Nmap Development mailing list archives
Re: Good nmap timeout values for port scans of filtering hosts on local LAN
From: H D Moore <hdm () secureaustin com>
Date: Mon, 6 Aug 2001 14:11:26 -0500
If you already know your max rtt time, try setting your initial_rtt_timeout to
something very small (like 5). The following tests show that no max timeout
took about a minute, a max timeout of 50 took over two minutes, and a very
small initial timeout plus a max timeout of 50 took _4_ seconds ;)
The target in this case was a machine filtering everything but 22 on the LAN.
sliver:~ # time nmap -sS -p1-100 -v -v -O 192.168.0.65 -P0 -n
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Host (192.168.0.65) appears to be up ... good.
Initiating SYN Stealth Scan against (192.168.0.65)
Adding open port 22/tcp
The SYN Stealth Scan took 49 seconds to scan 100 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 22 is open and port 30618 is closed and neither are firewalled
Interesting ports on (192.168.0.65):
(The 99 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
OS Fingerprint:
TSeq(Class=RI%gcd=2%SI=1EE615%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
Uptime 1.199 days (since Sun Aug 5 13:09:58 2001)
TCP Sequence Prediction: Class=random positive increments
Difficulty=2024981 (Good luck!)
TCP ISN Seq. Numbers: 96420653 9667CC5B 95E5977D 96953D9B 96A1081B 96D185EB
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 53 seconds
real 0m53.308s
user 0m0.090s
sys 0m0.020s
sliver:~ # time nmap -sS -p1-100 -v -v -O 192.168.0.65 -P0 -n --max_rtt_timeout=50
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Host (192.168.0.65) appears to be up ... good.
Initiating SYN Stealth Scan against (192.168.0.65)
Adding open port 22/tcp
The SYN Stealth Scan took 122 seconds to scan 100 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 22 is open and port 31261 is closed and neither are firewalled
Interesting ports on (192.168.0.65):
(The 99 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=21B201%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
Uptime 1.201 days (since Sun Aug 5 13:09:58 2001)
TCP Sequence Prediction: Class=random positive increments
Difficulty=2208257 (Good luck!)
TCP ISN Seq. Numbers: 9ED8CCD1 9F064703 9F23ABB7 9EB5DEB2 9E9B5AE5
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 124 seconds
real 2m3.978s
user 0m0.080s
sys 0m0.020s
sliver:~ # time nmap -sS -p1-100 -v -v -O 192.168.0.65 -P0 -n --max_rtt_timeout=50 --initial_rtt_timeout=5
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Host (192.168.0.65) appears to be up ... good.
Initiating SYN Stealth Scan against (192.168.0.65)
Adding open port 22/tcp
The SYN Stealth Scan took 3 seconds to scan 100 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 22 is open and port 34637 is closed and neither are firewalled
Interesting ports on (192.168.0.65):
(The 99 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=197B2A%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
Uptime 1.202 days (since Sun Aug 5 13:09:58 2001)
TCP Sequence Prediction: Class=random positive increments
Difficulty=1669930 (Good luck!)
TCP ISN Seq. Numbers: A27DF379 A2CE22B0 A24361C6 A1E5AC5A A26CCB76
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
real 0m4.427s
user 0m0.070s
sys 0m0.040s
On Mon, 6 Aug 2001 10:31:22 -0600
Alek Komarnitsky <alek () komar org> wrote:
> I thought this would be easy to fix ... simply crank down max_rtt_timeout; especially since all the machines are on the local LAN. However, setting this to 50 (milliseconds) rather than the default 9000 didn't show any wall-time difference on a scan of 100 ports. If I set this to 5, nmap returned in a second or two ... but the results were quite variable and consistently wrong on a few random ports.
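As an added example (not part of HD Moore's message), a small Python parser that pulls the --initial_rtt_timeout / --max_rtt_timeout options and the reported scan times out of `time nmap ...` transcripts like the three above, so that different timeout settings can be compared on seconds per filtered port and on wall-clock speedup; the embedded transcript is a constructed trim of the three runs posted above, keeping only the lines the parser needs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the three runs in the message above, trimmed to the
# lines this parser reads; the figures are the ones HD Moore reported.
RUNS = """\
sliver:~ # time nmap -sS -p1-100 -v -v -O 192.168.0.65 -P0 -n
The SYN Stealth Scan took 49 seconds to scan 100 ports.
(The 99 ports scanned but not shown below are in state: filtered)
real 0m53.308s
sliver:~ # time nmap -sS -p1-100 -v -v -O 192.168.0.65 -P0 -n --max_rtt_timeout=50
The SYN Stealth Scan took 122 seconds to scan 100 ports.
(The 99 ports scanned but not shown below are in state: filtered)
real 2m3.978s
sliver:~ # time nmap -sS -p1-100 -v -v -O 192.168.0.65 -P0 -n --max_rtt_timeout=50 --initial_rtt_timeout=5
The SYN Stealth Scan took 3 seconds to scan 100 ports.
(The 99 ports scanned but not shown below are in state: filtered)
real 0m4.427s
"""

@dataclass
class Run:
    initial_rtt: Optional[int]  # --initial_rtt_timeout in ms; None = nmap default
    max_rtt: Optional[int]      # --max_rtt_timeout in ms; None = nmap default
    scan_seconds: int           # "The SYN Stealth Scan took N seconds"
    ports: int                  # ports covered by the scan
    filtered: int               # ports reported as filtered (no reply at all)
    real_seconds: float         # wall clock from the shell's `time` builtin

def _opt(cmd: str, name: str) -> Optional[int]:
    m = re.search(r"--%s=(\d+)" % name, cmd)
    return int(m.group(1)) if m else None

def parse_runs(text: str) -> list:
    """Split a transcript on shell prompts ("host:~ # ") into one Run per command."""
    runs = []
    for chunk in re.split(r"(?m)^\S+ # ", text)[1:]:
        cmd = chunk.splitlines()[0]
        took = re.search(r"took (\d+) seconds to scan (\d+) ports", chunk)
        filt = re.search(r"\(The (\d+) ports scanned .* filtered\)", chunk)
        real = re.search(r"^real (\d+)m([\d.]+)s", chunk, re.M)
        runs.append(Run(_opt(cmd, "initial_rtt_timeout"), _opt(cmd, "max_rtt_timeout"),
                        int(took.group(1)), int(took.group(2)),
                        int(filt.group(1)) if filt else 0,
                        int(real.group(1)) * 60 + float(real.group(2))))
    return runs

def seconds_per_filtered_port(run: Run) -> float:
    """Cost of each non-responding port: the timeout budget actually spent on it."""
    return run.scan_seconds / run.filtered if run.filtered else 0.0

def speedup_vs_first(runs: list) -> list:
    """Wall-clock speedup of every run relative to the first (default-timeout) run."""
    base = runs[0].real_seconds
    return [round(base / r.real_seconds, 1) for r in runs]
```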