Re: [Bug Report] Host order becoming important when using r00t

[Daniel Miller <bonsaiviking () gmail com>]

Jay, Jacek,

Thanks for the bug report! This was a tricky one, and should be solved in
r33373. It was introduced back in February 2013 when we started doing
better splitting of hosts into homogeneous hostgroups. Here's the commit
message for the fix:

    Hostgroups should have a common outgoing interface and source address,
    determined by target_needs_new_hostgroup. Source address for raw IP
    probes (sendIPScanProbe) is taken from the list of decoys (o.decoys),
    which always at least contains a "self" element at index o.decoyturn.
    This element was not being set while filling a hostgroup for massping,
    so it was using whatever the value from the last hostgroup had. This
    only matters when mixing targets that require different source
    addresses, as demonstrated by scanning localhost and some other address.

Dan


On Sun, Jul 27, 2014 at 10:53 AM, Jacek Wielemborek <d33tah () gmail com>
wrote:

> 27.07.2014 17:51, Jay Bosamiya:
> > Hi All!
> >
> > Just noticed this bug when testing: host order becomes important when
> > using root.
> >
> > To reproduce the bug: try running "sudo nmap scanme.nmap.org localhost
> > -sn" and "sudo nmap localhost scanme.nmap.org -sn".
> >
> > Logically, both should give the same result (except for ordering of
> > hosts in output). However, the first command works perfectly (shows both
> > hosts up), and the second commands takes a lot of time followed by
> > showing scanme.nmap.org as down.
> >
> > For reference, the output for both commands with -d9 is at [1] and [2].
> > (Run with latest svn trunk).
> >
> > Seems like the problem lies in some probes getting no response (in the
> > second ordering).
> >
> > Another interesting thing is that this problem comes up only when
> > running as root (either through sudo, or through root directly).
> >
> > I haven't tried tracing this bug since I'm currently working on the
> > --ignore-after option.
> >
> > If anyone figures out why this happens or wants to take this up, you're
> > welcome to work on it. :)
> >
> > Cheers,
> > Jay
> >
> > Links:
> > [1] http://pastebin.com/fP9xW4iw
> > [2] http://pastebin.com/1HUr8whT
> > _______________________________________________
> > Sent through the dev mailing list
> > http://nmap.org/mailman/listinfo/dev
> > Archived at http://seclists.org/nmap-dev/
>
> I confirm the bug. Here's a log I already sent to Jay before:
>
> > $ sudo ./nmap localhost scanme.nmap.org -sn -d9
> >
> > Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-27 16:34 CEST
> > The max # of sockets we are using is: 0
> > --------------- Timing report ---------------
> >   hostgroups: min 1, max 100000
> >   rtt-timeouts: init 1000, min 100, max 10000
> >   max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
> >   parallelism: min 0, max 0
> >   max-retries: 10, host-timeout: 0
> >   min-rate: 0, max-rate: 0
> > ---------------------------------------------
> > Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
> > mass_rdns: Using DNS server 217.113.224.35
> > mass_rdns: Using DNS server 217.113.224.134
> > Nmap scan report for localhost (127.0.0.1)
> > Host is up, received localhost-response TTL 0.
> > Other addresses for localhost (not scanned): 127.0.0.1
> > Fetchfile found /mnt/sda/d33tah/workspace/nmap/nmap/nmap-payloads
> > Initiating Ping Scan at 16:34
> > Scanning scanme.nmap.org (74.207.244.221) [4 ports]
> > Packet capture filter (device p5p1): dst host 172.16.1.2 and (icmp or
> icmp6 or ((tcp or udp or sctp) and (src host 74.207.244.221)))
> > SENT (0.0234s) ICMP [127.0.0.1 > 74.207.244.221 Echo request
> (type=8/code=0) id=65360 seq=0] IP [ver=4 ihl=5 tos=0x00 iplen=28 id=45145
> foff=0 ttl=46 proto=1 csum=0x1dda]
> > SENT (0.0235s) TCP [127.0.0.1:62654 > 74.207.244.221:443 S seq=
> 3869651658 ack=0 off=6 res=0 win=1024 csum=0xC58D urp=0 <mss 1460>] IP
> [ver=4 ihl=5 tos=0x00 iplen=44 id=47696 foff=0 ttl=50 proto=6 csum=0x0fce]
> > SENT (0.0236s) TCP [127.0.0.1:62654 > 74.207.244.221:80 A seq=0 ack=
> 3869651658 off=5 res=0 win=1024 csum=0xDEA6 urp=0] IP [ver=4 ihl=5
> tos=0x00 iplen=40 id=32009 foff=0 ttl=46 proto=6 csum=0x5119]
> > SENT (0.0236s) ICMP [127.0.0.1 > 74.207.244.221 Timestamp request
> (type=13/code=0) id=53271 seq=0 orig=0 recv=0 trans=0] IP [ver=4 ihl=5
> tos=0x00 iplen=40 id=63721 foff=0 ttl=47 proto=1 csum=0xd43d]
> > **TIMING STATS** (0.0237s): IP, probes
> active/freshportsleft/retry_stack/outstanding/retranwait/onbench,
> cwnd/ssthresh/delay, timeout/srtt/rttvar/
> >    Groupstats (1/1 incomplete): 4/*/*/*/*/* 10.00/75/* 1000000/-1/-1
> >    74.207.244.221: 4/0/0/4/0/0 10.00/75/0 1000000/-1/-1
> > Current sending rates: 323.60 packets / s, 12296.74 bytes / s.
> > Overall sending rates: 323.60 packets / s, 12296.74 bytes / s.
> > **TIMING STATS** (1.0245s): IP, probes
> active/freshportsleft/retry_stack/outstanding/retranwait/onbench,
> cwnd/ssthresh/delay, timeout/srtt/rttvar/
> >    Groupstats (1/1 incomplete): 0/*/*/*/*/* 10.00/75/* 1000000/-1/-1
> >    74.207.244.221: 0/0/0/4/4/0 10.00/75/0 1000000/-1/-1
> > Current sending rates: 3.95 packets / s, 150.03 bytes / s.
> > Overall sending rates: 3.95 packets / s, 150.03 bytes / s.
> > SENT (2.0255s) ICMP [127.0.0.1 > 74.207.244.221 Timestamp request
> (type=13/code=0) id=14658 seq=0 orig=0 recv=0 trans=0] IP [ver=4 ihl=5
> tos=0x00 iplen=40 id=7781 foff=0 ttl=44 proto=1 csum=0xb1c2]
> > SENT (2.0256s) TCP [127.0.0.1:62655 > 74.207.244.221:80 A seq=0 ack=
> 3869717195 off=5 res=0 win=1024 csum=0xDEA3 urp=0] IP [ver=4 ihl=5
> tos=0x00 iplen=40 id=35556 foff=0 ttl=51 proto=6 csum=0x3e3e]
> > SENT (2.0257s) TCP [127.0.0.1:62655 > 74.207.244.221:443 S seq=
> 3869717195 ack=0 off=6 res=0 win=1024 csum=0xC58A urp=0 <mss 1460>] IP
> [ver=4 ihl=5 tos=0x00 iplen=44 id=12621 foff=0 ttl=54 proto=6 csum=0x94d1]
> > SENT (2.0257s) ICMP [127.0.0.1 > 74.207.244.221 Echo request
> (type=8/code=0) id=18027 seq=0] IP [ver=4 ihl=5 tos=0x00 iplen=28 id=59499
> foff=0 ttl=44 proto=1 csum=0xe7c7]
> > **TIMING STATS** (2.0257s): IP, probes
> active/freshportsleft/retry_stack/outstanding/retranwait/onbench,
> cwnd/ssthresh/delay, timeout/srtt/rttvar/
> >    Groupstats (1/1 incomplete): 4/*/*/*/*/* 10.00/75/* 1000000/-1/-1
> >    74.207.244.221: 4/0/0/8/0/0 10.00/75/0 1000000/-1/-1
> > Current sending rates: 3.97 packets / s, 150.91 bytes / s.
> > Overall sending rates: 3.97 packets / s, 150.91 bytes / s.
> > **TIMING STATS** (3.0265s): IP, probes
> active/freshportsleft/retry_stack/outstanding/retranwait/onbench,
> cwnd/ssthresh/delay, timeout/srtt/rttvar/
> >    Groupstats (1/1 incomplete): 0/*/*/*/*/* 10.00/75/* 1000000/-1/-1
> >    74.207.244.221: 0/0/0/8/4/0 10.00/75/0 1000000/-1/-1
> > Current sending rates: 2.65 packets / s, 100.82 bytes / s.
> > Overall sending rates: 2.65 packets / s, 100.82 bytes / s.
> > ultrascan_host_probe_update called for machine 74.207.244.221 state
> UNKNOWN -> HOST_DOWN (trynum 1 time: 1003158)
> > ultrascan_host_probe_update called for machine 74.207.244.221 state
> HOST_DOWN -> HOST_DOWN (trynum 1 time: 1003066)
> > ultrascan_host_probe_update called for machine 74.207.244.221 state
> HOST_DOWN -> HOST_DOWN (trynum 1 time: 1003018)
> > ultrascan_host_probe_update called for machine 74.207.244.221 state
> HOST_DOWN -> HOST_DOWN (trynum 1 time: 1002965)
> > Moving 74.207.244.221 to completed hosts list with 4 outstanding probes.
> > * icmp type 8 code 0
> > * tcp to port 443; flags: S
> > * tcp to port 80; flags: A
> > * icmp type 13 code 0
> > Completed Ping Scan at 16:34, 3.02s elapsed (1 total hosts)
> > Overall sending rates: 2.65 packets / s, 100.75 bytes / s.
> > pcap stats: 0 packets received by filter, 0 dropped by kernel.
> > Nmap scan report for scanme.nmap.org (74.207.244.221) [host down,
> received no-response]
> > Read from /mnt/sda/d33tah/workspace/nmap/nmap: nmap-payloads.
> > Nmap done: 2 IP addresses (1 host up) scanned in 3.04 seconds
> >            Raw packets sent: 8 (304B) | Rcvd: 0 (0B)
>
> Note that Wireshark says that these probes got a response.
>
>
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/