Nmap Development mailing list archives

Re: XML output incomplete


From: David Fifield <david () bamsoftware com>
Date: Thu, 10 Sep 2020 12:44:40 -0600

On Fri, Sep 04, 2020 at 10:23:35AM +0100, Owen Mooney wrote:
> Normal output below:
> 
> # Nmap 7.80 scan initiated Fri Sep  4 09:49:26 2020 as: nmap -T5 -sU -sS -PS22,80,443,445,3389,135,139 -PU53,161 -PE --traceroute -sV -oN normal.txt -oX xml.xml 172.17.0.2
> Warning: 172.17.0.2 giving up on port because retransmission cap hit (2).
> Nmap scan report for 172.17.0.2
> Host is up (0.00017s latency).
> Skipping host 172.17.0.2 due to host timeout
> Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
> # Nmap done at Fri Sep  4 10:04:32 2020 -- 1 IP address (1 host up) scanned in 905.65 seconds
> 
> No mention of port 80 open, however the "Skipping host..." line might be a
> clue. Is it possible that a host can be skipped after some ports have already
> been found open?
> I have attached the pcap file to this email for reference. It shows that Nmap
> generated a SYN to port 80 and got an ACK in response, and then sent a http
> request further on in the scan.

Okay, this explains it. Unfortunately, when a host reaches the host
timeout, it discards all partial scan results.

https://nmap.org/book/man-performance.html
        A host that times out is skipped. No port table, OS detection,
        or version detection results are printed for that host.

The host timeout with -T5 is 900 seconds, which you can see was
exceeded: "1 IP address (1 host up) scanned in 905.65 seconds".
https://nmap.org/book/performance-timing-templates.html

It's unusual for -sV to take 900 seconds for a single host. You can try
--version-trace to watch what -sV is doing. -T5 may be too aggressive
for this host. Alternatively, you can specify -T5 and longer
--host-timeout together, I think.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
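As an added example (not from this thread or the Nmap project), a small Python checker that reads Nmap XML output and flags hosts whose results are incomplete because of a host timeout, so a skipped host is not mistaken for one with no open ports. The sample XML is constructed, and the `timedout` host attribute is assumed from nmap.dtd; the fallback check (host up but no `<ports>` element) does not depend on it.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like Nmap's XML output (not a real scan): one host
# that completed and one that hit the host timeout. The timedout="true"
# attribute is assumed from nmap.dtd; check your Nmap version's output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T5 -sU -sS -sV 172.17.0.0/30" start="1599209366">
<host starttime="1599209366" endtime="1599209500">
<status state="up" reason="arp-response"/>
<address addr="172.17.0.3" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port></ports>
</host>
<host starttime="1599209366" endtime="1599210272" timedout="true">
<status state="up" reason="arp-response"/>
<address addr="172.17.0.2" addrtype="ipv4"/>
</host>
<runstats><finished time="1599210272" elapsed="905.65"/>
<hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
"""


def incomplete_hosts(xml_text):
    """Return {addr: reason} for hosts whose results should not be trusted:
    Nmap flagged the host as timed out, or the host is up but no <ports>
    element was written, which is what a skipped host looks like."""
    flagged = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        status = host.find("status")
        up = status is not None and status.get("state") == "up"
        if host.get("timedout") == "true":
            flagged[addr] = "timedout attribute set; partial results discarded"
        elif up and host.find("ports") is None:
            flagged[addr] = "up but no <ports> element; probable host timeout"
    return flagged


def run_exceeded_timeout(xml_text, host_timeout_s=900):
    """True if total elapsed time exceeded the per-host timeout (900 s for -T5),
    a cheap hint that at least one host may have been skipped."""
    finished = ET.fromstring(xml_text).find("runstats/finished")
    return finished is not None and float(finished.get("elapsed", 0)) > host_timeout_s


if __name__ == "__main__":
    for addr, why in incomplete_hosts(SAMPLE_XML).items():
        print(f"{addr}: {why}")
    print("exceeded -T5 host timeout:", run_exceeded_timeout(SAMPLE_XML))
```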