Nmap Development mailing list archives

Re: Nmap loops with "Unable to find listening socket in get_rpc_results" error [2]


From: David Fifield <david () bamsoftware com>
Date: Wed, 11 Nov 2009 10:53:30 -0700

On Wed, Nov 11, 2009 at 08:54:04AM -0700, David Fifield wrote:
On Tue, Nov 10, 2009 at 05:06:19PM +0100, Lionel Cons wrote:
Fyodor writes:
 > o Does this happen pretty much every time you scan the target machine,
 >   or is it intermittent.

I found at least one machine where I can always reproduce the problem.

 > Can you try to reduce that step by step until you can find the minimal
 > command which still reproduces the problem?

Done. Here is the minimal set:

# nmap -sS -sU -sR -p T:55491,U:111 <victim>

 >  o Only one system does this to you?  Is it on the Internet where I
 >    can scan it, or an internal system?  What do you get from "rpcinfo -p
 >    <target>" and "nmap -p- -A -T4 <target>"?

This system is not reachable from the Internet. Here are the requested
outputs.

I can reproduce this using these commands:

ncat -l 55491 -k --send-only
ncat --udp -l 111 --sh-exec "/bin/cat > /dev/null"
nmap -sSUR -p T:55491,U:111 localhost

This is fixed in r16058. The bug was that the count of outstanding
queries wasn't being reset to 0 when Nmap gave up on the TCP port
because of a lack of replies. This prohibited further probes from being
sent. The bug didn't require the use of both TCP and UDP, only that the
first port probed not send back any replies. For example this would do
it too:

ncat -l 55491 -k --send-only
ncat -l 55492 -k --send-only
nmap -sSUR -p T:55491,55492 localhost

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
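
Added example, not part of the original message and not Nmap's code: a simplified C model of the bug described above, where a counter of outstanding probes that is not reset when the scanner gives up on a silent port leaves no room to probe the next port. WINDOW, scan_state, probe_port and ports_probed are hypothetical names, and the window size is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

#define WINDOW 3 /* assumed cap on unanswered probes; not Nmap's value */

/* Constructed sample targets: true = port answers, false = silent. */
static const bool SILENT_FIRST[2] = { false, true };
static const bool BOTH_ANSWER[2]  = { true, true };

struct scan_state {
    int outstanding;       /* probes sent and not yet answered */
    bool reset_on_give_up; /* false models the bug, true models the fix */
};

/* Probe one port until it answers or the window fills; return probes sent. */
static int probe_port(struct scan_state *s, bool answers)
{
    int sent = 0;
    while (s->outstanding < WINDOW) {
        s->outstanding++;
        sent++;
        if (answers) {
            s->outstanding--; /* a reply retires its probe */
            return sent;
        }
    }
    /* No replies: give up on this port and move on. */
    if (s->reset_on_give_up)
        s->outstanding = 0;
    return sent;
}

/* Scan ports in order; return how many received at least one probe. */
int ports_probed(const bool *answers, int n, bool reset_on_give_up)
{
    struct scan_state s = { 0, reset_on_give_up };
    int probed = 0;
    for (int i = 0; i < n; i++)
        if (probe_port(&s, answers[i]) > 0)
            probed++;
    return probed;
}

int main(void)
{
    printf("bug, silent first: %d of 2\n", ports_probed(SILENT_FIRST, 2, false));
    printf("fix, silent first: %d of 2\n", ports_probed(SILENT_FIRST, 2, true));
    printf("bug, both answer:  %d of 2\n", ports_probed(BOTH_ANSWER, 2, false));
    return 0;
}
```

The stall only shows when the first port probed stays silent, which matches the reproduction with a listener that never sends a reply.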

