Nmap Development mailing list archives

Re: what trickery can nmap take 20 hours to scan 1 host!!


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Fri, 20 Apr 2007 12:48:21 -0500

On 4/19/07, Hari Sekhon  wrote:
I have run nmap against a host that was trying to do something funny to
one of my machines

nmap -sS -P0 -O x.x.x.x -p-

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-19 15:08 BST
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.29% done
Stats: 4:21:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 11.75% done; ETC: 07:45 (14:39:55 remaining)
caught SIGINT signal, cleaning up

I have run tarpits, but here I am running a SYN scan so it
shouldn't catch it.
If I scan a host that doesn't exist on my local subnet like

 nmap -sS -P0 -O 192.168.x.x -p-

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-19 18:22 BST
Nmap finished: 1 IP address (0 hosts up) scanned in 0.317 seconds

So it doesn't have any problem when the host doesn't respond, and if I
have a tarpit, the ACK from the SYN scan is all it cares about and
immediately moves on (I can scan 65535 ports on a tarpitted host in SYN
mode instantly). So in a SYN scan, tarpit tricks don't work to make the
originator keep retrying, so what is up with this remote host?

What can make nmap hang so badly that it would take nearly 20 hours to
scan all the ports?
This must be some counter scan technology or something.

-h

--
Hari Sekhon

If the system was compromised by a worm or bot, is it possible that it
just didn't have enough sockets, bandwidth, CPU, or memory to respond
to your nmap scan in a timely manner?

-Jason

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
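Added example (not from the thread, nor part of Nmap): a small Python script that parses the two Stats/Timing pairs quoted above and measures how the scan rate changed between them, which is the first thing to quantify before guessing what the target is doing. It assumes a full-range scan (65535 ports, as `-p-` gives) and the Nmap 4.20 progress-line format shown in the thread; the sample output is the thread's own lines, unwrapped.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two Stats/Timing pairs quoted in the thread, unwrapped.
SAMPLE_OUTPUT = """\
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.29% done
Stats: 4:21:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 11.75% done; ETC: 07:45 (14:39:55 remaining)
"""
STATS_RE = re.compile(r"^Stats:\s+(\d+):(\d{2}):(\d{2}) elapsed")
TIMING_RE = re.compile(r"Timing: About ([\d.]+)% done")

@dataclass
class Sample:
    elapsed_s: int    # seconds since the scan started
    pct_done: float   # percent of the port-scan phase completed

def parse_stats(text: str) -> list:
    """Pair each 'Stats:' line with the 'Timing:' line that follows it."""
    samples, elapsed = [], None
    for line in text.splitlines():
        if m := STATS_RE.match(line):
            h, mi, s = (int(g) for g in m.groups())
            elapsed = h * 3600 + mi * 60 + s
        elif (m := TIMING_RE.search(line)) and elapsed is not None:
            samples.append(Sample(elapsed, float(m.group(1))))
            elapsed = None
    return samples

def interval_rate(a: Sample, b: Sample, total_ports: int = 65535) -> float:
    """Ports finished per second between two consecutive samples."""
    return (b.pct_done - a.pct_done) / 100 * total_ports / (b.elapsed_s - a.elapsed_s)

def assess(text: str, total_ports: int = 65535) -> dict:
    """Linear projection of total run time plus first-vs-latest interval rates."""
    s = parse_stats(text)
    if len(s) < 2:
        raise ValueError("need at least two Stats/Timing pairs")
    first = interval_rate(Sample(0, 0.0), s[0], total_ports)  # scan starts at 0%, t=0
    last = interval_rate(s[-2], s[-1], total_ports)
    return {
        "projected_total_h": round(s[-1].elapsed_s * 100 / s[-1].pct_done / 3600, 1),
        "first_rate_pps": round(first, 2),
        "last_rate_pps": round(last, 2),
        "slowdown_x": round(first / last, 1),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))  # thread's numbers: 37.0 h projected, 10.1x slowdown
```

A steady rate that is simply low points at the total amount of work; a rate that falls by an order of magnitude between samples, as here, shows the scanner backing off during the run, which is a different question to put to the target's owner or to the path in between.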
