Nmap Development mailing list archives
Re: Suspect that --host-timeout is not working in 4.50?
From: Randolph Reitz <rreitz () fnal gov>
Date: Fri, 14 Dec 2007 18:34:29 -0600
On Dec 14, 2007, at 4:42 PM, jah wrote:
> On 14/12/2007 20:52, Randolph Reitz wrote:
>> Hi,
>>
>> I have installed nmap 4.50 on the scanner farm here at Fermilab and I've noticed that some nmap scans are running a long time. For example ...
>>
>>   scanner  5311 31009  0 12:17 ?  00:00:00 /bin/bash ./bin/run_nmap.sh --pro -d 1 -sS -p 1-65535 -A 131.225.232.A 131.225.232.B 131.225.232.C 131.225.232.D
>>   root     5319  5311  2 12:17 ?  00:03:10 /usr/local/bin/nmap -sS -p 1-65535 -P0 -T4 --osscan-limit --osscan-guess --host-timeout 15m -A -oX - 131.225.232.D
>>
>> It's now
>>
>>   date
>>   Fri Dec 14 14:47:47 CST 2007
>>
>> The nmap started at 12:17 and has collected 3 minutes of CPU so far. The host_timeout is set for 15 minutes.
>>
>> So far, I've collected hundreds of examples of long-running nmap scans. However, I've noticed that nmap 4.50 is much faster than 4.2.
>>
>> Does anyone else have a problem with --host-timeout?
>
> Hello Randolph,
>
> I don't seem to be having any problems with --host-timeout, may I propose a quick test...
>
> Perform a simple test scan against a couple of hosts with the aim of finding a host/scan combination that takes at least 2 seconds, but as short as possible (this is supposed to be a quick test). An example might be:
>
>   nmap -d -sU -p1-5000 <target>
>
> When you have a total scan time that suits, add the lowest permissible host-timeout (1501ms):
>
>   nmap -d -sU -p1-5000 --host-timeout 1501 <target>
>
> If host-timeout is working properly, you should see something like:
>
>   ...
>   Completed ARP Ping Scan at 22:35, 0.05s elapsed (1 total hosts)
>   ...
>   <target> timed out during UDP Scan (0 hosts left)
>   Completed UDP Scan at 22:35, 1.46s elapsed (1 host timed out)
>   Host <target> appears to be up ... good.
>   Skipping host <target> due to host timeout
>   ...
>
> If that's a success, you could start building up the scan parameters again and hopefully determine what's gone wrong.
>
> Hope that helps a bit,
>
> jah
Thanks for your reply. The expected response was "Hey, it's open source, so go fix it!".

Quick answer, it's the script engine that seems to be ignoring the host_timeout option.

I have roughly 12,000 hosts to choose from, I'll just pluck one from a log file of systems that took a long time to port scan earlier today. I can get 4.50 to timeout with the options you suggest. For example...

  [scanner@clouseau ~]$ nmap -d -sS -p 1-5000 --host_timeout 10s 131.225.136.140
  host-timeout is given in milliseconds, so you specified less than 15 seconds (10000ms). This is allowed but not recommended.

  Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-14 17:51 CST
  --------------- Timing report ---------------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 1000, min 100, max 10000
    max-scan-delay: TCP 1000, UDP 1000
    parallelism: min 0, max 0
    max-retries: 10, host-timeout: 10000
  ---------------------------------------------
  Initiating Ping Scan at 17:51
  Scanning 131.225.136.140 [2 ports]
  Packet capture filter (device eth0): dst host 131.225.12.197 and (icmp or ((tcp or udp) and (src host 131.225.136.140)))
  We got a TCP ping packet back from 131.225.136.140 port 80 (trynum = 0)
  Completed Ping Scan at 17:51, 0.01s elapsed (1 total hosts)
  mass_rdns: Using DNS server 131.225.8.120
  mass_rdns: Using DNS server 131.225.17.150
  Initiating Parallel DNS resolution of 1 host. at 17:51
  mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
  Completed Parallel DNS resolution of 1 host. at 17:51, 0.00s elapsed
  DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
  Initiating SYN Stealth Scan at 17:51
  Scanning plainwell.fnal.gov (131.225.136.140) [5000 ports]
  Packet capture filter (device eth0): dst host 131.225.12.197 and (icmp or (tcp and (src host 131.225.136.140)))
  Discovered open port 21/tcp on 131.225.136.140
  Discovered open port 23/tcp on 131.225.136.140
  Discovered open port 4045/tcp on 131.225.136.140
  Increased max_successful_tryno for 131.225.136.140 to 1 (packet drop)
  Increasing send delay for 131.225.136.140 from 0 to 5 due to 18 out of 60 dropped probes since last increase.
  Increased max_successful_tryno for 131.225.136.140 to 2 (packet drop)
  Increased max_successful_tryno for 131.225.136.140 to 3 (packet drop)
  Increased max_successful_tryno for 131.225.136.140 to 4 (packet drop)
  Increasing send delay for 131.225.136.140 from 5 to 10 due to max_successful_tryno increase to 4
  Increased max_successful_tryno for 131.225.136.140 to 5 (packet drop)
  Increasing send delay for 131.225.136.140 from 10 to 20 due to max_successful_tryno increase to 5
  131.225.136.140 timed out during SYN Stealth Scan (0 hosts left)
  Completed SYN Stealth Scan at 17:51, 10.00s elapsed (1 host timed out)
  Host plainwell.fnal.gov (131.225.136.140) appears to be up ... good.
  Skipping host plainwell.fnal.gov (131.225.136.140) due to host timeout
  Final times for host: srtt: 376 rttvar: 51 to: 100000
  Read from /usr/local/share/nmap: nmap-services.
  Nmap done: 1 IP address (1 host up) scanned in 10.055 seconds
             Raw packets sent: 506 (22.244KB) | Rcvd: 306 (14.076KB)

If I use all ports...

  [scanner@clouseau ~]$ nmap -d -sS -p 1-65535 --host_timeout 10s 131.225.136.140
  host-timeout is given in milliseconds, so you specified less than 15 seconds (10000ms). This is allowed but not recommended.

  Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-14 17:52 CST
  --------------- Timing report ---------------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 1000, min 100, max 10000
    max-scan-delay: TCP 1000, UDP 1000
    parallelism: min 0, max 0
    max-retries: 10, host-timeout: 10000
  ---------------------------------------------
  Initiating Ping Scan at 17:52
  Scanning 131.225.136.140 [2 ports]
  Packet capture filter (device eth0): dst host 131.225.12.197 and (icmp or ((tcp or udp) and (src host 131.225.136.140)))
  We got a TCP ping packet back from 131.225.136.140 port 80 (trynum = 0)
  Completed Ping Scan at 17:52, 0.01s elapsed (1 total hosts)
  mass_rdns: Using DNS server 131.225.8.120
  mass_rdns: Using DNS server 131.225.17.150
  Initiating Parallel DNS resolution of 1 host. at 17:52
  mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
  Completed Parallel DNS resolution of 1 host. at 17:52, 0.00s elapsed
  DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
  Initiating SYN Stealth Scan at 17:52
  Scanning plainwell.fnal.gov (131.225.136.140) [65535 ports]
  Packet capture filter (device eth0): dst host 131.225.12.197 and (icmp or (tcp and (src host 131.225.136.140)))
  Discovered open port 21/tcp on 131.225.136.140
  Discovered open port 23/tcp on 131.225.136.140
  Increased max_successful_tryno for 131.225.136.140 to 1 (packet drop)
  Increasing send delay for 131.225.136.140 from 0 to 5 due to 18 out of 59 dropped probes since last increase.
  Increased max_successful_tryno for 131.225.136.140 to 2 (packet drop)
  Increased max_successful_tryno for 131.225.136.140 to 3 (packet drop)
  Increased max_successful_tryno for 131.225.136.140 to 4 (packet drop)
  Increasing send delay for 131.225.136.140 from 5 to 10 due to max_successful_tryno increase to 4
  Increased max_successful_tryno for 131.225.136.140 to 5 (packet drop)
  Increasing send delay for 131.225.136.140 from 10 to 20 due to max_successful_tryno increase to 5
  131.225.136.140 timed out during SYN Stealth Scan (0 hosts left)
  Completed SYN Stealth Scan at 17:52, 10.00s elapsed (1 host timed out)
  Host plainwell.fnal.gov (131.225.136.140) appears to be up ... good.
  Skipping host plainwell.fnal.gov (131.225.136.140) due to host timeout
  Final times for host: srtt: 359 rttvar: 27 to: 100000
  Read from /usr/local/share/nmap: nmap-services.
  Nmap done: 1 IP address (1 host up) scanned in 10.118 seconds
             Raw packets sent: 505 (22.200KB) | Rcvd: 305 (14.030KB)

The host-timeout works! However, if I add service detection (and I bumped the host-timeout to 1m)...

  [scanner@clouseau ~]$ nmap -d -sS -p 1-65535 --host_timeout 1m -A 131.225.136.140

  Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-14 18:13 CST
  --------------- Timing report ---------------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 1000, min 100, max 10000
    max-scan-delay: TCP 1000, UDP 1000
    parallelism: min 0, max 0
    max-retries: 10, host-timeout: 60000
  ---------------------------------------------
  Initiating Ping Scan at 18:13
  Scanning 131.225.136.140 [2 ports]
  Packet capture filter (device eth0): dst host 131.225.12.197 and (icmp or ((tcp or udp) and (src host 131.225.136.140)))
  We got a TCP ping packet back from 131.225.136.140 port 80 (trynum = 0)
  Completed Ping Scan at 18:13, 0.01s elapsed (1 total hosts)
  mass_rdns: Using DNS server 131.225.8.120
  mass_rdns: Using DNS server 131.225.17.150
  Initiating Parallel DNS resolution of 1 host. at 18:13
  mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
  Completed Parallel DNS resolution of 1 host. at 18:13, 0.00s elapsed
  DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
  Initiating SYN Stealth Scan at 18:13
  Scanning plainwell.fnal.gov (131.225.136.140) [65535 ports]
  Packet capture filter (device eth0): dst host 131.225.12.197 and (icmp or (tcp and (src host 131.225.136.140)))
  Discovered open port 21/tcp on 131.225.136.140
  Discovered open port 23/tcp on 131.225.136.140
  Increased max_successful_tryno for 131.225.136.140 to 1 (packet drop)
  Increasing send delay for 131.225.136.140 from 0 to 5 due to 18 out of 59 dropped probes since last increase.
  Increased max_successful_tryno for 131.225.136.140 to 2 (packet drop)
  Increased max_successful_tryno for 131.225.136.140 to 3 (packet drop)
  Increased max_successful_tryno for 131.225.136.140 to 4 (packet drop)
  Increasing send delay for 131.225.136.140 from 5 to 10 due to max_successful_tryno increase to 4
  Increased max_successful_tryno for 131.225.136.140 to 5 (packet drop)
  Increasing send delay for 131.225.136.140 from 10 to 20 due to max_successful_tryno increase to 5
  SYN Stealth Scan Timing: About 1.73% done; ETC: 18:42 (0:28:25 remaining)
  131.225.136.140 timed out during SYN Stealth Scan (0 hosts left)
  Completed SYN Stealth Scan at 18:14, 60.00s elapsed (1 host timed out)
  Initiating Service scan at 18:14
  Initiating Traceroute at 18:14
  131.225.136.140: hop distance parameters -> hg:64 ttl:59
  131.225.136.140: guessing hop distance at 5
  Completed Traceroute at 18:14, 0.00s elapsed
  Initiating Parallel DNS resolution of 7 hosts. at 18:14
  mass_rdns: 0.00s 0/5 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 5]
  Completed Parallel DNS resolution of 7 hosts. at 18:14, 0.00s elapsed
  DNS resolution of 5 IPs took 0.00s. Mode: Async [#: 2, OK: 5, NX: 0, DR: 0, SF: 0, TR: 5, CN: 0]
  SCRIPT ENGINE: Initiating script scanning.
  SCRIPT ENGINE: Script scanning plainwell.fnal.gov.
  SCRIPT ENGINE: Using /usr/local/libexec/nmap/nselib-bin/?.so;./?.so;/usr/local/lib/lua/5.1/?.so;/usr/local/lib/lua/5.1/loadall.so to search for C-modules and /usr/local/share/nmap/nselib/?.lua;./?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/lib/lua/5.1/?.lua;/usr/local/lib/lua/5.1/?/init.lua for Lua-modules
  SCRIPT ENGINE: Initialized 21 rules
  SCRIPT ENGINE: Matching rules.
  SCRIPT ENGINE: Will run /usr/local/share/nmap/scripts/anonFTP.nse against 131.225.136.140:21
  SCRIPT ENGINE: Will run /usr/local/share/nmap/scripts/bruteTelnet.nse against 131.225.136.140:23
  SCRIPT ENGINE: Running scripts.
  SCRIPT ENGINE: Runlevel: 1.000000
  Initiating SCRIPT ENGINE at 18:14
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:15 (0:00:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:16 (0:01:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:17 (0:01:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:18 (0:02:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:19 (0:02:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:20 (0:03:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:21 (0:03:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:22 (0:04:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:23 (0:04:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:24 (0:05:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:25 (0:05:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:26 (0:06:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:27 (0:06:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:28 (0:07:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:29 (0:07:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:30 (0:08:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:31 (0:08:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:32 (0:09:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:33 (0:09:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:34 (0:10:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:35 (0:10:30 remaining)

I killed it. It's now 18:25, so the nmap has been running for ~13 minutes.

If I drop the greedy -p 1-65535 and go for -F ...

  [scanner@clouseau ~]$ nmap -d -sS -F --host_timeout 1m -A 131.225.136.140

  Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-14 18:27 CST
  --------------- Timing report ---------------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 1000, min 100, max 10000
    max-scan-delay: TCP 1000, UDP 1000
    parallelism: min 0, max 0
    max-retries: 10, host-timeout: 60000
  ---------------------------------------------
  Initiating Ping Scan at 18:27
  Scanning 131.225.136.140 [2 ports]
  Packet capture filter (device eth0): dst host 131.225.12.197 and (icmp or ((tcp or udp) and (src host 131.225.136.140)))
  We got a TCP ping packet back from 131.225.136.140 port 80 (trynum = 0)
  Completed Ping Scan at 18:27, 0.00s elapsed (1 total hosts)
  mass_rdns: Using DNS server 131.225.8.120
  mass_rdns: Using DNS server 131.225.17.150
  Initiating Parallel DNS resolution of 1 host. at 18:27
  mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
  Completed Parallel DNS resolution of 1 host. at 18:27, 0.00s elapsed
  DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
  Initiating SYN Stealth Scan at 18:27
  Scanning plainwell.fnal.gov (131.225.136.140) [1272 ports]
  Packet capture filter (device eth0): dst host 131.225.12.197 and (icmp or (tcp and (src host 131.225.136.140)))
  <open ports discovered>
  Increased max_successful_tryno for 131.225.136.140 to 1 (packet drop)
  Increasing send delay for 131.225.136.140 from 0 to 5 due to 18 out of 60 dropped probes since last increase.
  Increased max_successful_tryno for 131.225.136.140 to 2 (packet drop)
  Increased max_successful_tryno for 131.225.136.140 to 3 (packet drop)
  Discovered open port 32780/tcp on 131.225.136.140
  Increased max_successful_tryno for 131.225.136.140 to 4 (packet drop)
  Increasing send delay for 131.225.136.140 from 5 to 10 due to max_successful_tryno increase to 4
  Discovered open port 32778/tcp on 131.225.136.140
  Increased max_successful_tryno for 131.225.136.140 to 5 (packet drop)
  Increasing send delay for 131.225.136.140 from 10 to 20 due to max_successful_tryno increase to 5
  <open ports discovered>
  Completed SYN Stealth Scan at 18:28, 34.51s elapsed (1272 total ports)
  Initiating Service scan at 18:28
  Scanning 15 services on plainwell.fnal.gov (131.225.136.140)
  Got nsock CONNECT response with status TIMEOUT - aborting this service
  Completed Service scan at 18:28, 26.01s elapsed (1 host timed out)
  Initiating Traceroute at 18:28
  131.225.136.140: hop distance parameters -> hg:64 ttl:59
  131.225.136.140: guessing hop distance at 5
  Completed Traceroute at 18:28, 0.01s elapsed
  Initiating Parallel DNS resolution of 7 hosts. at 18:28
  mass_rdns: 0.00s 0/5 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 5]
  Completed Parallel DNS resolution of 7 hosts. at 18:28, 2.50s elapsed
  DNS resolution of 5 IPs took 2.50s. Mode: Async [#: 2, OK: 5, NX: 0, DR: 0, SF: 0, TR: 6, CN: 0]
  SCRIPT ENGINE: Initiating script scanning.
  SCRIPT ENGINE: Script scanning plainwell.fnal.gov.
  SCRIPT ENGINE: Using /usr/local/libexec/nmap/nselib-bin/?.so;./?.so;/usr/local/lib/lua/5.1/?.so;/usr/local/lib/lua/5.1/loadall.so to search for C-modules and /usr/local/share/nmap/nselib/?.lua;./?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/lib/lua/5.1/?.lua;/usr/local/lib/lua/5.1/?/init.lua for Lua-modules
  SCRIPT ENGINE: Initialized 21 rules
  SCRIPT ENGINE: Matching rules.
  SCRIPT ENGINE: Will run /usr/local/share/nmap/scripts/anonFTP.nse against 131.225.136.140:21
  SCRIPT ENGINE: Will run /usr/local/share/nmap/scripts/bruteTelnet.nse against 131.225.136.140:23
  SCRIPT ENGINE: Running scripts.
  SCRIPT ENGINE: Runlevel: 1.000000
  Initiating SCRIPT ENGINE at 18:28
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:29 (0:00:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:30 (0:01:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:31 (0:01:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:32 (0:02:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:33 (0:02:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:34 (0:03:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:35 (0:03:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:36 (0:04:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:37 (0:04:30 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:38 (0:05:00 remaining)
  SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:39 (0:05:30 remaining)

Same problem. Once the script engine starts, the host-timeout seems to be ignored.

Thanks,
Randy Reitz
Fermilab

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
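An added example, not part of Randy's message or of nmap itself: a small Python checker for exactly the symptom above, useful on a scanner farm that keeps nmap -d logs. It pulls host-timeout from the Timing report, records each phase's "Completed ... elapsed" time, and for a script-engine phase that never completes estimates its real wall time from the progress lines (ETC minus "remaining"), flagging any phase that outran the timeout; the transcript it runs on is constructed and abridged from the runs quoted above.

```python
import re

# Constructed, abridged nmap -d transcript in the shape of the one in the
# thread: the SYN scan honours the 1m host-timeout, the script engine does not.
SAMPLE_LOG = """\
max-retries: 10, host-timeout: 60000
Initiating SYN Stealth Scan at 18:13
Completed SYN Stealth Scan at 18:14, 60.00s elapsed (1 host timed out)
Initiating Service scan at 18:14
Initiating SCRIPT ENGINE at 18:14
SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:15 (0:00:30 remaining)
SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:16 (0:01:00 remaining)
SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:17 (0:01:30 remaining)
SCRIPT ENGINE Timing: About 50.00% done; ETC: 18:18 (0:02:00 remaining)
"""

HOST_TIMEOUT_RE = re.compile(r"host-timeout: (\d+)")
PHASE_DONE_RE = re.compile(r"Completed (.+?) at \d\d:\d\d, ([\d.]+)s elapsed")
NSE_START_RE = re.compile(r"Initiating SCRIPT ENGINE at (\d\d):(\d\d)")
NSE_TIMING_RE = re.compile(r"SCRIPT ENGINE Timing: About ([\d.]+)% done; "
                           r"ETC: (\d\d):(\d\d) \((\d+):(\d\d):(\d\d) remaining\)")


def _hhmm(hh, mm):
    """Seconds since midnight for an HH:MM timestamp."""
    return int(hh) * 3600 + int(mm) * 60


def analyse(log):
    """Summarise which scan phases ran longer than --host-timeout allows."""
    timeout_s, nse_start, nse_elapsed, percents, phases = None, None, 0, [], {}
    for line in log.splitlines():
        if m := HOST_TIMEOUT_RE.search(line):
            timeout_s = int(m.group(1)) / 1000.0   # the report prints milliseconds
        elif m := PHASE_DONE_RE.search(line):
            phases[m.group(1)] = float(m.group(2))
        elif m := NSE_START_RE.search(line):
            nse_start = _hhmm(m.group(1), m.group(2))
        elif (m := NSE_TIMING_RE.search(line)) and nse_start is not None:
            percents.append(float(m.group(1)))
            etc = _hhmm(m.group(2), m.group(3))
            remaining = int(m.group(4)) * 3600 + int(m.group(5)) * 60 + int(m.group(6))
            # The progress line carries no clock, but ETC is now + remaining,
            # so ETC - remaining recovers "now" (minute resolution) and hence
            # how long the engine has really been running since it started.
            nse_elapsed = max(nse_elapsed, (etc - remaining - nse_start) % 86400)
    if percents:  # the engine never logged "Completed", so use the estimate
        phases["SCRIPT ENGINE (unfinished)"] = float(nse_elapsed)
    overrun = sorted(n for n, s in phases.items() if timeout_s and s > timeout_s)
    return {"host_timeout_s": timeout_s, "phases": phases,
            "nse_progress_stuck": len(set(percents)) == 1 < len(percents),
            "overrun": overrun}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```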
Current thread:
- Suspect that --host-timeout is not working in 4.50? Randolph Reitz (Dec 14)
- Re: Suspect that --host-timeout is not working in 4.50? jah (Dec 14)
- Re: Suspect that --host-timeout is not working in 4.50? Randolph Reitz (Dec 15)
- Re: Suspect that --host-timeout is not working in 4.50? jah (Dec 15)
- Re: Suspect that --host-timeout is not working in 4.50? Randolph Reitz (Dec 16)
- Re: Suspect that --host-timeout is not working in 4.50? jah (Dec 20)
- Re: Suspect that --host-timeout is not working in 4.50? Fyodor (Dec 20)
- Re: Suspect that --host-timeout is not working in 4.50? doug (Dec 20)
- Re: Suspect that --host-timeout is not working in 4.50? Fyodor (Dec 20)
- Re: Suspect that --host-timeout is not working in 4.50? Fyodor (Dec 20)
- Re: Suspect that --host-timeout is not working in 4.50? doug (Dec 21)
- Re: Suspect that --host-timeout is not working in 4.50? Fyodor (Dec 21)
- Re: Suspect that --host-timeout is not working in 4.50? Randolph Reitz (Dec 15)
- Re: Suspect that --host-timeout is not working in 4.50? doug (Dec 20)
- Re: Suspect that --host-timeout is not working in 4.50? jah (Dec 14)