Categories: safe, discovery
Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or "families") may be due to network mechanisms such as port forwarding to machines behind a NAT.
In order to group these ports into different families, some statistical values must be computed. Among these values are the mean and standard deviation of the round-trip times for each port. Once all of the times have been recorded and these values have been computed, the Student's t-test is used to test the statistical significance of the differences between each port's data. Ports which have round-trip times that are statistically the same are grouped together in the same family.
This script is based on Doug Hoyte's Qscan documentation and patches for Nmap.
Maximum number of closed ports to probe (default 1). A negative number disables the limit.
Maximum number of open ports to probe (default 8). A negative number disables the limit.
Number of round-trip times to try to get.
Average delay between packet sends. This is a number followed by
msfor milliseconds or
sfor seconds. (
hare also supported but are too long for timeouts.) The actual delay will randomly vary between 50% and 150% of the time specified. Default:
nmap --script qscan --script-args qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10 target
| qscan: | PORT FAMILY MEAN (us) STDDEV LOSS (%) | 21 0 2082.70 460.72 0.0% | 22 0 2211.70 886.69 0.0% | 23 1 4631.90 606.67 0.0% | 24 0 1922.40 336.90 0.0% | 25 0 2017.30 404.31 0.0% | 80 1 4180.80 856.98 0.0% |_443 0 2013.30 368.91 0.0%
License: Same as Nmap--See https://nmap.org/book/man-legal.html