Nmap Development mailing list archives

Port state detection sometimes fails when scanning a single port in aggressive timing


From: Andres Marin Lopez <andres.marin () uc3m es>
Date: Fri, 27 Oct 2017 15:02:58 +0200

Hi!
I have detected that nmap 7.60, when scanning a single port, fails to detect
the state of the port with an aggressive timing strategy. I discovered it with -T3
in version 7.50, but in version 7.60 it only happens using -T5. With
--packet-trace I see that nmap does not wait to receive the SYN,ACK, though
tcpdump shows it.

This does not happen if you scan two or more ports, so it may be a bug in
the code.

Here follow the traces with the new version of nmap:

amarin@lamp:/tmp$ sudo nmap  -sS -n -T5 10.0.3.115 --packet-trace -p80

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-27 12:14 CEST
SENT (0.0666s) ARP who-has 10.0.3.115 tell 10.0.3.229
RCVD (0.0678s) ARP reply 10.0.3.115 is-at CA:63:91:E8:33:60
SENT (0.3389s) TCP 10.0.3.229:53832 > 10.0.3.115:80 S ttl=58 id=64238
iplen=44  seq=2707334846 win=1024 <mss 1460>
SENT (0.3890s) TCP 10.0.3.229:53833 > 10.0.3.115:80 S ttl=54 id=20639
iplen=44  seq=2707400383 win=1024 <mss 1460>
Nmap scan report for 10.0.3.115
Host is up (0.0012s latency).

PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: CA:63:91:E8:33:60 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

And now scanning two ports:

amarin@lamp:/tmp$ sudo nmap  -sS -n -T5 10.0.3.115 --packet-trace -p80,443

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-27 12:14 CEST
SENT (0.0622s) ARP who-has 10.0.3.115 tell 10.0.3.229
RCVD (0.0634s) ARP reply 10.0.3.115 is-at CA:63:91:E8:33:60
SENT (0.3585s) TCP 10.0.3.229:43973 > 10.0.3.115:80 S ttl=37 id=26374
iplen=44  seq=102116974 win=1024 <mss 1460>
SENT (0.3586s) TCP 10.0.3.229:43973 > 10.0.3.115:443 S ttl=45 id=5429
iplen=44  seq=102116974 win=1024 <mss 1460>
RCVD (0.3595s) TCP 10.0.3.115:80 > 10.0.3.229:43973 SA ttl=64 id=0
iplen=44  seq=3642482007 win=14600 <mss 1460>
RCVD (0.3595s) TCP 10.0.3.115:443 > 10.0.3.229:43973 SA ttl=64 id=0
iplen=44  seq=2915678535 win=14600 <mss 1460>
Nmap scan report for 10.0.3.115
Host is up (0.0011s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: CA:63:91:E8:33:60 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

amarin@lamp:/tmp$ nmap -V

Nmap version 7.60 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.0f libssh2-1.8.0 libz-1.2.8
libpcre-8.39 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Thanks for this invaluable tool!!
-- 
ANDRES MARIN LOPEZ
Universidad Carlos III de Madrid
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
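The diagnostic the post describes, reading the `--packet-trace` output and checking it against what a sniffer saw on the wire, can be automated. The script below is an added example; it is not code from the nmap project or from the poster. It pairs each SENT probe with the RCVD replies nmap logged for that target port, derives the state those replies imply under SYN-scan semantics (SYN/ACK open, RST closed, silence filtered), compares it with the port table nmap printed, and then compares nmap's verdict with replies observed independently. The sample trace is the single-port run from the post; the `SNIFFED_REPLIES` table is a constructed stand-in for the tcpdump capture the post mentions but does not include. A port that nmap reports as filtered while the wire shows a SYN/ACK is the case that matters to a defender, because the scan then understates exposure.

```python
"""Cross-check nmap --packet-trace output against the reported port table
and an independent packet capture (added example, not nmap project code)."""
import re
from collections import defaultdict

# A TCP trace record: direction, timestamp, endpoints, TCP flags. The rest of
# the line (ttl=, id=, iplen=, seq=, win=, options) is not needed here.
TCP_LINE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[0-9.]+)s\) TCP "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) > (?P<dst>[0-9.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) "
)
# A row of the final port table, e.g. "80/tcp filtered http".
PORT_LINE = re.compile(r"^(?P<port>\d+)/tcp\s+(?P<state>[a-z|]+)\s+\S+")


def unwrap(text):
    """Re-join trace records that a mail client wrapped onto a second line."""
    lines = []
    for line in text.splitlines():
        if lines and re.match(r"^\s*(iplen|seq|win|ttl|id)=", line):
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def state_from_flags(reply_flags):
    """SYN-scan semantics: SYN/ACK -> open, RST -> closed, no reply -> filtered."""
    if any("S" in f and "A" in f for f in reply_flags):
        return "open"
    if any("R" in f for f in reply_flags):
        return "closed"
    return "filtered"


def analyze(trace_text):
    """Summarise probes, replies, derived state and reported state per port."""
    sent = defaultdict(list)   # target port -> probe timestamps
    rcvd = defaultdict(list)   # target port -> flags of replies nmap logged
    reported = {}
    for line in unwrap(trace_text):
        m = TCP_LINE.match(line)
        if m:
            if m["dir"] == "SENT":
                sent[int(m["dport"])].append(float(m["t"]))
            else:
                # In a reply the target's port is the source port.
                rcvd[int(m["sport"])].append(m["flags"])
            continue
        p = PORT_LINE.match(line)
        if p:
            reported[int(p["port"])] = p["state"]
    summary = {}
    for port, times in sorted(sent.items()):
        derived = state_from_flags(rcvd[port])
        summary[port] = {
            "probes": len(times),
            "replies": len(rcvd[port]),
            # Spacing between retransmissions of the same probe, in seconds.
            "retransmit_gaps_s": [round(b - a, 4) for a, b in zip(times, times[1:])],
            "derived": derived,
            "reported": reported.get(port),
            "self_consistent": reported.get(port) == derived,
        }
    return summary


def cross_check(summary, sniffed):
    """Compare nmap's verdict with replies another tool saw on the wire.

    `sniffed` maps target port -> list of TCP flag strings from a sniffer.
    A mismatch where the wire shows SYN/ACK but nmap says filtered means
    nmap missed or did not wait for the reply.
    """
    findings = {}
    for port, info in summary.items():
        wire = state_from_flags(sniffed.get(port, []))
        findings[port] = {"nmap": info["reported"], "wire": wire,
                          "mismatch": info["reported"] != wire}
    return findings


# Single-port trace from the post, wrapped exactly as the mail shows it.
SINGLE_PORT_TRACE = """\
SENT (0.3389s) TCP 10.0.3.229:53832 > 10.0.3.115:80 S ttl=58 id=64238
iplen=44  seq=2707334846 win=1024 <mss 1460>
SENT (0.3890s) TCP 10.0.3.229:53833 > 10.0.3.115:80 S ttl=54 id=20639
iplen=44  seq=2707400383 win=1024 <mss 1460>
PORT   STATE    SERVICE
80/tcp filtered http
"""
# Constructed stand-in for the tcpdump capture: the SYN/ACK did arrive.
SNIFFED_REPLIES = {80: ["SA"]}

if __name__ == "__main__":
    summary = analyze(SINGLE_PORT_TRACE)
    for port, info in summary.items():
        print(port, info)
    print(cross_check(summary, SNIFFED_REPLIES))
```

On the post's single-port trace the summary shows two probes 50 ms apart, no reply logged, and a self-consistent "filtered" verdict; only the cross-check against the sniffer exposes the disagreement. Running the same parser over the two-port trace yields "open" for both ports with no mismatch, which is the behaviour the post contrasts it with.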