Nmap Development mailing list archives

Re: nmap scans on FreeBSD showing incorrect results


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 20 Sep 2017 23:17:01 -0500

Vincent,

Thanks for reporting this! Filtered port state can be caused by dropped
packets, though Nmap usually slows down and tries again if it determines
some packets are being dropped. I noticed that the two examples you gave of
incorrect results actually took less time to complete than the correct
ones. It's likely that Nmap just isn't slowing down quickly enough to catch
the replies it ought to.

Here's some diagnostic stuff I'd like to see from you, if you can:

1. Debug output with -d2 for an incorrect scan. Also add -n to skip the
reverse-DNS phase which can add noise to the total scan time.

2. Does slowing the scan down "fix" the incorrect results? Add -T2 to slow
it down. If this works, then it's most likely a timing or missed packets
issue.

3. Let us know if there's anything special about the network: virtual
machine (bridged, NAT, etc)? WiFi? Gigabit Ethernet? It's already very
helpful to know this affects multiple versions of Nmap and FreeBSD, but if
you find a version combination that *does* work, that's useful info as well.

Thanks. Hopefully we can fix it soon!
Dan

On Tue, Sep 19, 2017 at 8:11 PM, Vincent Stemen <vince.nmap () hightek org>
wrote:

Hi.

On FreeBSD 11.1 release I am getting inconsistent results from nmap version
7.40.  It is randomly showing some ports as filtered even though they are
not.
I am wondering if this could be a bug in nmap when running on FreeBSD.

For comparison, I ran nmap version 7.40 on Linux Debian 4.9.30 and I do not
have the problem.  It consistently correctly shows all unfiltered ports.

The host being scanned is running a packet filter firewall on FreeBSD 11.1.

I also ran a few of the same tests from a FreeBSD 10.3-RELEASE-p11 machine,
running nmap-7.12 and got similar inconsistent results.

On these tests, there are 5 unfiltered ports.
If it has been at least a minute or so since the last scan, it seems to
output the correct results.

# nmap  -p 1000-1040  pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:21 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.026s latency).
Not shown: 36 filtered ports
PORT     STATE  SERVICE
1000/tcp open   cadlock
1001/tcp open   webpush
1002/tcp closed windows-icfw
1003/tcp closed unknown
1004/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 4.89 seconds

-------------------------------------

But if I run the scan again, I get random wrong results.

# nmap  -p 1000-1040  pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:21 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.024s latency).
Not shown: 39 filtered ports
PORT     STATE  SERVICE
1000/tcp open   cadlock
1004/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.79 seconds

????
This is outright wrong.
Why does it only show 2 unfiltered ports?
????

-------------------------------------

It is not consistent about which ports it shows as being unfiltered.

# nmap  -p 1000-1030  pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:29 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.024s latency).
Not shown: 29 filtered ports
PORT     STATE  SERVICE
1001/tcp open   webpush
1002/tcp closed windows-icfw

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds

-------------------------------------

If I scan *no more* than 10 ports, it seems to always be correct.
From 15 on up it appears to get more and more inconsistent.

# nmap  -p 1000-1010  pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:32 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.025s latency).
PORT     STATE    SERVICE
1000/tcp open     cadlock
1001/tcp open     webpush
1002/tcp closed   windows-icfw
1003/tcp closed   unknown
1004/tcp closed   unknown
1005/tcp filtered unknown
1006/tcp filtered unknown
1007/tcp filtered unknown
1008/tcp filtered ufsd
1009/tcp filtered unknown
1010/tcp filtered surf

Nmap done: 1 IP address (1 host up) scanned in 3.99 seconds

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
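As an added example (not code from the thread or from the Nmap project), the script below parses Nmap's normal output from repeated runs of the same scan and lists the ports whose state disagrees between runs, which is the symptom Vincent describes and the dropped-packet hypothesis Dan raises. The two embedded outputs are constructed samples modelled on the results quoted above, trimmed to the lines the parser needs.

```python
import re

# Constructed samples modelled on the two "nmap -p 1000-1040 pt02" outputs in the
# thread: a slow run that looks right and a fast run that lost three ports.
RUN_A = """\
Not shown: 36 filtered ports
PORT     STATE  SERVICE
1000/tcp open   cadlock
1001/tcp open   webpush
1002/tcp closed windows-icfw
1003/tcp closed unknown
1004/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 4.89 seconds
"""
RUN_B = """\
Not shown: 39 filtered ports
PORT     STATE  SERVICE
1000/tcp open   cadlock
1004/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 1.79 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) ports")
DONE_RE = re.compile(r"scanned in ([\d.]+) seconds")


def parse_run(text, ports):
    """Return ({port: state}, elapsed_seconds). Ports absent from the table take
    the state named on the 'Not shown:' line (None if that line is missing)."""
    default, states, elapsed = None, {}, None
    for line in text.splitlines():
        m = NOT_SHOWN_RE.match(line)
        if m:
            default = m.group(2)
        m = PORT_RE.match(line)
        if m:
            states[int(m.group(1))] = m.group(3)
        m = DONE_RE.search(line)
        if m:
            elapsed = float(m.group(1))
    for p in ports:
        states.setdefault(p, default)
    return states, elapsed


def inconsistent_ports(runs, ports):
    """Ports whose state differs between runs; with packet loss these are usually
    open/closed ports that a faster run misreported as filtered."""
    parsed = [parse_run(r, ports)[0] for r in runs]
    return sorted(p for p in ports if len({s[p] for s in parsed}) > 1)


if __name__ == "__main__":
    print(inconsistent_ports([RUN_A, RUN_B], range(1000, 1041)))
```

Feed it the saved output of several runs (Dan's suggested -T2 run among them); a port list that flips between runs points at timing rather than at the firewall.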
