Nmap Development mailing list archives

Re: what trickery can nmap take 20 hours to scan 1 host!!


From: Hari Sekhon <hpsekhon () googlemail com>
Date: Mon, 23 Apr 2007 10:14:18 +0100

thanks for your replies guys, I am aware of the timing settings, I usually 
use -T4 locally but leave it at -T3 across the internet.

I had a peek at that URL regarding chaostables. It looks 
interesting but it doesn't explain how it foils port scanners.

Also, isn't nmap just supposed to give up and move on to the next port 
if it doesn't get a response?

If it does get a response then it should move straight on to the next 
port since it doesn't need to reply, therefore tarpit persist tricks 
don't work (I know, I've tried scanning a tarpit of mine; I scanned all 
65535 ports in seconds because the time-wasting packets were ignored in the 
SYN scan)

I'm still at a bit of a loss here.

I suppose it's possible that a bot ridden computer didn't have the 
resources to respond, but I would still expect nmap to move on after a 
little time, hence it should never take 20 hours to scan 1 host...

-h

Hari Sekhon



Jan Engelhardt wrote:
> On Apr 21 2007 12:14, DePriest, Jason R. wrote:
>> On 4/21/07, Jan Engelhardt wrote:
>>> On Apr 20 2007 12:48, DePriest, Jason R. wrote:
>>>> I have run nmap against a host who was trying to do something funny to
>>>> one of my machines
>>>>
>>>> nmap -sS -P0 -O x.x.x.x -p-
>>>>
>>>> Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-19 15:08 BST
>>>> Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN
>>>> Stealth Scan
>>>> SYN Stealth Scan Timing: About 0.29% done
>>>> Stats: 4:21:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN
>>>> Stealth Scan
>>>> SYN Stealth Scan Timing: About 11.75% done; ETC: 07:45 (14:39:55 remaining)
>>>> caught SIGINT signal, cleaning up
>>>>
>>>> I have run tarpits, but here I am running a SYN scan so it
>>>> shouldn't catch it.
>>>> If I scan a host that doesn't exist on my local subnet like
>>>>
>>>>  nmap -sS -P0 -O 192.168.x.x -p-
>>>>
>>>> Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-19 18:22 BST
>>>> Nmap finished: 1 IP address (0 hosts up) scanned in 0.317 seconds
>>>>
>>>> So it doesn't have any problem when the host doesn't respond, and if I
>>>> have a tarpit, the ACK from the SYN scan is all it cares about and
>>>> immediately moves on (I can scan 65535 ports on a tarpitted host in SYN
>>>> mode instantly). So in a SYN scan, tarpit tricks don't work to make the
>>>> originator keep retrying, so what is up with this remote host?
>>>>
>>>> What can make nmap hang so badly that it would take nearly 20 hours to
>>>> scan all the ports?
>>>> This must be some counter scan technology or something.
>>>
>>> http://jengelh.hopto.org/p/chaostables/ for example...
>>> 1024 ports in about 2 minutes -- but only when using `nmap -T5` (decreased
>>> result reliability).
>>> Scales linearly with more ports, e.g. 64K ports = 128 minutes.
>>>
>>> And expect nmap to take a LOT longer in the default -T3.
>>
>> I can accurately scan all 65535 TCP ports on a typical non-firewalled
>> Windows host one or two hops away in under 10 minutes.  UDP ports are
>> hit or miss...
>
> What does that have to do with it?
>
>
> Jan

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
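The thread above turns on whether nmap "just gives up and moves on" when a port does not answer. Per probe it does, but only after a timeout that is derived from the round-trip times it has measured so far, and only after several retransmissions; a target that answers a fraction of the probes, and answers them late, inflates both the timeout and the retransmission count, which is enough to turn a full -p- scan into hours. What follows is an added example, not code from nmap, from chaostables, or from anyone in this thread: a simplified Python model of that timeout-and-retransmit loop, run against three constructed targets. The numeric defaults (1 s initial timeout, clamp to 0.1 s to 10 s, 10 retransmissions, 100 probes in flight) are assumptions picked to resemble nmap's -T3 defaults, not nmap's code, and the `Target`, `Timing` and `simulate_syn_scan` names are this example's own. The tightened run corresponds to the real nmap options --max-retries and --max-rtt-timeout.

```python
import random
from dataclasses import dataclass

# Added example, not code from nmap or from anyone in the thread. This is a
# deliberately simplified model of a SYN scanner's per-probe timeout and
# retransmission logic. The defaults below are assumptions chosen to resemble
# nmap's documented -T3 behaviour (initial RTT timeout 1 s, clamped to
# [0.1 s, 10 s], up to 10 retransmissions per probe); they are not nmap's code.


@dataclass(frozen=True)
class Target:
    """How the scanned host behaves: fraction of probes it silently drops,
    and how long it takes to answer the rest (SYN/ACK or RST)."""
    name: str
    drop_prob: float
    reply_delay_s: float


@dataclass(frozen=True)
class Timing:
    """Scanner-side knobs. nmap exposes the first three as --max-retries,
    --max-rtt-timeout and --min-rtt-timeout; the values here are assumptions."""
    max_retries: int = 10
    max_timeout_s: float = 10.0
    min_timeout_s: float = 0.1
    initial_timeout_s: float = 1.0
    parallelism: int = 100   # probes in flight; held constant here, nmap adapts it


def rtt_update(srtt, rttvar, sample):
    """TCP-style smoothed RTT and variance (RFC 6298 gains 1/8 and 1/4)."""
    if srtt is None:
        return sample, sample / 2
    rttvar += (abs(sample - srtt) - rttvar) / 4
    srtt += (sample - srtt) / 8
    return srtt, rttvar


def simulate_syn_scan(target, ports, timing=Timing(), seed=7):
    """Scan `ports` ports of `target`; report probes sent, ports never answered
    (a scanner would call them filtered), the final per-probe timeout, and the
    wall-clock time given a fixed number of probes in flight."""
    rng = random.Random(seed)         # seeded so runs are reproducible
    srtt = rttvar = None
    timeout = timing.initial_timeout_s
    serial_s = 0.0                    # time spent waiting, summed over probes
    probes = unanswered = 0
    for _port in range(ports):
        answered = False
        for _attempt in range(timing.max_retries + 1):
            probes += 1
            if rng.random() < target.drop_prob:
                # Nothing comes back: wait out the whole timeout, then retransmit.
                serial_s += timeout
                continue
            # An answer arrived (possibly late); its RTT feeds the estimator and
            # therefore the timeout applied to every later probe.
            serial_s += target.reply_delay_s
            srtt, rttvar = rtt_update(srtt, rttvar, target.reply_delay_s)
            timeout = min(timing.max_timeout_s,
                          max(timing.min_timeout_s, srtt + 4 * rttvar))
            answered = True
            break
        if not answered:
            unanswered += 1
    return {
        "target": target.name,
        "probes": probes,
        "unanswered_ports": unanswered,
        "final_timeout_s": round(timeout, 3),
        "wall_clock_s": round(serial_s / timing.parallelism, 1),
    }


# Constructed targets (assumptions for illustration, not measurements of any real host).
RESPONSIVE = Target("LAN host, answers everything in 50 ms", 0.0, 0.05)
SILENT = Target("fully filtered host, answers nothing", 1.0, 0.0)
ERRATIC = Target("answers 1 probe in 5, and only after 4 s", 0.8, 4.0)

DEFAULT_TIMING = Timing()
TIGHT_TIMING = Timing(max_retries=3, max_timeout_s=2.0)   # like --max-retries 3 --max-rtt-timeout 2s


def compare(ports=1000):
    """Run the three targets with default timing, and the erratic one again
    with tightened timing, to show the time versus reliability trade-off."""
    return {
        "responsive": simulate_syn_scan(RESPONSIVE, ports),
        "silent": simulate_syn_scan(SILENT, ports),
        "erratic": simulate_syn_scan(ERRATIC, ports),
        "erratic_tight": simulate_syn_scan(ERRATIC, ports, TIGHT_TIMING),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:14s} {result}")
```

Run it with `python3` and compare the four rows. The responsive host finishes 1000 ports in well under a second of modelled wall-clock time; the fully silent host costs eleven full timeouts per port but the timeout never grows, because nothing ever comes back to measure; the erratic host costs more wall-clock time than the silent one even though it does answer, because each late answer pushes the timeout up toward its 4 s round trip and most probes still have to be retransmitted at that longer timeout. Tightening retries and the timeout cap bounds the scan, but the number of ports that are never answered, and so would be reported as filtered, rises sharply, which is the reliability loss Jan mentions for -T5. Two caveats on the model: it keeps the number of probes in flight constant, whereas nmap also shrinks its congestion window when it sees drops, which stretches a lossy scan further; and it says nothing about what chaostables actually sends, only about how a scanner's timing reacts to partial, late answers. For a hard upper bound on a single host, nmap's --host-timeout is the blunt tool.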

