Nmap Development mailing list archives

Re: [Pauldotcom] NMAP Discrepancies


From: Michael Lubinski <michael.lubinski () gmail com>
Date: Tue, 21 Jun 2011 09:34:11 -0500

On Tue, Jun 21, 2011 at 8:59 AM, Shinnok <admin () shinnok com> wrote:

Hi Michael,

I've managed to take a look at the service discrepancies issue you
experienced. I made a similar Windows setup just as yours in VMware and
tested ms-rdp 3389 and I can't reproduce your behavior.

The strange thing in your case is that Nmap should at least print
"ms-term-serv" instead of "microsoft-rdp" if the "Microsoft Terminal
Service" doesn't get identified by -sV, in the SERVICE column of the
output.

I'm going to need some more info from you in order to proceed with
further investigation:

I need the exact Nmap line that you use to scan and confirmation that
you don't change that between scans.


nmap -sS -sV -p1-65535 -d2 -oX scan-current.xml -iL c:\nmap\include.txt --excludefile c:\nmap\exclude.txt


I will also ask you, if you can, to try and catch a scan that does print
the wrong services or nothing at all with this nmap invocation:

nmap -p3389 -PN -sV -vvvv -dddd --version-trace *your-host*

And please attach the output to a reply e-mail. That output will at
least show us if indeed it is a timeout issue or something else.


At 8:00 this morning the scan reported the following:

-3389/tcp  open  microsoft-rdp Microsoft Terminal Service
+3389/tcp  open  ms-term-serv
+21835/tcp open  msrpc         Microsoft Windows RPC
-36710/tcp open  msrpc         Microsoft Windows RPC


At 9:30 I performed the trace with the following results:

***WinIP***  trying to initialize WinPcap
Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
NPF service is already running.

Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-21 09:32 Central Daylight Time
Fetchfile found C:\Program Files (x86)\Nmap\nmap-services
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found C:\Program Files (x86)\Nmap\nse_main.lua
Fetchfile found C:\Program Files (x86)\Nmap\nselib/
Fetchfile found C:\Program Files (x86)\Nmap\scripts\script.db
Fetchfile found C:\Program Files (x86)\Nmap\scripts\db2-das-info.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\drda-info.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\iax2-version.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\jdwp-version.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\netbus-version.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\pptp-version.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\skypev2-version.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\wdb-version.nse
NSE: Loaded 8 scripts for scanning.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\db2-das-info.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\drda-info.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\iax2-version.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\jdwp-version.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\netbus-version.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\pptp-version.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\skypev2-version.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\wdb-version.nse'.
doing 0.0.0.0 = 192.168.1.10
Fetchfile found C:\Program Files (x86)\Nmap\nmap-payloads
Initiating ARP Ping Scan at 09:32
Scanning 192.168.1.10 [1 port]
Packet capture filter (device eth6): arp and arp[18:4] = 0x001E0BB1 and arp[22:2] = 0xB3E8
SENT (1.3450s) ARP who-has 192.168.1.10 tell 192.168.1.122
**TIMING STATS** (1.3450s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
   192.168.1.10: 1/0/0/1/0/0 10.00/75/0 200000/-1/-1
Current sending rates: 8.77 packets / s, 368.42 bytes / s.
Overall sending rates: 8.77 packets / s, 368.42 bytes / s.
RCVD (1.3450s) ARP reply 192.168.1.10 is-at F4:CE:46:B8:81:60
Found 192.168.1.10 in incomplete hosts list.
ultrascan_host_probe_update called for machine 192.168.1.10 state UNKNOWN -> HOST_UP (trynum 0 time: 0)
Timeout vals: srtt: -1 rttvar: -1 to: 200000 delta 0 ==> srtt: 0 rttvar: 5000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 200000 delta 0 ==> srtt: 0 rttvar: 5000 to: 100000
Changing ping technique for 192.168.1.10 to ARP
Moving 192.168.1.10 to completed hosts list with 0 outstanding probes.
Changing global ping host to 192.168.1.10.
Completed ARP Ping Scan at 09:32, 0.11s elapsed (1 total hosts)
Overall sending rates: 8.77 packets / s, 368.42 bytes / s.
pcap stats: 2 packets received by filter, 0 dropped by kernel.
mass_rdns: Using DNS server 192.168.1.10
mass_rdns: Using DNS server 192.168.1.10
NSOCK (1.3470s) UDP connection requested to 192.168.1.10:53 (IOD #1) EID 8
NSOCK (1.3470s) Read request from IOD #1 [192.168.1.10:53] (timeout: -1ms) EID 18
NSOCK (1.3500s) UDP connection requested to 192.168.1.10:53 (IOD #2) EID 24
NSOCK (1.3500s) Read request from IOD #2 [192.168.1.10:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution of 1 host. at 09:32
mass_rdns: TRANSMITTING for <192.168.1.10> (server <192.168.1.10>)
NSOCK (1.3500s) Write request for 43 bytes to IOD #1 EID 43 [192.168.1.10:53]: Z............10.1.168.192.in-addr.arpa.....
NSOCK (1.3500s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.10:53]
NSOCK (1.3500s) Callback: CONNECT SUCCESS for EID 24 [192.168.1.10:53]
NSOCK (1.3500s) Callback: WRITE SUCCESS for EID 43 [192.168.1.10:53]
NSOCK (1.3510s) Callback: READ SUCCESS for EID 18 [192.168.1.10:53] (120 bytes)
NSOCK (1.3510s) Read request from IOD #1 [192.168.1.10:53] (timeout: -1ms) EID 50
CAPACITY <192.168.1.10> = 12
mass_rdns: NXDOMAIN <id = 23288>
mass_rdns: 0.01s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 09:32, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:32
192.168.1.10 pingprobe type ARP is inappropriate for this scan type; resetting.
Scanning 192.168.1.10 [1 port]
Packet capture filter (device eth6): dst host 192.168.1.122 and (icmp or ((tcp or udp or sctp) and (src host 192.168.1.10)))
SENT (1.3540s) TCP [192.168.1.122:47605 > 192.168.1.10:3389 S seq=86966497 ack=0 off=6 res=0 win=2048 csum=0x3F0F urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0x00 iplen=44 id=14257 foff=0 ttl=53 proto=6 csum=0xca46]
**TIMING STATS** (1.3540s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   192.168.1.10: 1/0/0/1/0/0 10.00/75/0 100000/0/5000
Current sending rates: 333.33 packets / s, 14666.67 bytes / s.
Overall sending rates: 333.33 packets / s, 14666.67 bytes / s.
RCVD (1.3550s) TCP [192.168.1.10:3389 > 192.168.1.122:47605 SA seq=74024069 ack=86966498 off=6 res=0 win=8192 csum=0x9E0F urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0x00 iplen=44 id=6342 flg=D foff=0 ttl=128 proto=6 csum=0x5e31]
Found 192.168.1.10 in incomplete hosts list.
Discovered open port 3389/tcp on 192.168.1.10
Timeout vals: srtt: 0 rttvar: 5000 to: 100000 delta 1000 ==> srtt: 125 rttvar: 4000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1000 ==> srtt: 1000 rttvar: 5000 to: 100000
Changing ping technique for 192.168.1.10 to tcp to port 3389; flags: S
Moving 192.168.1.10 to completed hosts list with 0 outstanding probes.
Changing global ping host to 192.168.1.10.
Completed SYN Stealth Scan at 09:32, 0.00s elapsed (1 total ports)
Overall sending rates: 250.00 packets / s, 11000.00 bytes / s.
pcap stats: 2 packets received by filter, 0 dropped by kernel.
Fetchfile found C:\Program Files (x86)\Nmap\nmap-service-probes
Initiating Service scan at 09:32
Scanning 1 service on 192.168.1.10
Starting probes against new service: 192.168.1.10:3389 (tcp)
NSOCK (1.4300s) TCP connection requested to 192.168.1.10:3389 (IOD #1) EID 8
NSOCK (1.4310s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.10:3389]
Service scan sending probe NULL to 192.168.1.10:3389 (tcp)
NSOCK (1.4310s) Read request from IOD #1 [192.168.1.10:3389] (timeout: 6000ms) EID 18
NSOCK (7.4310s) Callback: READ TIMEOUT for EID 18 [192.168.1.10:3389]
Service scan sending probe TerminalServer to 192.168.1.10:3389 (tcp)
NSOCK (7.4310s) Write request for 11 bytes to IOD #1 EID 27 [192.168.1.10:3389]: ...........
NSOCK (7.4310s) Read request from IOD #1 [192.168.1.10:3389] (timeout: 5000ms) EID 34
NSOCK (7.4310s) Callback: WRITE SUCCESS for EID 27 [192.168.1.10:3389]
NSOCK (7.4310s) Callback: READ SUCCESS for EID 34 [(null):65535] (11 bytes): .........4.
Service scan match (Probe TerminalServer matched with TerminalServer): 192.168.1.10:3389 is microsoft-rdp.  Version: |Microsoft Terminal Service|||
Completed Service scan at 09:32, 6.00s elapsed (1 service on 1 host)
Starting RPC scan against 192.168.1.10
Fetchfile found C:\Program Files (x86)\Nmap\nmap-rpc
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 192.168.1.10
Fetchfile found C:\Program Files (x86)\Nmap\nmap-mac-prefixes
Host is up, received arp-response (0.00013s latency).
Scanned at 2011-06-21 09:32:29 Central Daylight Time for 6s
PORT     STATE SERVICE       REASON  VERSION
3389/tcp open  microsoft-rdp syn-ack Microsoft Terminal Service
MAC Address: F4:CE:46:B8:81:60 (Hewlett Packard)
Service Info: OS: Windows
Final times for host: srtt: 125 rttvar: 4000  to: 100000

Read from C:\Program Files (x86)\Nmap: nmap-mac-prefixes nmap-payloads nmap-rpc nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.46 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)




If you happen to stumble across a reproducible case in the process,
please send details of that too.


Thanks a bunch,
Shinnok

On 06/06/2011 08:27 PM, Michael Lubinski wrote:
Responded in-line below. This will also happen with the following pairings below. Maybe the service probe timeout is on par?

-88/tcp open  kerberos-sec Microsoft Windows kerberos-sec
+88/tcp open  tcpwrapped

-464/tcp   open  kpasswd5
+464/tcp   open  tcpwrapped

-11099/tcp open  apc-agent APC PowerChute agent
+11099/tcp open  unknown

-11100/tcp open  apc-agent APC PowerChute agent
+11100/tcp open  unknown

-464/tcp open
+464/tcp open  tcpwrapped

On Mon, Jun 6, 2011 at 7:41 AM, Shinnok <admin () shinnok com> wrote:

On Mon, Jun 6, 2011 at 3:27 PM, Shinnok <admin () shinnok com> wrote:
Hi,

Don't service probes have a certain timeout for the probe response? If
so then big service latency could cause that exact mismatch also.

Brief grepping revealed the following in service_scan.h:
#define DEFAULT_SERVICEWAITMS 5000
Which should be enough imho, if that's the right timeout value. Does
that value get dynamically adjusted along the scan?

Another reason could be that some services have resuming state
capabilities or don't recover that well upon sudden termination of a
connection, which means that the subsequent timely scans would get
unexpected results for the service probes.


As you probably noticed, my comment assumes that there is nothing
wrong with the service code, however, given a reproducible case that I
can poke at, I am glad to take a look at the issue.
For example, for the microsoft-rdp case I would need Windows Version,


Server 2008 R2 Enterprise


Service Pack version, MSRDP client version,


RDP Ver 6.1.7600


Nmap version and on which
subsequent scan does Nmap stop reporting the Service for the port(the
last requirement must be somewhat reproducible).


Nmap 5.5.1


Thanks,

--

Shinnok <http://shinnok.com>




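The probe sequence the version trace above walks through (NULL probe with a 6000 ms read timeout, then the 11-byte TerminalServer probe with the 5000 ms DEFAULT_SERVICEWAITMS, matched on an 11-byte reply), modelled as an added example in Python. This is not code from the thread or from Nmap itself. The probe and match bytes are reproduced from my recollection of the TerminalServer entry in nmap-service-probes and should be checked against an installed copy; the timeouts come from the trace and from service_scan.h as quoted in the thread. `SimulatedService`, `service_scan`, `decode_x224_cc` and `probe_rdp_live` are names of my own, and `SimulatedService` is a constructed stand-in for the listener so that the three outcomes the thread discusses (a match, a reply that arrives after the timeout, and a connection dropped before any data) can be reproduced offline.

```python
import re
import socket

# Nmap's TerminalServer probe: a TPKT header (03 00 00 0b, 11 bytes total)
# carrying an X.224 Connection Request (06 e0 ...).  ASSUMPTION: reproduced
# from memory of nmap-service-probes; check the 'Probe TCP TerminalServer'
# line in your installed copy.
X224_CONNECTION_REQUEST = b"\x03\x00\x00\x0b\x06\xe0\x00\x00\x00\x00\x00"
# The match line for Windows Terminal Services: an X.224 Connection Confirm
# (06 d0) carrying SRC-REF 0x1234.  Same caveat as above.
MS_RDP_MATCH = re.compile(rb"^\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00$")
# Constructed reply: the 11 bytes the version trace prints as ".........4."
WINDOWS_CC_REPLY = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"

NULL_PROBE_WAIT = 6.0  # the 6000 ms read timeout on the NULL probe in the trace
PROBE_WAIT = 5.0       # DEFAULT_SERVICEWAITMS (5000 ms) from service_scan.h


class SimulatedService:
    """Constructed stand-in for a 3389 listener so the sequence runs offline.

    cr_reply:         bytes the host answers an X.224 CR with (None = never)
    cr_delay:         seconds the host needs before that answer goes out
    close_on_connect: drop the connection before any data, as a firewall or
                      TCP wrapper would
    """

    def __init__(self, cr_reply=None, cr_delay=0.0, close_on_connect=False):
        self.cr_reply = cr_reply
        self.cr_delay = cr_delay
        self.close_on_connect = close_on_connect
        self.log = []  # what --version-trace would have shown

    def connect(self):
        return not self.close_on_connect

    def read(self, wait):
        # RDP never speaks first, so a bare read always runs out the clock.
        self.log.append(f"NULL probe: READ TIMEOUT after {wait:.0f}s")
        return None

    def exchange(self, data, wait):
        if data != X224_CONNECTION_REQUEST or self.cr_reply is None:
            self.log.append("TerminalServer probe: no reply")
            return None
        if self.cr_delay > wait:
            self.log.append(f"TerminalServer probe: READ TIMEOUT after {wait:.0f}s "
                            f"(host would have answered at {self.cr_delay:.0f}s)")
            return None
        self.log.append(f"TerminalServer probe: READ SUCCESS ({len(self.cr_reply)} bytes)")
        return self.cr_reply


def decode_x224_cc(reply):
    """Decode TPKT + X.224 Connection Confirm; raise ValueError on anything else."""
    if len(reply) < 11 or reply[0] != 0x03:
        raise ValueError("not a TPKT packet")
    if int.from_bytes(reply[2:4], "big") != len(reply):
        raise ValueError("TPKT length does not match payload")
    if (reply[5] & 0xF0) != 0xD0:
        raise ValueError("X.224 TPDU is not a Connection Confirm")
    return {
        "li": reply[4],
        "dst_ref": int.from_bytes(reply[6:8], "big"),
        "src_ref": int.from_bytes(reply[8:10], "big"),  # 0x1234 on Windows
        "class": reply[10],
    }


def service_scan(svc, null_wait=NULL_PROBE_WAIT, probe_wait=PROBE_WAIT):
    """Return the (SERVICE, VERSION) pair -sV would print for port 3389."""
    if not svc.connect():
        # Handshake completed, then the peer closed without sending anything.
        return ("tcpwrapped", "")
    svc.read(null_wait)  # probe 1: NULL, just listen for a banner
    reply = svc.exchange(X224_CONNECTION_REQUEST, probe_wait)  # probe 2
    if reply is not None and MS_RDP_MATCH.match(reply):
        return ("microsoft-rdp", "Microsoft Terminal Service")
    # Nothing matched before the timeouts: fall back to the nmap-services
    # name for the port (shown with a trailing '?' in Nmap's normal output).
    return ("ms-term-serv", "")


def probe_rdp_live(host, port=3389, timeout=PROBE_WAIT):
    """Run the same exchange against a real host; decoded CC, or None on no match."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(X224_CONNECTION_REQUEST)
        reply = s.recv(64)
    return decode_x224_cc(reply) if MS_RDP_MATCH.match(reply) else None


if __name__ == "__main__":
    cases = {
        "healthy": SimulatedService(cr_reply=WINDOWS_CC_REPLY, cr_delay=0.1),
        "slow":    SimulatedService(cr_reply=WINDOWS_CC_REPLY, cr_delay=7.0),
        "wrapped": SimulatedService(close_on_connect=True),
    }
    for name, svc in cases.items():
        print(f"{name:8s} -> {service_scan(svc)}  {svc.log}")
    print(decode_x224_cc(WINDOWS_CC_REPLY))
```

The healthy case returns the same SERVICE/VERSION pair the 9:30 trace printed; the slow case, where the Connection Confirm would arrive after the 5 s probe timeout, degrades to the bare nmap-services name exactly as the 8:00 diff shows; and the dropped connection is what Nmap labels tcpwrapped, as in the 88/tcp and 464/tcp pairs further down. Which of those a flaky scan actually hit is what the --version-trace run was asked for: a READ TIMEOUT on the TerminalServer probe points at host latency, while a CONNECT SUCCESS followed by an immediate EOF points at something between the scanner and the service.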
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

