Very thorough and insightful response - appreciate the effort, and totally understood that it may be a wontfix.

For the first two alternatives - the "not much of an additional burden to scan them all again" argument, and the "you might miss some" argument - I'd like to argue that there are other use cases in play for some users. Specifically:

• It may sometimes be the noise / detectability of the scan that the user wants to minimize.

• It may not be "again". 😄 For some use cases, there is value in assembling a list of targets & ports to be used for an initial scan.

The workaround - lots of single-port scans - would be the same for these, of course. :) But it may at least slightly shift the value proposition of bringing such functionality into nmap itself. :)

Also, naively: instead of modifying ultrascan, could a different structure entirely be invoked when importing this kind of target set?

@roycewilliams Yes, I hadn't considered that use case: validating external results

Regarding using a different scan engine besides ultrascan: yes, there are a few other parts of Nmap that are built as separate scan engines, namely idle scan and FTP bounce scan. As a whole, though, the goal of Nmap's developers has been to unify scan engines into ultrascan, since it has some excellent properties like global congestion control and tunable timing that are tricky to work into new code.

I've had situations where I've wanted this feature, but most of the time I've managed to work around it.

Let's say you've run an asynchronous port scanner such as masscan at a fixed rate across 1024 IP addresses (/22) with all 65536 TCP ports. Assume that in this scenario you don't mind sacrificing some accuracy for quicker results.

You then know (roughly) what ports are open on what IP addresses.

You could then run Nmap only against the specific set of open ports per IP address (what this feature request is about).

Instead, I just get the union of all open port numbers, and then run Nmap with that set of ports against the full range again (with service detection, version detection, scripts etc.). Usually, that set is less than 100 unique port numbers, and so the Nmap port scanning phase finishes fairly quickly. For me, this has worked well enough that I don't really feel the need for this feature anymore.

@djcater Totally - that's an excellent approach for some of the use cases. But since a masscan against all ports isn't exactly "minimal noise" ;), and since that technique makes the nmap phase effectively a rescan, it's less of a match for the use case points that I mention in my follow-up note above.

Perl script to accumulate unique ports and targets from an input file and launch one nmap scan against all of them:

perl -lanE'END{$,="\n";open$i,">ips";say$i keys%h;exec"nmap -iL ips -p".join(",",keys%p)}$h{$F[0]}=$p{$F[1]}=1' input.txt

That's not a Perl script - that's a Perl one-liner that wants to be a script someday. ;)

Kidding aside - interesting! This reduces the scan to a superset of all ports seen for any IP in the list? If so, that's a useful middle ground on the way to the desired use case.

What's the expected input format?

@roycewilliams Yes, that's what it does. Input is whitespace-separated IP and port number, one per line. It was a bit of a joke in response to some folks elsewhere recommending 15-line bash scripts to launch one scan per IP/port pair, which would of course take much too long.

A patch has been proposed for this feature on the Nmap-dev mailing list: https://seclists.org/nmap-dev/2019/q2/2

I have not reviewed it yet, but if anyone is interested in trying it out I would love to hear their thoughts.