Re: [Pauldotcom] NMAP Discrepancies

[Shinnok <admin () shinnok com>]

Hi,

Don't service probes have a certain timeout for the probe response? If
so then big service latency could cause that exact mismatch also.

Brief grepping revealed the following in service_scan.h:
#define DEFAULT_SERVICEWAITMS 5000
Which should be enough imho, if that's the right timeout value. Does
that value get dynamically adjusted along the scan?

Another reason could be that some services have resuming state
capabilities or don't recover that well upon sudden termination of a
connection, which means that the subsequent timely scans would get
unexpected results for the service probes.


On Thu, Jun 2, 2011 at 1:54 AM, Ron <ron () skullsecurity net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 23 May 2011 08:22:58 -0500 Michael Lubinski <michael.lubinski () gmail com> wrote:
> > Anybody know why NMAP reports differences every so often with the
> > same port. E.g.
> >
> > -3389/tcp  open  microsoft-rdp Microsoft Terminal Service
> > +3389/tcp  open
> >
> > The same scan is run every time, sometimes it displays the service
> > (using the -sV switch) and sometimes not?
>
> Cross-posting to Nmap-dev.
>
> My suspicion is that the service itself doesn't always return a banner properly.
>
> Ron
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (GNU/Linux)
>
> iEYEARECAAYFAk3mw0UACgkQ2t2zxlt4g/QDZACeIB3gL2826Ecc8YWLh3rQgmF5
> BxoAn3ub5t0QvfVmkF3mFPX8PlK1mdTH
> =9P+i
> -----END PGP SIGNATURE-----
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


-- 

Shinnok <http://shinnok.com>
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/