% -PA21; size 2836, 38.98% -PS110; size 2834, 38.95% === 2 probes * -PA80 -PE; size 5358, 73.64% -PA80 -PO1; size 5320, 73.12% -PA443 -PE; size 5309, 72.97% -PA443 -PO1; size 5274, 72.48% -PA21 -PE; size 5237, 71.98% -PA3389 -PE; size 5234, 71.94% -PA22 -PE; size 5232, 71.91% -PS443 -PE; size 5230, 71.88% -PA110 -PE; size 5219, 71.73% -PA21 -PO1; size 5204, 71.52% === 3 probes * -PU53-payload-sp53 -PA80 -PE; size 5847, 80.36% -PU123-payload-sp53 -PA80 -PE; size 5823, 80.03% -PU53-payload-sp53 -PA80 -PO1; size 5812, 79.88% -PU53-payload-sp53 -PA443 -PE; size 5794, 79.63% -PU123-payload-sp53 -PA80 -PO1; size 5787, 79.54% -PA80 -PS443 -PE; size 5777, 79.40% -PU123-payload-sp53 -PA443 -PE; size 5771, 79.32% -PU123-payload -PA80 -PE; size 5765, 79.23% -PU1434-payload-sp53 -PA80 -PE; size 5762, 79.19% -PU53-payload-sp53 -PA443 -PO1; size 5762, 79.19%
Given a family F of sets and nonnegative integers n and k, is there a subfamily of F of size at most k whose union has size at least n?
First, Subset Union is in NP. Given a subset S of F, we can in polynomial time verify that the size of S does not exceed k and that the size of the union of all of S is at least n.
We now show that Set Cover is reducible in polynomial time to Subset Union. Given an instance of Set Cover, construct a family F using the sets of set cover. Let k be the desired number of sets from Set Cover, and set n to the size of the the family U in set cover.
Now, a set is covered by a subfamily of size at most k if and only if there is a subset union of F of size at most k whose union has size at least n. If a set is covered by a subfamily of size at most k, then the union of the subfamily has the same size as the set; i.e., n. If there is a subset union of F of size at most k whose union has size at least n, then the subfamily of F also covers U, which has n elements. ∎
This was a large scan using 90 different ping probes, including all those tested so far, plus additional payloads for DNS and SNMP, and -PY
ping from the SCTP branch. This scan was done on the same 6,492 addresses on the same four scanning hosts.
Surprisingly, the UDP payload probes did not do as well this time. Before, port 53 with a payload was in the best combination for 3 probes; this time not probe with a payload even placed in the top ten. They do appear among the top results for 5 and 6 probes.
For some reason, fewer hosts were found overall this time around (9023 vs. 9625), even with the additional probes. I guess that is because of network variance over the past 15 days. Another possibility is that merging the SCTP changes affected other aspects of scanning somehow. Even the normal probes like -PE and -PS were decreased in this round.
Maximum possible using all 90 probes: 9023. -PE 5553 61.54% -PO1 5500 60.96% -PS443 3914 43.38% -PS80 3751 41.57% -PS110 3571 39.58% -PS21 3491 38.69% -PS22 3412 37.81% -PS3389 3315 36.74% -PP 3213 35.61% -PS40125 3190 35.35% -PS40126 3175 35.19% -PS23 3087 34.21% -PA80 2899 32.13% -PA443 2881 31.93% -PU40125-sp53-dl24 2727 30.22% -PA110 2723 30.18% -PU40126-sp53-dl24 2708 30.01% -PA3389 2708 30.01% -PA40125 2685 29.76% -PA40126 2675 29.65% -PA22 2672 29.61% -PO6 2666 29.55% -PA21 2654 29.41% -PU31338-sp53-dl24 2641 29.27% -PS25 2582 28.62% -PA23 2581 28.60% -PU123-payload1-sp53 2570 28.48% -PU631-sp53-dl24 2561 28.38% -PU40125-sp53 2531 28.05% -PU40126-sp53 2529 28.03% -PU40125-dl24 2510 27.82% -PU40126-dl24 2506 27.77% -PU123-payload1 2490 27.60% -PU53-payload2-sp53 2471 27.39% -PU53-payload2 2453 27.19% -PU31338-sp53 2450 27.15% -PU31338-dl24 2420 26.82% -PU53-payload1-sp53 2404 26.64% -PU631-dl24 2376 26.33% -PU631-sp53 2370 26.27% -PU53-payload1 2349 26.03% -PU1434-payload1-sp53 2329 25.81% -PU161-payload2-sp53 2326 25.78% -PU40125 2320 25.71% -PU40126 2304 25.53% -PU500-payload1-sp53 2270 25.16% -PO17 2232 24.74% -PU31338 2223 24.64% -PU1434-payload1 2189 24.26% -PY 2186 24.23% -PU161-payload2 2185 24.22% -PU631 2184 24.20% -PU500-payload1 2180 24.16% -PU53-sp53-dl24 2156 23.89% -PU53-sp53 2110 23.38% -PU53-dl24 2082 23.07% -PU123-sp53-dl24 2018 22.37% -PS445 2010 22.28% -PU123-dl24 1978 21.92% -PU53 1955 21.67% -PS139 1945 21.56% -PU161-payload1-sp53 1911 21.18% -PU123-sp53 1835 20.34% -PU161-payload1 1789 19.83% -PU123 1723 19.10% -PA25 1721 19.07% -PA445 1682 18.64% -PU135-payload1-sp53 1651 18.30% -PU135-payload2-sp53 1643 18.21% -PA139 1619 17.94% -PU161-sp53 1605 17.79% -PU161-sp53-dl24 1597 17.70% -PU137-payload1-sp53 1596 17.69% -PU135-payload2 1545 17.12% -PU135-payload1 1542 17.09% -PU138-sp53-dl24 1536 17.02% -PU137-sp53-dl24 1514 16.78% -PU137-payload1 1497 16.59% -PU161-dl24 1481 16.41% -PU161 1481 16.41% -PU138-dl24 1456 16.14% -PU137-dl24 1424 15.78% -PU138-sp53 1377 15.26% -PU137-sp53 1345 14.91% -PU138 1293 14.33% -PU137 1260 13.96% -PO2 792 8.78% -PO150 605 6.71% -PO4 482 5.34% -PM 368 4.08% === 1 probe; found in 0:00:00. * -PE; size 5553, 61.54% -PO1; size 5500, 60.96% -PS443; size 3914, 43.38% -PS80; size 3751, 41.57% -PS110; size 3571, 39.58% -PS21; size 3491, 38.69% -PS22; size 3412, 37.81% -PS3389; size 3315, 36.74% -PP; size 3213, 35.61% -PS40125; size 3190, 35.35% === 2 probes; found in 0:00:00. * -PE -PS443; size 6777, 75.11% -PO1 -PS443; size 6724, 74.52% -PE -PS80; size 6663, 73.84% -PO1 -PS80; size 6609, 73.25% -PE -PS21; size 6605, 73.20% -PE -PS110; size 6580, 72.92% -PE -PA80; size 6567, 72.78% -PO1 -PS21; size 6554, 72.64% -PE -PS22; size 6544, 72.53% -PO1 -PS110; size 6520, 72.26% === 3 probes; found in 0:00:01. * -PE -PS443 -PA80; size 7318, 81.10% -PE -PS443 -PP; size 7311, 81.03% -PO1 -PS443 -PP; size 7277, 80.65% -PO1 -PS443 -PA80; size 7264, 80.51% -PE -PS443 -PA3389; size 7241, 80.25% -PE -PS443 -PA110; size 7228, 80.11% -PE -PS21 -PA80; size 7225, 80.07% -PE -PS443 -PA21; size 7220, 80.02% -PE -PS443 -PA40125; size 7219, 80.01% -PE -PS443 -PA40126; size 7216, 79.97% === 4 probes; found in 0:00:13. * -PE -PS443 -PP -PA80; size 7778, 86.20% -PO1 -PS443 -PP -PA80; size 7745, 85.84% -PE -PS443 -PP -PA3389; size 7735, 85.73% -PE -PS443 -PP -PA110; size 7722, 85.58% -PE -PS443 -PP -PA21; size 7714, 85.49% -PE -PS443 -PP -PA40125; size 7713, 85.48% -PE -PS443 -PP -PA40126; size 7710, 85.45% -PE -PS443 -PP -PA22; size 7705, 85.39% -PO1 -PS443 -PP -PA3389; size 7703, 85.37% -PE -PS443 -PP -PO6; size 7700, 85.34% === 5 probes; found in 0:04:00. * -PO1 -PS443 -PP -PA80 -PY; size 8028, 88.97% -PE -PS443 -PP -PA80 -PU40125-sp53-dl24; size 8005, 88.72% -PE -PS443 -PP -PA80 -PU40125-sp53; size 8005, 88.72% -PE -PS443 -PP -PA80 -PU161-payload2-sp53; size 8005, 88.72% -PE -PS443 -PP -PA80 -PU40126-sp53-dl24; size 8004, 88.71% -PE -PS443 -PP -PA80 -PU53-payload1-sp53; size 8001, 88.67% -PE -PS443 -PP -PA80 -PY; size 8000, 88.66% -PE -PS443 -PP -PA80 -PU53-payload2-sp53; size 8000, 88.66% -PE -PS443 -PP -PA80 -PU40126-sp53; size 7996, 88.62% -PO1 -PS443 -PP -PA3389 -PY; size 7977, 88.41% === 6 probes; found in 0:56:43. * -PO1 -PS443 -PP -PA80 -PU40125-sp53-dl24 -PY; size 8214, 91.03% -PO1 -PS443 -PP -PA80 -PU40126-sp53-dl24 -PY; size 8211, 91.00% -PO1 -PS443 -PP -PA80 -PU40125-sp53 -PY; size 8211, 91.00% -PO1 -PS443 -PP -PA80 -PU40126-sp53 -PY; size 8207, 90.96% -PO1 -PS443 -PP -PA80 -PU53-payload1-sp53 -PY; size 8203, 90.91% -PO1 -PS443 -PP -PA80 -PU53-payload2-sp53 -PY; size 8200, 90.88% -PE -PS443 -PP -PA80 -PU40125-sp53 -PY; size 8188, 90.75% -PE -PS443 -PP -PA80 -PU40126-sp53-dl24 -PY; size 8187, 90.73% -PE -PS443 -PP -PA80 -PU40125-sp53-dl24 -PY; size 8187, 90.73% -PE -PS443 -PP -PA80 -PU53-payload1-sp53 -PY; size 8184, 90.70% === 7 probes When I killed the script, the best was -PE -PS443 -PS80 -PP -PA3389 -PU40125-sp53 -PY (8337).
Here are the results without the host that filters ACKs.
Maximum possible using all 90 probes: 6768. -PE 4185 61.84% -PO1 4145 61.24% -PS443 2959 43.72% -PA80 2899 42.83% -PA443 2881 42.57% -PS80 2845 42.04% -PA110 2723 40.23% -PA3389 2708 40.01% -PS110 2707 40.00% -PA40125 2685 39.67% -PA40126 2675 39.52% -PA22 2672 39.48% -PO6 2666 39.39% -PS21 2654 39.21% -PA21 2654 39.21% -PS22 2596 38.36% -PA23 2581 38.14% -PS3389 2512 37.12% -PP 2456 36.29% -PS40125 2419 35.74% -PS40126 2409 35.59% -PS23 2344 34.63% -PU40125-sp53-dl24 2088 30.85% -PU40126-sp53-dl24 2064 30.50% -PU31338-sp53-dl24 2007 29.65% -PU631-sp53-dl24 1946 28.75% -PU123-payload1-sp53 1943 28.71% -PU40125-sp53 1936 28.61% -PU40126-sp53 1932 28.55% -PU40125-dl24 1919 28.35% -PU40126-dl24 1912 28.25% -PU123-payload1 1899 28.06% -PU53-payload2-sp53 1878 27.75% -PU53-payload2 1875 27.70% -PU31338-sp53 1866 27.57% -PU31338-dl24 1853 27.38% -PU53-payload1-sp53 1820 26.89% -PU631-dl24 1819 26.88% -PU631-sp53 1803 26.64% -PU53-payload1 1797 26.55% -PU1434-payload1-sp53 1769 26.14% -PU40125 1767 26.11% -PU40126 1764 26.06% -PU161-payload2-sp53 1753 25.90% -PS25 1748 25.83% -PU500-payload1-sp53 1722 25.44% -PA25 1721 25.43% -PU31338 1698 25.09% -PO17 1697 25.07% -PA445 1682 24.85% -PU1434-payload1 1678 24.79% -PU161-payload2 1667 24.63% -PU500-payload1 1665 24.60% -PU631 1655 24.45% -PY 1644 24.29% -PA139 1619 23.92% -PU53-sp53-dl24 1618 23.91% -PU53-sp53 1604 23.70% -PU53-dl24 1581 23.36% -PS445 1542 22.78% -PU123-sp53-dl24 1539 22.74% -PU123-dl24 1518 22.43% -PU53 1487 21.97% -PS139 1473 21.76% -PU161-payload1-sp53 1454 21.48% -PU123-sp53 1398 20.66% -PU161-payload1 1373 20.29% -PU123 1326 19.59% -PU135-payload2-sp53 1252 18.50% -PU135-payload1-sp53 1252 18.50% -PU161-sp53 1227 18.13% -PU161-sp53-dl24 1215 17.95% -PU137-payload1-sp53 1214 17.94% -PU135-payload2 1186 17.52% -PU135-payload1 1183 17.48% -PU138-sp53-dl24 1163 17.18% -PU137-sp53-dl24 1148 16.96% -PU137-payload1 1145 16.92% -PU161-dl24 1141 16.86% -PU161 1138 16.81% -PU138-dl24 1107 16.36% -PU137-dl24 1081 15.97% -PU138-sp53 1037 15.32% -PU137-sp53 1021 15.09% -PU138 975 14.41% -PU137 968 14.30% -PO2 609 9.00% -PO150 605 8.94% -PO4 482 7.12% -PM 282 4.17% === 1 probe; found in 0:00:00. * -PE; size 4185, 61.84% -PO1; size 4145, 61.24% -PS443; size 2959, 43.72% -PA80; size 2899, 42.83% -PA443; size 2881, 42.57% -PS80; size 2845, 42.04% -PA110; size 2723, 40.23% -PA3389; size 2708, 40.01% -PS110; size 2707, 40.00% -PA40125; size 2685, 39.67% === 2 probes; found in 0:00:00. * -PE -PA80; size 5199, 76.82% -PO1 -PA80; size 5163, 76.29% -PE -PA443; size 5145, 76.02% -PO1 -PA443; size 5110, 75.50% -PE -PS443; size 5075, 74.99% -PE -PA21; size 5057, 74.72% -PE -PA22; size 5049, 74.60% -PO1 -PS443; size 5048, 74.59% -PE -PA3389; size 5046, 74.56% -PE -PA110; size 5046, 74.56% === 3 probes; found in 0:00:00. * -PE -PS443 -PA80; size 5616, 82.98% -PO1 -PS443 -PA80; size 5588, 82.57% -PE -PA80 -PS21; size 5578, 82.42% -PE -PA80 -PS110; size 5555, 82.08% -PO1 -PA80 -PS21; size 5542, 81.89% -PE -PS443 -PA3389; size 5539, 81.84% -PE -PA80 -PS22; size 5534, 81.77% -PE -PA80 -PP; size 5527, 81.66% -PE -PS443 -PA110; size 5526, 81.65% -PO1 -PA80 -PS110; size 5525, 81.63% === 4 probes; found in 0:00:11. * -PE -PS443 -PA80 -PP; size 5938, 87.74% -PO1 -PS443 -PA80 -PP; size 5921, 87.49% -PE -PA80 -PS21 -PP; size 5899, 87.16% -PE -PS443 -PA3389 -PP; size 5895, 87.10% -PE -PS443 -PA110 -PP; size 5882, 86.91% -PO1 -PS443 -PA3389 -PP; size 5879, 86.86% -PO1 -PA80 -PS21 -PP; size 5876, 86.82% -PE -PA80 -PS110 -PP; size 5875, 86.81% -PE -PS443 -PA21 -PP; size 5874, 86.79% -PE -PS443 -PA40125 -PP; size 5873, 86.78% === 5 probes; found in 0:03:07. * -PO1 -PS443 -PA80 -PP -PY; size 6121, 90.44% -PE -PS443 -PA80 -PP -PU161-payload2-sp53; size 6106, 90.22% -PE -PS443 -PA80 -PP -PY; size 6105, 90.20% -PE -PS443 -PA80 -PP -PU40125-sp53-dl24; size 6105, 90.20% -PE -PS443 -PA80 -PP -PU40125-sp53; size 6104, 90.19% -PE -PS443 -PA80 -PP -PU53-payload2-sp53; size 6103, 90.17% -PE -PS443 -PA80 -PP -PU40126-sp53-dl24; size 6103, 90.17% -PE -PS443 -PA80 -PP -PU53-payload1-sp53; size 6100, 90.13% -PE -PS443 -PA80 -PP -PU40126-sp53; size 6099, 90.12% -PO1 -PS443 -PA80 -PP -PU40125-sp53-dl24; size 6089, 89.97% === 6 probes; found in 0:44:07. * -PO1 -PS443 -PA80 -PP -PU40125-sp53-dl24 -PY; size 6257, 92.45% -PO1 -PS443 -PA80 -PP -PU40125-sp53 -PY; size 6255, 92.42% -PO1 -PS443 -PA80 -PP -PU40126-sp53-dl24 -PY; size 6254, 92.41% -PO1 -PS443 -PA80 -PP -PU40126-sp53 -PY; size 6252, 92.38% -PO1 -PS443 -PA80 -PP -PU53-payload2-sp53 -PY; size 6249, 92.33% -PO1 -PS443 -PA80 -PP -PU53-payload1-sp53 -PY; size 6248, 92.32% -PE -PS443 -PA80 -PP -PU40125-sp53-dl24 -PY; size 6241, 92.21% -PE -PS443 -PA80 -PP -PU40125-sp53 -PY; size 6240, 92.20% -PE -PS443 -PA80 -PP -PU53-payload2-sp53 -PY; size 6239, 92.18% -PE -PS443 -PA80 -PP -PU40126-sp53-dl24 -PY; size 6239, 92.18% === 7 probes; found in 8:56:44. * -PO1 -PS443 -PS80 -PA3389 -PP -PU40125-sp53-dl24 -PY; size 6338, 93.65% * -PO1 -PS443 -PS80 -PA3389 -PP -PU40125-sp53 -PY; size 6338, 93.65% -PO1 -PS443 -PS80 -PA3389 -PP -PU40126-sp53-dl24 -PY; size 6335, 93.60% -PO1 -PS443 -PS80 -PA3389 -PP -PU40126-sp53 -PY; size 6335, 93.60% -PO1 -PS443 -PA80 -PP -PU40125-sp53-dl24 -PU161-payload2-sp53 -PY; size 6330, 93.53% -PO1 -PS443 -PS80 -PA21 -PP -PU40125-sp53-dl24 -PY; size 6329, 93.51% -PO1 -PS443 -PS80 -PA3389 -PP -PU53-payload2-sp53 -PY; size 6328, 93.50% -PO1 -PS443 -PS80 -PA21 -PP -PU40125-sp53 -PY; size 6328, 93.50% -PO1 -PS443 -PA80 -PP -PU40125-sp53 -PU161-payload2-sp53 -PY; size 6328, 93.50% -PO1 -PS443 -PS80 -PA3389 -PP -PU53-payload1-sp53 -PY; size 6326, 93.47% === 8 probes When I killed the script, the best was -PO1 -PS443 -PS80 -PA3389 -PP -PU40125-sp53-dl24 -PU161-payload2-sp53 -PY (6410). === 9 probes When I killed the script, the best was -PE -PO1 -PS443 -PS80 -PA3389 -PP -PU40125-sp53-dl24 -PU161-payload2-sp53 -PY (6428).
The -PY
SCTP ping joins the best combinations at size 5. Here are the results without it.
Maximum possible using all 89 probes: 8925. -PE 5553 62.22% -PO1 5500 61.62% -PS443 3914 43.85% -PS80 3751 42.03% -PS110 3571 40.01% -PS21 3491 39.11% -PS22 3412 38.23% -PS3389 3315 37.14% -PP 3213 36.00% -PS40125 3190 35.74% -PS40126 3175 35.57% -PS23 3087 34.59% -PA80 2899 32.48% -PA443 2881 32.28% -PU40125-sp53-dl24 2727 30.55% -PA110 2723 30.51% -PU40126-sp53-dl24 2708 30.34% -PA3389 2708 30.34% -PA40125 2685 30.08% -PA40126 2675 29.97% -PA22 2672 29.94% -PO6 2666 29.87% -PA21 2654 29.74% -PU31338-sp53-dl24 2641 29.59% -PS25 2582 28.93% -PA23 2581 28.92% -PU123-payload1-sp53 2570 28.80% -PU631-sp53-dl24 2561 28.69% -PU40125-sp53 2531 28.36% -PU40126-sp53 2529 28.34% -PU40125-dl24 2510 28.12% -PU40126-dl24 2506 28.08% -PU123-payload1 2490 27.90% -PU53-payload2-sp53 2471 27.69% -PU53-payload2 2453 27.48% -PU31338-sp53 2450 27.45% -PU31338-dl24 2420 27.11% -PU53-payload1-sp53 2404 26.94% -PU631-dl24 2376 26.62% -PU631-sp53 2370 26.55% -PU53-payload1 2349 26.32% -PU1434-payload1-sp53 2329 26.10% -PU161-payload2-sp53 2326 26.06% -PU40125 2320 25.99% -PU40126 2304 25.82% -PU500-payload1-sp53 2270 25.43% -PO17 2232 25.01% -PU31338 2223 24.91% -PU1434-payload1 2189 24.53% -PU161-payload2 2185 24.48% -PU631 2184 24.47% -PU500-payload1 2180 24.43% -PU53-sp53-dl24 2156 24.16% -PU53-sp53 2110 23.64% -PU53-dl24 2082 23.33% -PU123-sp53-dl24 2018 22.61% -PS445 2010 22.52% -PU123-dl24 1978 22.16% -PU53 1955 21.90% -PS139 1945 21.79% -PU161-payload1-sp53 1911 21.41% -PU123-sp53 1835 20.56% -PU161-payload1 1789 20.04% -PU123 1723 19.31% -PA25 1721 19.28% -PA445 1682 18.85% -PU135-payload1-sp53 1651 18.50% -PU135-payload2-sp53 1643 18.41% -PA139 1619 18.14% -PU161-sp53 1605 17.98% -PU161-sp53-dl24 1597 17.89% -PU137-payload1-sp53 1596 17.88% -PU135-payload2 1545 17.31% -PU135-payload1 1542 17.28% -PU138-sp53-dl24 1536 17.21% -PU137-sp53-dl24 1514 16.96% -PU137-payload1 1497 16.77% -PU161-dl24 1481 16.59% -PU161 1481 16.59% -PU138-dl24 1456 16.31% -PU137-dl24 1424 15.96% -PU138-sp53 1377 15.43% -PU137-sp53 1345 15.07% -PU138 1293 14.49% -PU137 1260 14.12% -PO2 792 8.87% -PO150 605 6.78% -PO4 482 5.40% -PM 368 4.12% === 1 probe; found in 0:00:00. * -PE; size 5553, 62.22% -PO1; size 5500, 61.62% -PS443; size 3914, 43.85% -PS80; size 3751, 42.03% -PS110; size 3571, 40.01% -PS21; size 3491, 39.11% -PS22; size 3412, 38.23% -PS3389; size 3315, 37.14% -PP; size 3213, 36.00% -PS40125; size 3190, 35.74% === 2 probes; found in 0:00:00. * -PE -PS443; size 6777, 75.93% -PO1 -PS443; size 6724, 75.34% -PE -PS80; size 6663, 74.66% -PO1 -PS80; size 6609, 74.05% -PE -PS21; size 6605, 74.01% -PE -PS110; size 6580, 73.73% -PE -PA80; size 6567, 73.58% -PO1 -PS21; size 6554, 73.43% -PE -PS22; size 6544, 73.32% -PO1 -PS110; size 6520, 73.05% === 3 probes; found in 0:00:00. * -PE -PS443 -PA80; size 7318, 81.99% -PE -PS443 -PP; size 7311, 81.92% -PO1 -PS443 -PP; size 7277, 81.54% -PO1 -PS443 -PA80; size 7264, 81.39% -PE -PS443 -PA3389; size 7241, 81.13% -PE -PS443 -PA110; size 7228, 80.99% -PE -PS21 -PA80; size 7225, 80.95% -PE -PS443 -PA21; size 7220, 80.90% -PE -PS443 -PA40125; size 7219, 80.89% -PE -PS443 -PA40126; size 7216, 80.85% === 4 probes; found in 0:00:13. * -PE -PS443 -PP -PA80; size 7778, 87.15% -PO1 -PS443 -PP -PA80; size 7745, 86.78% -PE -PS443 -PP -PA3389; size 7735, 86.67% -PE -PS443 -PP -PA110; size 7722, 86.52% -PE -PS443 -PP -PA21; size 7714, 86.43% -PE -PS443 -PP -PA40125; size 7713, 86.42% -PE -PS443 -PP -PA40126; size 7710, 86.39% -PE -PS443 -PP -PA22; size 7705, 86.33% -PO1 -PS443 -PP -PA3389; size 7703, 86.31% -PE -PS443 -PP -PO6; size 7700, 86.27% === 5 probes; found in 0:03:50. * -PE -PS443 -PP -PA80 -PU40125-sp53-dl24; size 8005, 89.69% * -PE -PS443 -PP -PA80 -PU40125-sp53; size 8005, 89.69% * -PE -PS443 -PP -PA80 -PU161-payload2-sp53; size 8005, 89.69% -PE -PS443 -PP -PA80 -PU40126-sp53-dl24; size 8004, 89.68% -PE -PS443 -PP -PA80 -PU53-payload1-sp53; size 8001, 89.65% -PE -PS443 -PP -PA80 -PU53-payload2-sp53; size 8000, 89.64% -PE -PS443 -PP -PA80 -PU40126-sp53; size 7996, 89.59% -PO1 -PS443 -PP -PA80 -PU40125-sp53-dl24; size 7973, 89.33% -PO1 -PS443 -PP -PA80 -PU40126-sp53-dl24; size 7968, 89.28% -PO1 -PS443 -PP -PA80 -PU40125-sp53; size 7968, 89.28% === 6 probes; found in 0:52:47. * -PE -PS443 -PS80 -PP -PA3389 -PU161-payload2-sp53; size 8160, 91.43% -PE -PS443 -PS80 -PP -PU40126-sp53-dl24 -PA3389; size 8156, 91.38% -PE -PS443 -PS80 -PP -PU40125-sp53-dl24 -PA3389; size 8156, 91.38% -PE -PS443 -PS80 -PP -PA3389 -PU40125-sp53; size 8156, 91.38% -PE -PS443 -PP -PA80 -PU40125-sp53-dl24 -PU161-payload2-sp53; size 8153, 91.35% -PE -PS443 -PS80 -PP -PA3389 -PU40126-sp53; size 8150, 91.32% -PE -PS443 -PP -PA80 -PU40125-sp53 -PU161-payload2-sp53; size 8149, 91.31% -PE -PS443 -PS80 -PP -PA21 -PU161-payload2-sp53; size 8147, 91.28% -PE -PS443 -PP -PA80 -PU53-payload1-sp53 -PU161-payload2-sp53; size 8147, 91.28% -PE -PS443 -PP -PA80 -PU40126-sp53-dl24 -PU161-payload2-sp53; size 8146, 91.27% === 7 probes; found in 10:33:58. * -PE -PS443 -PS80 -PP -PU40125-sp53-dl24 -PA3389 -PU161-payload2-sp53; size 8302, 93.02% -PE -PS443 -PS80 -PP -PA3389 -PU40125-sp53 -PU161-payload2-sp53; size 8299, 92.99% -PE -PS443 -PS80 -PP -PU40126-sp53-dl24 -PA3389 -PU161-payload2-sp53; size 8295, 92.94% -PE -PS443 -PS80 -PP -PA3389 -PU40126-sp53 -PU161-payload2-sp53; size 8294, 92.93% -PE -PS443 -PS80 -PP -PU40125-sp53-dl24 -PA21 -PU161-payload2-sp53; size 8292, 92.91% -PE -PS443 -PS80 -PP -PA3389 -PU53-payload1-sp53 -PU161-payload2-sp53; size 8289, 92.87% -PE -PS443 -PS80 -PP -PU40125-sp53-dl24 -PA110 -PU161-payload2-sp53; size 8288, 92.86% -PE -PS443 -PS80 -PP -PA21 -PU40125-sp53 -PU161-payload2-sp53; size 8288, 92.86% -PE -PS443 -PS80 -PP -PU40126-sp53-dl24 -PA21 -PU161-payload2-sp53; size 8285, 92.83% -PE -PS443 -PS80 -PP -PU40125-sp53-dl24 -PA40125 -PU161-payload2-sp53; size 8285, 92.83% === 8 probes When I killed the script, the best was -PE -PS443 -PS80 -PS3389 -PP -PU40125-sp53-dl24 -PA21 -PU161-payload2-sp53 (8385).
Maximum possible using all 89 probes: 6699. -PE 4185 62.47% -PO1 4145 61.87% -PS443 2959 44.17% -PA80 2899 43.28% -PA443 2881 43.01% -PS80 2845 42.47% -PA110 2723 40.65% -PA3389 2708 40.42% -PS110 2707 40.41% -PA40125 2685 40.08% -PA40126 2675 39.93% -PA22 2672 39.89% -PO6 2666 39.80% -PS21 2654 39.62% -PA21 2654 39.62% -PS22 2596 38.75% -PA23 2581 38.53% -PS3389 2512 37.50% -PP 2456 36.66% -PS40125 2419 36.11% -PS40126 2409 35.96% -PS23 2344 34.99% -PU40125-sp53-dl24 2088 31.17% -PU40126-sp53-dl24 2064 30.81% -PU31338-sp53-dl24 2007 29.96% -PU631-sp53-dl24 1946 29.05% -PU123-payload1-sp53 1943 29.00% -PU40125-sp53 1936 28.90% -PU40126-sp53 1932 28.84% -PU40125-dl24 1919 28.65% -PU40126-dl24 1912 28.54% -PU123-payload1 1899 28.35% -PU53-payload2-sp53 1878 28.03% -PU53-payload2 1875 27.99% -PU31338-sp53 1866 27.85% -PU31338-dl24 1853 27.66% -PU53-payload1-sp53 1820 27.17% -PU631-dl24 1819 27.15% -PU631-sp53 1803 26.91% -PU53-payload1 1797 26.82% -PU1434-payload1-sp53 1769 26.41% -PU40125 1767 26.38% -PU40126 1764 26.33% -PU161-payload2-sp53 1753 26.17% -PS25 1748 26.09% -PU500-payload1-sp53 1722 25.71% -PA25 1721 25.69% -PU31338 1698 25.35% -PO17 1697 25.33% -PA445 1682 25.11% -PU1434-payload1 1678 25.05% -PU161-payload2 1667 24.88% -PU500-payload1 1665 24.85% -PU631 1655 24.71% -PA139 1619 24.17% -PU53-sp53-dl24 1618 24.15% -PU53-sp53 1604 23.94% -PU53-dl24 1581 23.60% -PS445 1542 23.02% -PU123-sp53-dl24 1539 22.97% -PU123-dl24 1518 22.66% -PU53 1487 22.20% -PS139 1473 21.99% -PU161-payload1-sp53 1454 21.70% -PU123-sp53 1398 20.87% -PU161-payload1 1373 20.50% -PU123 1326 19.79% -PU135-payload2-sp53 1252 18.69% -PU135-payload1-sp53 1252 18.69% -PU161-sp53 1227 18.32% -PU161-sp53-dl24 1215 18.14% -PU137-payload1-sp53 1214 18.12% -PU135-payload2 1186 17.70% -PU135-payload1 1183 17.66% -PU138-sp53-dl24 1163 17.36% -PU137-sp53-dl24 1148 17.14% -PU137-payload1 1145 17.09% -PU161-dl24 1141 17.03% -PU161 1138 16.99% -PU138-dl24 1107 16.52% -PU137-dl24 1081 16.14% -PU138-sp53 1037 15.48% -PU137-sp53 1021 15.24% -PU138 975 14.55% -PU137 968 14.45% -PO2 609 9.09% -PO150 605 9.03% -PO4 482 7.20% -PM 282 4.21% === 1 probe; found in 0:00:00. * -PE; size 4185, 62.47% -PO1; size 4145, 61.87% -PS443; size 2959, 44.17% -PA80; size 2899, 43.28% -PA443; size 2881, 43.01% -PS80; size 2845, 42.47% -PA110; size 2723, 40.65% -PA3389; size 2708, 40.42% -PS110; size 2707, 40.41% -PA40125; size 2685, 40.08% === 2 probes; found in 0:00:00. * -PE -PA80; size 5199, 77.61% -PO1 -PA80; size 5163, 77.07% -PE -PA443; size 5145, 76.80% -PO1 -PA443; size 5110, 76.28% -PE -PS443; size 5075, 75.76% -PE -PA21; size 5057, 75.49% -PE -PA22; size 5049, 75.37% -PO1 -PS443; size 5048, 75.35% -PE -PA3389; size 5046, 75.32% -PE -PA110; size 5046, 75.32% === 3 probes; found in 0:00:00. * -PE -PS443 -PA80; size 5616, 83.83% -PO1 -PS443 -PA80; size 5588, 83.42% -PE -PA80 -PS21; size 5578, 83.27% -PE -PA80 -PS110; size 5555, 82.92% -PO1 -PA80 -PS21; size 5542, 82.73% -PE -PS443 -PA3389; size 5539, 82.68% -PE -PA80 -PS22; size 5534, 82.61% -PE -PA80 -PP; size 5527, 82.50% -PE -PS443 -PA110; size 5526, 82.49% -PO1 -PA80 -PS110; size 5525, 82.47% === 4 probes; found in 0:00:10. * -PE -PS443 -PA80 -PP; size 5938, 88.64% -PO1 -PS443 -PA80 -PP; size 5921, 88.39% -PE -PA80 -PS21 -PP; size 5899, 88.06% -PE -PS443 -PA3389 -PP; size 5895, 88.00% -PE -PS443 -PA110 -PP; size 5882, 87.80% -PO1 -PS443 -PA3389 -PP; size 5879, 87.76% -PO1 -PA80 -PS21 -PP; size 5876, 87.71% -PE -PA80 -PS110 -PP; size 5875, 87.70% -PE -PS443 -PA21 -PP; size 5874, 87.68% -PE -PS443 -PA40125 -PP; size 5873, 87.67% === 5 probes; found in 0:02:51. * -PE -PS443 -PA80 -PP -PU161-payload2-sp53; size 6106, 91.15% -PE -PS443 -PA80 -PP -PU40125-sp53-dl24; size 6105, 91.13% -PE -PS443 -PA80 -PP -PU40125-sp53; size 6104, 91.12% -PE -PS443 -PA80 -PP -PU53-payload2-sp53; size 6103, 91.10% -PE -PS443 -PA80 -PP -PU40126-sp53-dl24; size 6103, 91.10% -PE -PS443 -PA80 -PP -PU53-payload1-sp53; size 6100, 91.06% -PE -PS443 -PA80 -PP -PU40126-sp53; size 6099, 91.04% -PO1 -PS443 -PA80 -PP -PU40125-sp53-dl24; size 6089, 90.89% -PO1 -PS443 -PA80 -PP -PU40125-sp53; size 6087, 90.86% -PO1 -PS443 -PA80 -PP -PU40126-sp53-dl24; size 6085, 90.83% === 6 probes; found in 0:43:47. * -PE -PS443 -PA80 -PP -PU40125-sp53-dl24 -PU161-payload2-sp53; size 6210, 92.70% -PE -PS443 -PA80 -PP -PU40125-sp53 -PU161-payload2-sp53; size 6208, 92.67% -PE -PS443 -PA80 -PP -PU53-payload1-sp53 -PU161-payload2-sp53; size 6207, 92.66% -PE -PS443 -PA80 -PP -PU40126-sp53-dl24 -PU161-payload2-sp53; size 6206, 92.64% -PE -PS443 -PA80 -PP -PU40126-sp53 -PU161-payload2-sp53; size 6204, 92.61% -PE -PS443 -PA80 -PP -PU53-payload2-sp53 -PU161-payload2-sp53; size 6203, 92.60% -PE -PS443 -PA80 -PP -PU40125-sp53-dl24 -PU161-payload2; size 6198, 92.52% -PE -PS443 -PA80 -PP -PU40125-sp53 -PU161-payload2; size 6196, 92.49% -PE -PS443 -PS80 -PA3389 -PP -PU161-payload2-sp53; size 6195, 92.48% -PE -PS443 -PA80 -PP -PU53-payload2-sp53 -PU161-payload2; size 6195, 92.48% === 7 probes When I killed the script, the best was -PE -PS443 -PS80 -PA3389 -PP -PU40125-sp53-dl24 -PU161-payload2-sp53 (6294).
This was a check to see if the diminished number of hosts in the May 25 scans were caused by the addition of the SCTP code or just normal network variation. It was done with nmap-payloads r13439.
The number of hosts found is close to that found by the no-SCTP scan done on May 25 (8925 then, 8976 now). So the SCTP code appears not to have had an effect on accuracy. Another possible explanation was that it was caused by the merge from trunk in r13383, but I think it is more likely that it was caused by the two-week interval between the May 10 and May 25 scans.
Maximum possible using all 89 probes: 8976. -PE 5565 62.00% -PO1 5487 61.13% -PS443 3834 42.71% -PS80 3726 41.51% -PS110 3509 39.09% -PS21 3461 38.56% -PS22 3403 37.91% -PS3389 3304 36.81% -PP 3194 35.58% -PS40125 3137 34.95% -PS40126 3134 34.92% -PS23 3076 34.27% -PA80 2879 32.07% -PA443 2842 31.66% -PA110 2691 29.98% -PA3389 2677 29.82% -PU40126-sp53-dl24 2670 29.75% -PU40125-sp53-dl24 2670 29.75% -PA21 2657 29.60% -PA40126 2651 29.53% -PO6 2650 29.52% -PA40125 2650 29.52% -PA22 2646 29.48% -PU31338-sp53-dl24 2603 29.00% -PA23 2581 28.75% -PU123-payload1-sp53 2529 28.18% -PU40126-sp53 2522 28.10% -PU40125-sp53 2518 28.05% -PS25 2516 28.03% -PU53-payload2-sp53 2509 27.95% -PU631-sp53-dl24 2507 27.93% -PU53-payload2 2488 27.72% -PU53-payload1-sp53 2473 27.55% -PU40126-dl24 2465 27.46% -PU31338-sp53 2460 27.41% -PU40125-dl24 2449 27.28% -PU123-payload1 2426 27.03% -PU53-payload1 2425 27.02% -PU31338-dl24 2400 26.74% -PU631-sp53 2364 26.34% -PU631-dl24 2329 25.95% -PU1434-payload1-sp53 2293 25.55% -PU40126 2279 25.39% -PU40125 2279 25.39% -PU500-payload1-sp53 2278 25.38% -PU161-payload2-sp53 2265 25.23% -PU53-dl24 2221 24.74% -PU31338 2211 24.63% -PU53-sp53-dl24 2207 24.59% -PO17 2206 24.58% -PU500-payload1 2198 24.49% -PU1434-payload1 2160 24.06% -PU53-sp53 2146 23.91% -PU161-payload2 2138 23.82% -PU631 2136 23.80% -PS445 2011 22.40% -PU53 1979 22.05% -PS139 1969 21.94% -PU123-sp53-dl24 1959 21.82% -PU123-dl24 1893 21.09% -PU161-payload1-sp53 1853 20.64% -PU123-sp53 1816 20.23% -PU135-payload1-sp53 1722 19.18% -PU135-payload2-sp53 1713 19.08% -PU161-payload1 1712 19.07% -PU123 1708 19.03% -PA445 1691 18.84% -PA25 1690 18.83% -PA139 1651 18.39% -PU137-payload1-sp53 1627 18.13% -PU135-payload2 1623 18.08% -PU135-payload1 1618 18.03% -PU138-sp53-dl24 1552 17.29% -PU161-sp53 1550 17.27% -PU161-sp53-dl24 1547 17.23% -PU137-payload1 1541 17.17% -PU137-sp53-dl24 1515 16.88% -PU137-dl24 1449 16.14% -PU138-dl24 1437 16.01% -PU161 1426 15.89% -PU161-dl24 1423 15.85% -PU138-sp53 1423 15.85% -PU137-sp53 1412 15.73% -PU138 1330 14.82% -PU137 1320 14.71% -PO2 823 9.17% -PO150 642 7.15% -PO4 536 5.97% -PM 338 3.77%