Nmap qscan NSE Script
This page contains detailed information about how to use the qscan NSE script. For list of all NSE scripts, visit the Nmap NSE Library.
Select: |
---|
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/qscan.nse
Script categories: safe, discovery
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Script Description
Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or "families") may be due to network mechanisms such as port forwarding to machines behind a NAT.
In order to group these ports into different families, some statistical values must be computed. Among these values are the mean and standard deviation of the round-trip times for each port. Once all of the times have been recorded and these values have been computed, the Student's t-test is used to test the statistical significance of the differences between each port's data. Ports which have round-trip times that are statistically the same are grouped together in the same family.
This script is based on Doug Hoyte's Qscan documentation and patches for Nmap.
Qscan NSE Script Arguments
This is a full list of arguments supported by the qscan.nse script:
confidence
Confidence level: 0.75
, 0.9
, 0.95
, 0.975
, 0.99
, 0.995
, or 0.9995
.
Average delay between packet sends. This is a number followed by ms
for milliseconds or s
for seconds. (m
and h
are also supported but are too long for timeouts.) The actual delay will randomly vary between 50% and 150% of the time specified. Default: 200ms
.
Maximum number of closed ports to probe (default 1). A negative number disables the limit.
numopenMaximum number of open ports to probe (default 8). A negative number disables the limit.
numtripsNumber of round-trip times to try to get.
- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..]
syntax. For example:
nmap --script=qscan --script-args confidence=value,delay=value <target>
Qscan NSE Script Example Usage
Here's an example of how to use the qscan.nse script:
nmap --script qscan --script-args qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10 target
Qscan NSE Script Example Output
Here's a sample output from the qscan.nse script:
| qscan:
| PORT FAMILY MEAN (us) STDDEV LOSS (%)
| 21 0 2082.70 460.72 0.0%
| 22 0 2211.70 886.69 0.0%
| 23 1 4631.90 606.67 0.0%
| 24 0 1922.40 336.90 0.0%
| 25 0 2017.30 404.31 0.0%
| 80 1 4180.80 856.98 0.0%
|_443 0 2013.30 368.91 0.0%
Qscan NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file>
option, Nmap will produce a XML output and save it in the file.xml
file.
Author
- Kris Katterjohn
References
- https://nmap.org/nsedoc/scripts/qscan.html
- https://github.com/nmap/nmap/tree/master/scripts/qscan.nse
- http://hcsw.org/nmap/QSCAN
- http://www.owlnet.rice.edu/~elec428/projects/tinv.c
See Also
Visit Nmap NSE Library for more scripts.
The qscan.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.
Invalid confidence level
Here is a relevant code snippet related to the "Invalid confidence level" error message:
307:
308: if conf ~= 0.75 and conf ~= 0.9 and
309: conf ~= 0.95 and conf ~= 0.975 and
310: conf ~= 0.99 and conf ~= 0.995 and conf ~= 0.9995 then
311: bool = false
312: err = "Invalid confidence level"
313: end
314:
315: if not delay then
316: bool = false
317: err = "Invalid delay"
Invalid delay
Here is a relevant code snippet related to the "Invalid delay" error message:
312: err = "Invalid confidence level"
313: end
314:
315: if not delay then
316: bool = false
317: err = "Invalid delay"
318: end
319:
320: if numtrips < 3 then
321: bool = false
322: err = "Invalid number of trips (should be >= 3)"
Invalid number of trips (should be >= 3)
Here is a relevant code snippet related to the "Invalid number of trips (should be >= 3)" error message:
317: err = "Invalid delay"
318: end
319:
320: if numtrips < 3 then
321: bool = false
322: err = "Invalid number of trips (should be >= 3)"
323: end
324:
325: if bool then
326: return bool, conf, delay, numtrips
327: else
Version
This page has been created based on Nmap version 7.92.
Go back to menu.