Nmap Development mailing list archives

RE: Extraports Bug?


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Sat, 14 May 2011 08:54:27 +0100

Thanks, that sounds plausible, I'll see if I can repeat it next week.
Although I didn't add it to the initial Nmap command, I think I pressed the
d key a few times during the scan to see what was going on (before
repeatedly pressing D to turn it off). I'm fairly sure it was back to the
equivalent of -d0 by the time the scan results were written to screen/files,
but I think I was increasing debugging during the NSE part of the scan, so
this might be why it happened.

Rob

-----Original Message-----
From: David Fifield [mailto:david () bamsoftware com] 
Sent: 13 May 2011 23:21
To: Rob Nicholls
Cc: Nmap dev
Subject: Re: Extraports Bug?

On Thu, May 12, 2011 at 05:28:26PM +0100, Rob Nicholls wrote:
> I was going through some port scan results from a recent penetration
> test to try and identify why Kris' Ruby Nmap Parser was taking longer
> than usual to process a file and spotted that the output was mostly
> closed ports (in one example there were 30 open ports and no filtered
> ports). I was expecting to see the 65505 closed ports, for example,
> show up as an extraports entry in the XML file, but instead I had a
> line per port (an extra 65k lines per host made the Nmap and XML
> output files considerably larger than expected!).
>
> A similar scan a matter of hours later against hosts on another subnet
> using the same 5.51 SVN version of Nmap returned:
> Not shown: 65502 closed ports
> Reason: 65502 resets
>
> The command I used was:
>
> nmap -vv --script "* and not *brute* and not broadcast and not *flood*
> and not *fuzz* and not *snoop* and not *http-enum*" -n -Pn --reason
> -p- -A -oA xxx_xxx_tcp_full_exclude_xxx -iL xxx.txt
> --defeat-rst-ratelimit --min-hostgroup 64 --exclude xxx.xxx.xxx.xxx
>
> Does anyone have any idea why one set of files is normal (and small)
> and the other is (huge and) full of individual closed ports? The only
> obvious difference I can see is that I used --exclude on this bad
> scan; but that doesn't seem to have made any difference when I ran a
> quick test in the test lab (although the SVN version on a host in the
> lab is probably slightly older). I'll try and do some more testing to
> try and replicate the issue, but I was hoping someone else might have
> seen this "lack of extraports" bug before?

Could have been a difference in debugging level? I think that extraports is
replaced by individual script records with -d2.

David Fifield


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
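The thread turns on the two shapes Nmap XML can take for the same scan: closed ports collapsed into a single <extraports> element (with an <extrareasons> child when --reason is used), or one <port> element per closed port, which is what made the files large and the parser slow. The following is an added example, not code from the thread, from Nmap or from Kris' Ruby Nmap Parser. It reads both shapes into the same per-host state counts, so a consumer is not surprised by either, and flags hosts whose closed ports were written out individually. The two <host> blocks are constructed sample output, not real scan data, and the 192.0.2.x addresses are documentation placeholders.

```python
"""Summarise port states from Nmap XML regardless of whether closed ports
arrive as one <extraports> element or as one <port> element each.

Added example; not the thread's, Nmap's or the Ruby parser's code.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: host .10 has its closed ports collapsed into
# <extraports>; host .11 lists every closed port individually, which is
# the shape the thread describes as "huge".
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- --reason -oX - 192.0.2.0/24">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="65533">
        <extrareasons reason="resets" count="65533"/>
      </extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset" reason_ttl="64"/></port>
      <port protocol="tcp" portid="24"><state state="closed" reason="reset" reason_ttl="64"/></port>
      <port protocol="tcp" portid="25"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
    </ports>
  </host>
</nmaprun>
"""


def summarise_host(host):
    """Return (address, state_counts, open_ports, extraports_seen) for one <host>.

    Aggregated <extraports> counts and individual <port> entries are folded
    into the same Counter, so both output shapes give comparable totals.
    """
    addr = host.find("address").get("addr")
    counts = Counter()
    open_ports = []
    extraports_seen = False
    ports = host.find("ports")
    if ports is None:  # host with no port table (e.g. down or excluded)
        return addr, counts, open_ports, extraports_seen
    for extra in ports.findall("extraports"):
        extraports_seen = True
        counts[extra.get("state")] += int(extra.get("count"))
    for port in ports.findall("port"):
        state = port.find("state").get("state")
        counts[state] += 1
        if state == "open":
            open_ports.append(int(port.get("portid")))
    return addr, counts, sorted(open_ports), extraports_seen


def summarise(xml_text):
    """Map each host address to (state_counts dict, open ports, extraports_seen)."""
    root = ET.fromstring(xml_text)
    return {
        addr: (dict(counts), open_ports, seen)
        for addr, counts, open_ports, seen in (summarise_host(h) for h in root.iter("host"))
    }


def hosts_without_extraports(summary):
    """Addresses whose closed ports were written one <port> at a time.

    These are the hosts that bloat the file; a parser that builds one
    record per <port> element does 65k times more work for them.
    """
    return sorted(
        addr for addr, (counts, _open, seen) in summary.items()
        if not seen and counts.get("closed", 0) > 0
    )


if __name__ == "__main__":
    result = summarise(SAMPLE_XML)
    for addr, (counts, open_ports, seen) in result.items():
        print(addr, counts, "open:", open_ports, "extraports:", seen)
    print("closed ports listed individually on:", hosts_without_extraports(result))
```

Keeping only the aggregated counts (plus the list of open ports) is what keeps processing time flat: the per-host work then depends on the number of interesting ports, not on whether Nmap happened to collapse the closed ones.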

