Nmap Development mailing list archives

Re: what trickery can nmap take 20 hours to scan 1 host!!


From: Jan Engelhardt <jengelh () linux01 gwdg de>
Date: Mon, 23 Apr 2007 12:19:16 +0200 (MEST)

Hi,


On Apr 23 2007 10:14, Hari Sekhon wrote:

> thanks for your replies guys, I am aware of timing setting, I usually
> use -T4 locally but leave -T3 for cross internet.
>
> I had a peek at that url regarding chaos tables. It looks
> interesting but it doesn't explain how it foils port scanners.

http://jengelh.hopto.org/p/chaostables/fw.html#se7
Section 7, I quote myself: "When the rate limit kicks in, nmap
throttles its scan timing to accommodate for this to not lose scan
result accuracy."

> Also, isn't nmap just supposed to give up and move on to the next
> port if it doesn't get a response? If it does get a response then it
> should move straight on to the next port since it doesn't need to
> reply,

With increased -T n, yes, it moves on quicker -
but at the cost of missing late packets.

That is correct. But xt_CHAOS(!) returns something (using
DELUDE/TARPIT) *sometimes*, and sometimes *not*, making nmap wait on
roughly 98% of all ports (by default) [and giving back false results
for the other 1-2%].
xt_DELUDE or ipt_TARPIT alone do not slow it, as you noticed:

> therefore tarpit persist tricks don't work (I know, I've tried
> scanning a tarpit of mine: I scanned all 65535 ports in seconds cos
> the time-wasting packets were ignored in the SYN scan)
>
>
> I'm still at a bit of a loss here.
>
> I suppose it's possible that a bot-ridden computer didn't have the
> resources to respond, but I would still expect nmap to move on after a
> little time, hence it should never take 20 hours to scan 1 host...
>
> -h
>
> Hari Sekhon




Jan
-- 

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
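As an added illustration of the point made in the message above (a target that answers only some probes throttles the scanner, while one that answers every probe, even a tarpit, does not), here is a toy model of a parallel scanner with congestion control. It is not nmap's code: the throttling rule, the window sizes, the timeout and retry counts, and the port behaviours are all assumptions constructed for the example.

```python
import random

def simulate_scan(answer_prob, ports=2000, timeout=1.0, retries=2,
                  rtt=0.02, seed=7):
    """Scan `ports` ports against a target that answers each probe with
    probability `answer_prob` (1.0: every probe gets an immediate RST or
    tarpit SYN/ACK; 0.02: CHAOS-like, ~98% of probes simply vanish).

    Assumed scanner behaviour (a simplification, not nmap's code): it keeps
    a congestion window `cwnd` of probes in flight, grows it by one per
    answer and halves it whenever a probe times out, so silence throttles
    the scan the way a rate limit would.
    Returns (seconds, answered_ports, filtered_ports).
    """
    rng = random.Random(seed)            # constructed, deterministic input
    cwnd, cwnd_max = 1.0, 300.0
    attempts = [0] * ports               # probes sent so far, per port
    queue = list(range(ports))           # ports still unresolved
    answered_ports, filtered_ports, clock = 0, 0, 0.0
    while queue:
        n = max(1, int(cwnd))
        batch, queue = queue[:n], queue[n:]
        answered = dropped = 0
        for port in batch:
            attempts[port] += 1
            if rng.random() < answer_prob:
                answered += 1
                answered_ports += 1
            else:
                dropped += 1
                if attempts[port] <= retries:
                    queue.append(port)   # retransmit later
                else:
                    filtered_ports += 1  # give up; reported as filtered
        # One batch is in flight together: it costs one RTT if everything
        # answered, otherwise the scanner waits out the full probe timeout.
        clock += rtt if dropped == 0 else timeout
        cwnd = min(cwnd_max, cwnd + answered)      # additive increase
        if dropped:
            cwnd = max(1.0, cwnd / 2)              # multiplicative decrease
    return clock, answered_ports, filtered_ports

if __name__ == "__main__":
    for label, prob in (("answers every probe (RST or tarpit)", 1.0),
                        ("CHAOS-like, answers ~2% of probes", 0.02)):
        secs, ans, filt = simulate_scan(prob)
        print(f"{label}: {secs:8.1f} s, {ans} answered, {filt} filtered")
```

With every probe answered the window opens up and 2000 ports finish in well under a second of model time; with 98% silence the window stays at one probe and almost every port costs several full timeouts.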

