Nmap qscan NSE Script


This page contains detailed information about how to use the qscan NSE script. For list of all NSE scripts, visit the Nmap NSE Library.

Select:
Overview
Error Messages

Script Overview

Script source code: https://github.com/nmap/nmap/tree/master/scripts/qscan.nse
Script categories: safe, discovery
Target service / protocol: -
Target network port(s): -
List of CVEs: -

Script Description

Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or "families") may be due to network mechanisms such as port forwarding to machines behind a NAT.

In order to group these ports into different families, some statistical values must be computed. Among these values are the mean and standard deviation of the round-trip times for each port. Once all of the times have been recorded and these values have been computed, the Student's t-test is used to test the statistical significance of the differences between each port's data. Ports which have round-trip times that are statistically the same are grouped together in the same family.

This script is based on Doug Hoyte's Qscan documentation and patches for Nmap.

Qscan NSE Script Arguments

This is a full list of arguments supported by the qscan.nse script:

confidence

Confidence level: 0.75, 0.9, 0.95, 0.975, 0.99, 0.995, or 0.9995.

delay

Average delay between packet sends. This is a number followed by ms for milliseconds or s for seconds. (m and h are also supported but are too long for timeouts.) The actual delay will randomly vary between 50% and 150% of the time specified. Default: 200ms.

numclosed

Maximum number of closed ports to probe (default 1). A negative number disables the limit.

numopen

Maximum number of open ports to probe (default 8). A negative number disables the limit.

numtrips

Number of round-trip times to try to get.

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=qscan --script-args confidence=value,delay=value <target>

Qscan NSE Script Example Usage

Here's an example of how to use the qscan.nse script:

nmap --script qscan --script-args qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10 target

Qscan NSE Script Example Output

Here's a sample output from the qscan.nse script:

| qscan:
| PORT  FAMILY  MEAN (us)  STDDEV  LOSS (%)
| 21    0       2082.70    460.72  0.0%
| 22    0       2211.70    886.69  0.0%
| 23    1       4631.90    606.67  0.0%
| 24    0       1922.40    336.90  0.0%
| 25    0       2017.30    404.31  0.0%
| 80    1       4180.80    856.98  0.0%
|_443   0       2013.30    368.91  0.0%

Qscan NSE Script Example XML Output

There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce a XML output and save it in the file.xml file.

Author

  • Kris Katterjohn

References

See Also

Visit Nmap NSE Library for more scripts.

The qscan.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.

Invalid confidence level

Here is a relevant code snippet related to the "Invalid confidence level" error message:

307:	
308:	  if conf ~= 0.75 and conf ~= 0.9 and
309:	      conf ~= 0.95 and conf ~= 0.975 and
310:	      conf ~= 0.99 and conf ~= 0.995 and conf ~= 0.9995 then
311:	    bool = false
312:	    err = "Invalid confidence level"
313:	  end
314:	
315:	  if not delay then
316:	    bool = false
317:	    err = "Invalid delay"

Invalid delay

Here is a relevant code snippet related to the "Invalid delay" error message:

312:	    err = "Invalid confidence level"
313:	  end
314:	
315:	  if not delay then
316:	    bool = false
317:	    err = "Invalid delay"
318:	  end
319:	
320:	  if numtrips < 3 then
321:	    bool = false
322:	    err = "Invalid number of trips (should be >= 3)"

Invalid number of trips (should be >= 3)

Here is a relevant code snippet related to the "Invalid number of trips (should be >= 3)" error message:

317:	    err = "Invalid delay"
318:	  end
319:	
320:	  if numtrips < 3 then
321:	    bool = false
322:	    err = "Invalid number of trips (should be >= 3)"
323:	  end
324:	
325:	  if bool then
326:	    return bool, conf, delay, numtrips
327:	  else

Version

This page has been created based on Nmap version 7.92.

Go back to menu.