Nmap Development mailing list archives

rpc-grind.nse timeout


From: Pavel Kankovsky <kan () dcit cz>
Date: Mon, 25 Aug 2014 18:39:00 +0200 (CEST)

I scanned a large number of addresses with lots of open|filtered UDP ports with -sV --version-light and it seemed to me Nmap spent too much time in rpc-grind.nse.

It turns out rpc-grind.nse waits 30 seconds (the standard NSE timeout) for every response including its initial check whether the port is a Sun RPC service at all (isRPC)--as opposed to 5 seconds for (most) probes in nmap-service-probes.

To add insult to injury, it wastes time in isRPC even when all the ports have already been probed with RPCCheck and none of them has responded.

I do not know how to make rpc-grind.nse aware of the (negative) results of service scan--and I do not even know whether it would be desirable--but I tried something else: I patched isRPC (see the attachment; I had to touch nselib/rpc.lua too) to time out after 5 seconds.

A very simplistic test performed on a tiny subsample of my original scan (one typical host, 100 TCP + 100 UDP ports) shows the patch reduces the time needed to finish such a scan from ca. 210 seconds (55 in service scan, 150 in NSE) to 105 seconds (45 in NSE).

Correct me if I am wrong but I suppose that 5 s timeout is good enough for rpc-grind.nse if it is good enough for various non-NSE service probes including RPCCheck.

--
Pavel Kankovsky

Attachment: nmap-6.47-rpc-grind-timeout.patch
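As an added illustration of the timeout point raised above (this is not the attached patch, nor Nmap's own rpc-grind.nse or nselib/rpc.lua), here is a minimal stand-alone NSE script that does what an "is this port Sun RPC?" check has to do: send one RPCv2 NULL call (procedure 0, AUTH_NULL, RFC 5531 layout) over the port's own protocol and wait for a reply, but with an explicit 5-second socket timeout instead of the NSE default. The names RPC_CHECK_TIMEOUT, is_rpc, rpc_null_call and looks_like_rpc_reply are mine, the choice of the portmapper (program 100000, version 2) as the probed program is an assumption, and the portrule is only an example of where such a check would run.

```lua
local nmap = require "nmap"

description = [[
Added example (not part of Nmap): sends an RPCv2 NULL call to a port and
reports whether an RPC reply came back, using a 5 s socket timeout.
]]
categories = {"discovery", "safe"}

-- Assumed default: 5 s, matching the timeout the post cites for
-- nmap-service-probes entries such as RPCCheck (NSE's default is longer).
local RPC_CHECK_TIMEOUT = 5000  -- milliseconds

-- XDR integers are big-endian 32-bit; encode/decode without string.pack
-- so the snippet runs on the Lua 5.2 and 5.3 NSE interpreters alike.
local function u32(n)
  return string.char(
    math.floor(n / 2^24) % 256,
    math.floor(n / 2^16) % 256,
    math.floor(n / 2^8) % 256,
    n % 256)
end

local function get_u32(s, pos)
  local a, b, c, d = s:byte(pos, pos + 3)
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- RPCv2 CALL for procedure 0 (NULL) with AUTH_NULL cred and verf.
-- Any RPC listener answers this, either with an accepted reply or with
-- PROG_UNAVAIL/PROG_MISMATCH, so it works as a generic "is RPC" probe.
local function rpc_null_call(xid, program, version)
  return u32(xid)          -- xid, echoed back in the reply
    .. u32(0)              -- msg_type = CALL
    .. u32(2)              -- rpcvers = 2
    .. u32(program)
    .. u32(version)
    .. u32(0)              -- procedure 0 = NULL
    .. u32(0) .. u32(0)    -- cred: flavor AUTH_NULL, body length 0
    .. u32(0) .. u32(0)    -- verf: flavor AUTH_NULL, body length 0
end

-- A reply is accepted as RPC only if it echoes our xid and is a REPLY (1).
local function looks_like_rpc_reply(xid, data)
  if not data or #data < 8 then return false end
  return get_u32(data, 1) == xid and get_u32(data, 5) == 1
end

-- Returns true when the port answered the NULL call within timeout_ms,
-- false plus an error string otherwise. On a silent UDP port receive()
-- fails with "TIMEOUT" after timeout_ms, which is the whole point.
local function is_rpc(host, port, timeout_ms)
  local xid = math.random(0, 0x7fffffff)
  local sock = nmap.new_socket()
  sock:set_timeout(timeout_ms)
  local ok, err = sock:connect(host, port, port.protocol)
  if not ok then sock:close(); return false, err end
  ok, err = sock:send(rpc_null_call(xid, 100000, 2))  -- assumed target: portmapper
  if not ok then sock:close(); return false, err end
  local status, data = sock:receive()
  sock:close()
  if not status then return false, data end
  return looks_like_rpc_reply(xid, data), nil
end

-- Example portrule: run on open ports and on open|filtered UDP ports,
-- which is where the slow checks described in the post were being spent.
portrule = function(host, port)
  return port.state == "open" or
    (port.protocol == "udp" and port.state == "open|filtered")
end

action = function(host, port)
  local rpc, err = is_rpc(host, port, RPC_CHECK_TIMEOUT)
  if rpc then
    return "answered an RPC NULL call"
  end
  return nil  -- stay quiet on timeout or non-RPC replies
end
```

The practical consequence is the one measured in the post: a port that never answers costs this check at most RPC_CHECK_TIMEOUT per probe, so a scan with many open|filtered UDP ports is bounded by the same 5 s per port that RPCCheck already pays rather than by the longer NSE default.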

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/