Nmap Development mailing list archives
Re: Nmap loops with "Unable to find listening socket in get_rpc_results" error [2]
From: Lionel Cons <lionel.cons () cern ch>
Date: Tue, 10 Nov 2009 17:06:19 +0100
Fyodor writes:
> o Does this happen pretty much every time you scan the target machine, or is it intermittent.

I found at least one machine where I can always reproduce the problem.

> Can you try to reduce that step by step until you can find the minimal command which still reproduces the problem?

Done. Here is the minimal set:

# nmap -sS -sU -sR -p T:55491,U:111 <victim>

> o Only one system does this to you? Is it on the Internet where I can scan it, or an internal system? What do you get from "rpcinfo -p <target>" and "nmap -p- -A -T4 <target>"?

This system is not reachable from the Internet. Here are the requested outputs.

Cheers,
Lionel

   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100133    1   udp  32772
    100133    1   tcp  32771
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100005    1   udp  32778  mountd
    100005    2   udp  32778  mountd
    100005    3   udp  32778  mountd
    100005    1   tcp  32776  mountd
    100005    2   tcp  32776  mountd
    100005    3   tcp  32776  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100026    1   udp  32779  bootparam
    100026    1   tcp  32777  bootparam
1289637086    5   tcp  55491
1289637086    1   tcp  55491

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-10 09:44 CET
Nmap scan report for victim (1.2.3.4)
Host is up (0.00056s latency).
Not shown: 65507 closed ports
PORT      STATE    SERVICE          VERSION
111/tcp   open     rpcbind
| rpcinfo:
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/udp nfs
| 100227 2,3 2049/udp nfs_acl
| 100021 1,2,3,4 4045/udp nlockmgr
| 100024 1 32772/udp status
| 100133 1 32772/udp nsm_addrand
| 100005 1,2,3 32778/udp mountd
| 100026 1 32779/udp bootparam
| 100000 2,3,4 111/tcp rpcbind
| 100003 2,3 2049/tcp nfs
| 100227 2,3 2049/tcp nfs_acl
| 100021 1,2,3,4 4045/tcp nlockmgr
| 100024 1 32771/tcp status
| 100133 1 32771/tcp nsm_addrand
| 100005 1,2,3 32776/tcp mountd
| 100026 1 32777/tcp bootparam
|_ 1289637086 1,5 55491/tcp dtcm
512/tcp   open     exec
513/tcp   open     login
514/tcp   open     tcpwrapped
515/tcp   open     printer          Solaris lpd
601/tcp   open     unknown
2049/tcp  open     rpcbind
3363/tcp  open     tcpwrapped
4045/tcp  open     rpcbind
5252/tcp  filtered unknown
6000/tcp  open     X11              XSun Solaris X11 server
7100/tcp  open     font-service     Sun Solaris fs.auto
8181/tcp  filtered unknown
32771/tcp open     rpcbind
32774/tcp open     sometimes-rpc11?
32776/tcp open     rpcbind
32777/tcp open     rpcbind
55491/tcp open     rpcbind
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8 (SPARC)
Network Distance: 6 hops
Service Info: OSs: Solaris, Unix

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 488.11 seconds

# nmap -d5 -sS -sU -sR -p T:55491,U:111 1.2.3.4
Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-10 16:50 CET
Fetchfile found /usr/share/nmap/nmap-services
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
doing 0.0.0.0 = 1.2.3.4
Initiating Ping Scan at 16:50
Scanning 1.2.3.4 [4 ports]
Pcap filter: dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
Packet capture filter (device eth0): dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
SENT (0.0470s) ICMP 1.2.3.1 > 1.2.3.4 echo request (type=8/code=0) ttl=45 id=63008 iplen=28
SENT (0.0470s) TCP 1.2.3.1:56346 > 1.2.3.4:443 S ttl=48 id=20758 iplen=44 seq=331117183 win=1024 <mss 1460>
SENT (0.0470s) TCP 1.2.3.1:56346 > 1.2.3.4:80 A ttl=40 id=13463 iplen=40 seq=0 win=1024 ack=331117183
SENT (0.0470s) ICMP 1.2.3.1 > 1.2.3.4 Timestamp request (type=13/code=0) ttl=50 id=40714 iplen=40
**TIMING STATS** (0.0470s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 4/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   1.2.3.4: 4/0/0/4/0/0 10.00/75/0 1000000/-1/-1
Current sending rates: 1093.49 packets / s, 41552.76 bytes / s.
Overall sending rates: 1093.49 packets / s, 41552.76 bytes / s.
RCVD (0.0480s) ICMP 1.2.3.4 > 1.2.3.1 echo reply (type=0/code=0) ttl=250 id=53510 iplen=28
Found 1.2.3.4 in incomplete hosts list.
We got a ping packet back from 1.2.3.4: id = 14049 seq = 0 checksum = 51486
ultrascan_host_probe_update called for machine 1.2.3.4 state UNKNOWN -> HOST_UP (trynum 0 time: 1169)
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1106 ==> srtt: 1106 rttvar: 5000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1106 ==> srtt: 1106 rttvar: 5000 to: 100000
Changing ping technique for 1.2.3.4 to icmp type 8 code 0
Moving 1.2.3.4 to completed hosts list with 0 outstanding probes.
Changing global ping host to 1.2.3.4.
Completed Ping Scan at 16:50, 0.00s elapsed (1 total hosts)
Overall sending rates: 839.63 packets / s, 31905.96 bytes / s.
pcap stats: 3 packets received by filter, 0 dropped by kernel.
mass_rdns: Using DNS server 1.2.5.1
mass_rdns: Using DNS server 1.2.5.2
NSOCK (0.0520s) UDP connection requested to 1.2.5.2:53 (IOD #1) EID 8
NSOCK (0.0520s) Read request from IOD #1 [1.2.5.2:53] (timeout: -1ms) EID 18
NSOCK (0.0520s) UDP connection requested to 1.2.5.1:53 (IOD #2) EID 24
NSOCK (0.0520s) Read request from IOD #2 [1.2.5.1:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution of 1 host. at 16:50
mass_rdns: TRANSMITTING for <1.2.3.4> (server <1.2.5.2>)
NSOCK (0.0520s) Write request for 46 bytes to IOD #1 EID 43 [1.2.5.2:53]: .............108.237.138.137.in-addr.arpa.....
NSOCK (0.0520s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.0520s) Callback: CONNECT SUCCESS for EID 8 [1.2.5.2:53]
NSOCK (0.0520s) Callback: CONNECT SUCCESS for EID 24 [1.2.5.1:53]
NSOCK (0.0520s) Callback: WRITE SUCCESS for EID 43 [1.2.5.2:53]
NSOCK (0.0520s) Callback: READ SUCCESS for EID 18 [1.2.5.2:53] (154 bytes)
NSOCK (0.0520s) Read request from IOD #1 [1.2.5.2:53] (timeout: -1ms) EID 50
CAPACITY <1.2.5.2> = 12
mass_rdns: OK MATCHED <1.2.3.4> to <victim>
mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 16:50, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:50
1.2.3.4 pingprobe type ICMP is inappropriate for this scan type; resetting.
Scanning victim (1.2.3.4) [1 port]
Pcap filter: dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
Packet capture filter (device eth0): dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
SENT (0.0580s) TCP 1.2.3.1:56346 > 1.2.3.4:55491 S ttl=56 id=902 iplen=44 seq=737339205 win=1024 <mss 1460>
**TIMING STATS** (0.0580s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   1.2.3.4: 1/0/0/1/0/0 10.00/75/0 100000/1106/5000
Current sending rates: 192.38 packets / s, 8464.79 bytes / s.
Overall sending rates: 192.38 packets / s, 8464.79 bytes / s.
RCVD (0.0580s) TCP 1.2.3.4:55491 > 1.2.3.1:56346 SA ttl=59 id=53514 iplen=44 seq=3281484125 win=24820 ack=737339206 <mss 1460>
Found 1.2.3.4 in incomplete hosts list.
Discovered open port 55491/tcp on 1.2.3.4
Timeout vals: srtt: 1106 rttvar: 5000 to: 100000 delta -583 ==> srtt: 1033 rttvar: 3895 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 523 ==> srtt: 523 rttvar: 5000 to: 100000
Changing ping technique for 1.2.3.4 to tcp to port 55491; flags: S
Moving 1.2.3.4 to completed hosts list with 0 outstanding probes.
Changing global ping host to 1.2.3.4.
Completed SYN Stealth Scan at 16:50, 0.01s elapsed (1 total ports)
Overall sending rates: 179.34 packets / s, 7890.96 bytes / s.
pcap stats: 1 packets received by filter, 0 dropped by kernel.
Initiating UDP Scan at 16:50
Scanning victim (1.2.3.4) [1 port]
Pcap filter: dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
Packet capture filter (device eth0): dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
SENT (0.0640s) UDP 1.2.3.1:56346 > 1.2.3.4:111 ttl=42 id=24934 iplen=68
**TIMING STATS** (0.0640s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   1.2.3.4: 1/0/0/1/0/0 10.00/75/0 100000/1033/3895
Current sending rates: 308.74 packets / s, 20994.13 bytes / s.
Overall sending rates: 308.74 packets / s, 20994.13 bytes / s.
RCVD (0.0650s) UDP 1.2.3.4:111 > 1.2.3.1:56346 ttl=250 id=53515 iplen=60
Found 1.2.3.4 in incomplete hosts list.
Discovered open port 111/udp on 1.2.3.4
Timeout vals: srtt: 1033 rttvar: 3895 to: 100000 delta 64 ==> srtt: 1041 rttvar: 2937 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1097 ==> srtt: 1097 rttvar: 5000 to: 100000
Moving 1.2.3.4 to completed hosts list with 0 outstanding probes.
Changing global ping host to 1.2.3.4.
Completed UDP Scan at 16:50, 0.00s elapsed (1 total ports)
Overall sending rates: 228.99 packets / s, 15571.33 bytes / s.
pcap stats: 1 packets received by filter, 0 dropped by kernel.
Starting RPC scan against victim (1.2.3.4)
Fetchfile found /usr/share/nmap/nmap-rpc
Initiating RPCGrind Scan against victim (1.2 at 16:50
Sending initial query to port/prog 100000
Sending RPC probe for program 100000 to 55491/tcp -- scan_offset=0 trynum=0 xid=2606FDA1
Sending initial query to port/prog 100001
Sending RPC probe for program 100001 to 55491/tcp -- scan_offset=1 trynum=0 xid=2606FDA2
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Timeout, resending to portno/progno 100001
Sending RPC probe for program 100001 to 55491/tcp -- scan_offset=1 trynum=1 xid=6606FDA2
Timeout, resending to portno/progno 100000
Sending RPC probe for program 100000 to 55491/tcp -- scan_offset=0 trynum=1 xid=6606FDA1
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Timeout, resending to portno/progno 100000
Sending RPC probe for program 100000 to 55491/tcp -- scan_offset=0 trynum=2 xid=FFFFFFFFA606FDA1
Timeout, resending to portno/progno 100001
Sending RPC probe for program 100001 to 55491/tcp -- scan_offset=1 trynum=2 xid=FFFFFFFFA606FDA2
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
RPC Scan giving up on port 55491 proto 6 due to repeated lack of response
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Finished round. Current stats: numqueries_ideal: 2; min_width: 1; max_width: 150; packet_incr: 4; senddelay: 0us; fallback: 70%
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Unable to find listening socket in get_rpc_results
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Unable to find listening socket in get_rpc_results
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Unable to find listening socket in get_rpc_results
^C

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/