Vulnerability Development mailing list archives
Re: DOS on inetd w/ nmap
From: john.bock () MARCHFIRST COM (John Bock)
Date: Tue, 25 Apr 2000 10:04:28 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Perhaps there is a way to make nmap "low-and-slow"?
Have you tried using any of the timing options? From the man page:

TIMING OPTIONS

Generally Nmap does a good job at adjusting for network characteristics at runtime and scanning as fast as possible while minimizing the chances of hosts/ports going undetected. However, there are some cases where Nmap's default timing policy may not meet your objectives. The following options provide a fine level of control over the scan timing:

-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>

These are canned timing policies for conveniently expressing your priorities to Nmap. Paranoid mode scans very slowly in the hopes of avoiding detection by IDS systems. It serializes all scans (no parallel scanning) and generally waits at least 5 minutes between sending packets. Sneaky is similar, except it only waits 15 seconds between sending packets. Polite is meant to ease load on the network and reduce the chances of crashing machines. It serializes the probes and waits at least 0.4 seconds between them. Normal is the default Nmap behaviour, which tries to run as quickly as possible without overloading the network or missing hosts/ports. Aggressive mode adds a 5 minute timeout per host and it never waits more than 1.25 seconds for probe responses. Insane is only suitable for very fast networks or where you don't mind losing some information. It times out hosts in 75 seconds and only waits 0.3 seconds for individual probes. It does allow for very quick network sweeps though :). You can also reference these by number (0-5). For example, '-T 0' gives you Paranoid mode and '-T 5' is Insane mode.

Please respond to "Clifford, Shawn A" <shawn.a.clifford () LMCO COM>
To: VULN-DEV () SECURITYFOCUS COM
cc: (bcc: John Bock/Whittman-Hart LP)
Subject: DOS on inetd w/ nmap

Hi All,

The problem is that inetd will abort when too many connections are made. This is an old problem that appears to still be a problem even on some newer OSes, specifically IRIX (*all* 6.2-6.5, others?), some HP-UX (B.10.20, but only on some machines... dunno why), and of course old SunOS 4.1.3/4.1.4 machines (only some!). You must then log on at the console (unless you had a remote window open to the machine prior to inetd exiting) and either restart inetd or reboot the machine.

I was fiddling with the 'httpd_scan.pl' script that I posted a while back, which is predicated on NetCat for the port scanning and for sending http GETs to possible servers, when I thought I would substitute 'nmap' for 'nc' in my script. Nmap is about 4 times faster, as it turns out, for doing port scans, but it has this nasty side-effect. It also seems to be sending data, as it not only crashes inetd on IRIX, but it also crashes some service called 'sgi_fam' with an enormous amount of data.

/var/adm/SYSLOG entry:

Apr 5 18:30:43 3D:node famd: fd 10 message length 1212498244 bytes exceeds max of 1064.

What's doubly annoying about this is that nmap is such a good tool, otherwise, and is being promoted by SANS as a tool of choice. Clearly crashing inetd isn't very subtle. Perhaps there is a way to make nmap "low-and-slow"? Although netcat is much slower, and doesn't have the fingerprinting capability of nmap, I will have to keep using 'nc' for my Web server scans.

Regards,
-- Shawn

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBOQWzziwFkokFbeHBEQJ+AQCgrMOoU5z204xzb4UVQVG2nw0w+/wAoOqo
1U4SvutEhZtYk60y59s59FOy
=XnxZ
-----END PGP SIGNATURE-----
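The famd syslog line quoted above carries a triage clue worth extracting: a "message length" of 1212498244 is not a length at all. The Python script below is an example added to this archive page, not code from either poster; it parses that syslog line, reports the overflow, and reinterprets the reported length as the four raw bytes famd evidently read as a length field. For the value on the page those bytes are the ASCII string "HEAD", which is consistent with an HTTP request reaching famd's port before any fam protocol header; the big-endian 32-bit read, the regular expression and the two surrounding log entries are my assumptions, not facts from the thread.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the famd line quoted in Shawn's message, framed by two
# unrelated (constructed) entries that the detector must ignore.
SAMPLE_SYSLOG = """\
Apr 5 18:30:41 3D:node syslogd: restart
Apr 5 18:30:43 3D:node famd: fd 10 message length 1212498244 bytes exceeds max of 1064.
Apr 5 18:30:50 3D:node login: ROOT LOGIN console
"""

FAMD_RE = re.compile(  # assumed shape of the famd line; matches the quoted entry
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) famd: "
    r"fd (?P<fd>\d+) message length (?P<length>\d+) bytes exceeds max of (?P<max>\d+)"
)

@dataclass
class FamdOverflow:
    timestamp: str
    host: str
    fd: int
    length: int          # length famd believed it was told
    max_len: int         # famd's hard limit, from the log line
    leading_bytes: str   # the same length re-read as the 4 raw bytes famd consumed

def decode_length_as_ascii(length: int) -> str:
    """Reinterpret a length field as the bytes it was parsed from.
    Assumption: famd reads the first four bytes of a client message as a
    big-endian 32-bit length, so a foreign client's opening bytes land here.
    Printable ASCII comes back as text, anything else as hex."""
    if length >= 1 << 32:
        return "0x%x" % length      # does not fit a 32-bit field; show it raw
    raw = struct.pack(">I", length)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else raw.hex()

def parse_famd_overflow(line: str) -> Optional[FamdOverflow]:
    """One syslog line -> FamdOverflow if it is a famd length overflow, else None."""
    m = FAMD_RE.match(line)
    if not m:
        return None
    length = int(m["length"])
    return FamdOverflow(m["ts"], m["host"], int(m["fd"]), length,
                        int(m["max"]), decode_length_as_ascii(length))

def scan_syslog(text: str) -> List[FamdOverflow]:
    """Detection pass: every famd length overflow in a syslog excerpt."""
    return [ev for ev in map(parse_famd_overflow, text.splitlines()) if ev]
```

Running `scan_syslog(SAMPLE_SYSLOG)` yields one event with `leading_bytes == 'HEAD'`, so an analyst can tell from the log alone which protocol's data hit the service.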