Nmap Development mailing list archives
Re: nmap scans on FreeBSD showing incorrect results
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 20 Sep 2017 23:17:01 -0500
Vincent,

Thanks for reporting this! Filtered port state can be caused by dropped packets, though Nmap usually slows down and tries again if it determines some packets are being dropped. I noticed that the two examples you gave of incorrect results actually took less time to complete than the correct ones. It's likely that Nmap just isn't slowing down quickly enough to catch the replies it ought to.

Here's some diagnostic stuff I'd like to see from you, if you can:

1. Debug output with -d2 for an incorrect scan. Also add -n to skip the reverse-DNS phase, which can add noise to the total scan time.

2. Does slowing the scan down "fix" the incorrect results? Add -T2 to slow it down. If this works, then it's most likely a timing or missed packets issue.

3. Let us know if there's anything special about the network: virtual machine (bridged, NAT, etc.)? WiFi? Gigabit Ethernet?

It's already very helpful to know this affects multiple versions of Nmap and FreeBSD, but if you find a version combination that *does* work, that's useful info as well.

Thanks. Hopefully we can fix it soon!

Dan

On Tue, Sep 19, 2017 at 8:11 PM, Vincent Stemen <vince.nmap () hightek org> wrote:
Hi.

On FreeBSD 11.1 release I am getting inconsistent results from nmap version 7.40. It is randomly showing some ports as filtered even though they are not. I am wondering if this could be a bug in nmap when running on FreeBSD.

For comparison, I ran nmap version 7.40 on Linux Debian 4.9.30 and I do not have the problem. It consistently correctly shows all unfiltered ports.

The host being scanned is running a packet filter firewall on FreeBSD 11.1.

I also ran a few of the same tests from a FreeBSD 10.3-RELEASE-p11 machine, running nmap-7.12 and got similar inconsistent results.

On these tests, there are 5 unfiltered ports. If it has been at least a minute or so since the last scan, it seems to output the correct results.

# nmap -p 1000-1040 pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:21 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.026s latency).
Not shown: 36 filtered ports
PORT     STATE  SERVICE
1000/tcp open   cadlock
1001/tcp open   webpush
1002/tcp closed windows-icfw
1003/tcp closed unknown
1004/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 4.89 seconds

-------------------------------------

But if I run the scan again, I get random wrong results.

# nmap -p 1000-1040 pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:21 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.024s latency).
Not shown: 39 filtered ports
PORT     STATE  SERVICE
1000/tcp open   cadlock
1004/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.79 seconds

???? This is outright wrong. Why does it only show 2 unfiltered ports? ????

-------------------------------------

It is not consistent about which ports it shows as being unfiltered.

# nmap -p 1000-1030 pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:29 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.024s latency).
Not shown: 29 filtered ports
PORT     STATE  SERVICE
1001/tcp open   webpush
1002/tcp closed windows-icfw

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds

-------------------------------------

If I scan *no more* than 10 ports, it seems to always be correct. From 15 on up it appears to get more and more inconsistent.

# nmap -p 1000-1010 pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:32 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.025s latency).
PORT     STATE    SERVICE
1000/tcp open     cadlock
1001/tcp open     webpush
1002/tcp closed   windows-icfw
1003/tcp closed   unknown
1004/tcp closed   unknown
1005/tcp filtered unknown
1006/tcp filtered unknown
1007/tcp filtered unknown
1008/tcp filtered ufsd
1009/tcp filtered unknown
1010/tcp filtered surf

Nmap done: 1 IP address (1 host up) scanned in 3.99 seconds

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
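The comparison Daniel describes above (which ports change state between runs, and whether the run that reported fewer unfiltered ports was also the faster one) can be made mechanical. The following script is an added example and is not part of the thread or of Nmap itself: it parses Nmap's normal text output, treats every scanned port that is absent from the table as being in the "Not shown" state, and lists the ports whose state disagrees across runs. The two embedded reports are constructed from the first two scans Vincent posted, trimmed to the lines the parser needs; the scanned port range (1000-1040) is passed in explicitly because the report does not state it.

```python
import re

# Constructed sample input: the two "-p 1000-1040" reports from the thread,
# one that looks correct (5 unfiltered ports) and one that does not (2).
SCAN_A = """\
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.026s latency).
Not shown: 36 filtered ports
PORT     STATE  SERVICE
1000/tcp open   cadlock
1001/tcp open   webpush
1002/tcp closed windows-icfw
1003/tcp closed unknown
1004/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 4.89 seconds
"""

SCAN_B = """\
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.024s latency).
Not shown: 39 filtered ports
PORT     STATE  SERVICE
1000/tcp open   cadlock
1004/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 1.79 seconds
"""

# One port-table row: "1000/tcp open   cadlock". The state may be a compound
# such as "open|filtered", so any non-space run is accepted.
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)", re.M)
# "Not shown: 36 filtered ports" gives the state of every port Nmap omitted.
NOT_SHOWN_RE = re.compile(r"Not shown: (\d+) (\S+) ports")
# "scanned in 4.89 seconds" from the "Nmap done" summary line.
DONE_RE = re.compile(r"scanned in ([\d.]+) seconds")


def parse_scan(text):
    """Return (port->state, state of the omitted ports or None, duration in seconds)."""
    ports = {int(num): state for num, state in PORT_RE.findall(text)}
    m = NOT_SHOWN_RE.search(text)
    not_shown = m.group(2) if m else None
    m = DONE_RE.search(text)
    duration = float(m.group(1)) if m else None
    return ports, not_shown, duration


def port_state(parsed, port):
    """State of one port; ports missing from the table take the 'Not shown' state."""
    ports, not_shown, _ = parsed
    return ports.get(port, not_shown)


def flapping_ports(scans, port_range):
    """Ports whose state differs between runs, as (port, states-per-run) tuples."""
    parsed = [parse_scan(s) for s in scans]
    result = []
    for port in port_range:
        states = tuple(port_state(p, port) for p in parsed)
        if len(set(states)) > 1:
            result.append((port, states))
    return result


def scan_summary(scan):
    """Unfiltered (open or closed) port count and wall-clock duration of one run."""
    ports, _, duration = parse_scan(scan)
    unfiltered = sum(1 for s in ports.values() if s in ("open", "closed"))
    return {"unfiltered": unfiltered, "duration": duration}


if __name__ == "__main__":
    for name, scan in (("A", SCAN_A), ("B", SCAN_B)):
        print(name, scan_summary(scan))
    for port, states in flapping_ports([SCAN_A, SCAN_B], range(1000, 1041)):
        print(f"{port}/tcp: {' -> '.join(states)}")
```

Run against the two sample reports, it lists ports 1001, 1002 and 1003 as having gone from open or closed to filtered, and shows the second run finishing in well under half the time of the first, which is the pattern Daniel points to as a sign that replies were missed rather than the ports actually being filtered. To use it on your own runs, save the normal output of each scan to a file and pass the file contents in place of the constructed strings.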