Nmap Development mailing list archives

Re: Good nmap timeout values for port scans of filtering hosts on local LAN


From: "Alek O. Komarnitsky (N-CSC)" <alek () ast lmco com>
Date: Thu, 16 Aug 2001 16:02:59 -0600 (MDT)

From: Fyodor <fyodor () insecure org>
Subject: Re: Good nmap timeout values for port scans of filtering hosts on local LAN
To: H D Moore <hdm () secureaustin com>
Cc: Alek Komarnitsky <alek () komar org>, nmap-dev () insecure org

HOWEVER, the --max_rtt_timeout 50 should have made the scan a LOT
faster.  You have uncovered a bug in Nmap.  Good find!  If
--max_rtt_timeout is set to a lower value than the default
initial_rtt_timeout, the latter value should be immediately reduced to
the max_rtt_timeout.  I have fixed this for the next version of Nmap.
Until that is released, people who use --max_rtt_timeout should also
set --initial_rtt_timeout to the same value.

[Announcing BETA29 Release]
o Fixed portscan timing bug found by H D Moore (hdm () secureaustin com).
  This bug can occur when you specify a --max_rtt_timeout but not
  --initial_rtt_timeout and then scan certain firewalled hosts.


Ummmmmm ... I still swear something is "strange" with nmap scanning of 
filtered hosts and max_rtt_timeout doesn't quite behave correctly (?). 

For instance, I have two machines on the same ClassC subnet
(that has minimal traffic on it).  scanner-host is running Linux6.2 
and using the latest Beta29 release of nmap. scanned-host is running 
Linux7.1 and the only port open in the range of 50-100 is port 80 for httpd.
ping/traceroute shows rtt times of about 0.5 msec.


I've attached actual nmap outputs below, but if I do an nmap
with a max_rtt_timeout of 40 (milliseconds), the scan of 50 ports
takes 45 seconds and correctly reports only port 80 open. Ditto
if max_rtt_timeout is 50, 60, or no max_rtt_timeout is specified.

However, if I set it to 30, it responds in *1* second ... but
returns different port information ... so why when I moved
max_rtt_timeout down slightly did I see such a dramatic change?

alek


[alek@www docs]$ nmap --max_rtt_timeout 40 -p50-100 SCANNED-HOST
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Interesting ports on SCANNED-HOST
(The 50 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http
Nmap run completed -- 1 IP address (1 host up) scanned in 45 seconds


[alek@www docs]$ nmap --max_rtt_timeout 30 -p50-100 SCANNED-HOST
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Interesting ports on SCANNED-HOST
(The 43 ports scanned but not shown below are in state: filtered)
Port       State       Service
71/tcp     closed      netrjs-1
72/tcp     closed      netrjs-2
80/tcp     open        http
85/tcp     closed      mit-ml-dev
88/tcp     closed      kerberos-sec
91/tcp     closed      mit-dov
92/tcp     closed      npp
100/tcp    closed      newacct
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
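Added example (not part of the thread, and not nmap's code): a toy model of the per-probe timeout rule the thread discusses. A probe whose reply arrives after the current timeout is treated as unanswered, and once the retransmits are used up the port is reported "filtered"; the model also includes the initial_rtt_timeout capping that Fyodor's fix introduces, so the pre-fix and post-fix behaviour can be compared. The host latencies, the retry count and the 6000 ms placeholder initial timeout are constructed values, not nmap defaults or measurements, and the model does not attempt to explain the specific timings in Alek's runs.

```python
"""Toy model of per-probe RTT timeouts in a port scanner.

Added example: this is NOT nmap's code.  It models only the rule the thread
discusses: a probe whose reply arrives after the current timeout is treated as
unanswered, and after the retransmits run out the port is reported 'filtered'.
All latencies below are constructed sample values, not measurements.
"""

# Constructed sample host: port -> (true state, reply latency in ms).
# None means the host never replies (a genuinely filtered port).
SAMPLE_HOST = {p: ("closed", 35.0) for p in range(50, 101)}  # slow RSTs (assumed)
SAMPLE_HOST[80] = ("open", 0.5)   # httpd answers quickly
SAMPLE_HOST[53] = None            # dropped silently
SAMPLE_HOST[99] = None            # dropped silently

DEFAULT_INITIAL_RTT_MS = 6000.0   # placeholder default, not nmap's real value


def effective_timeout(max_rtt_ms, initial_rtt_ms=None, cap_initial=True):
    """Timeout applied to each probe.

    cap_initial=True is the fix Fyodor describes: an initial timeout larger
    than max_rtt_timeout is reduced to max_rtt_timeout.  cap_initial=False
    reproduces the pre-BETA29 behaviour, where the larger initial value stuck.
    """
    if initial_rtt_ms is None:
        initial_rtt_ms = DEFAULT_INITIAL_RTT_MS
    if cap_initial:
        return min(initial_rtt_ms, max_rtt_ms)
    return initial_rtt_ms


def scan(host, max_rtt_ms, initial_rtt_ms=None, retries=2, cap_initial=True):
    """Probe each port once plus `retries` retransmits; return (states, elapsed_ms).

    A reply counts only if it lands within the timeout; otherwise the probe
    burns the full timeout and is retried.  Ports with no accepted reply end
    up 'filtered', which is how a too-short timeout mislabels closed ports.
    """
    timeout = effective_timeout(max_rtt_ms, initial_rtt_ms, cap_initial)
    states, elapsed = {}, 0.0
    for port, reply in sorted(host.items()):
        state = "filtered"
        for _ in range(1 + retries):
            if reply is not None and reply[1] <= timeout:
                state = reply[0]
                elapsed += reply[1]
                break
            elapsed += timeout
        states[port] = state
    return states, elapsed


def summarize(states):
    """Count ports per reported state, e.g. {'open': 1, 'closed': 48, 'filtered': 2}."""
    counts = {}
    for s in states.values():
        counts[s] = counts.get(s, 0) + 1
    return counts


if __name__ == "__main__":
    # Post-fix: timeout capped at max_rtt_timeout; 40 ms > 35 ms so RSTs count.
    for t in (40.0, 30.0):
        states, ms = scan(SAMPLE_HOST, t)
        print(f"max_rtt_timeout={t:g}ms (capped) -> {summarize(states)} in {ms/1000:.2f}s")
    # Pre-fix: the uncapped 6000 ms initial timeout is paid for every unanswered probe.
    states, ms = scan(SAMPLE_HOST, 40.0, cap_initial=False)
    print(f"max_rtt_timeout=40ms (uncapped) -> {summarize(states)} in {ms/1000:.2f}s")
```

Running it shows the two separate effects: with the cap in place, dropping the timeout from 40 ms to 30 ms (below the constructed 35 ms RST latency) turns every closed port into "filtered" even though the host is answering, and without the cap the two silently dropped ports alone cost six full 6000 ms waits, which is the slowdown Fyodor's fix removes.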
