Nmap Development mailing list archives
Re: Good nmap timeout values for port scans of filtering hosts on local LAN
From: H D Moore <hdm () secureaustin com>
Date: Mon, 6 Aug 2001 14:11:26 -0500
If you already know your max rtt time, try setting your initial_rtt_timeout to something very small (like 5). The following tests show that no max timeout took about a minute, a max timeout of 50 took over two minutes, and a very small initial timeout plus a max timeout of 50 took _4_ seconds ;)

The target in this case was a machine filtering everything but 22 on the LAN.

sliver:~ # time nmap -sS -p1-100 -v -v -O 192.168.0.65 -P0 -n

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Host (192.168.0.65) appears to be up ... good.
Initiating SYN Stealth Scan against (192.168.0.65)
Adding open port 22/tcp
The SYN Stealth Scan took 49 seconds to scan 100 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 22 is open and port 30618 is closed and neither are firewalled
Interesting ports on (192.168.0.65):
(The 99 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh

Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
OS Fingerprint:
TSeq(Class=RI%gcd=2%SI=1EE615%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Uptime 1.199 days (since Sun Aug 5 13:09:58 2001)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2024981 (Good luck!)
TCP ISN Seq. Numbers: 96420653 9667CC5B 95E5977D 96953D9B 96A1081B 96D185EB
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 53 seconds

real    0m53.308s
user    0m0.090s
sys     0m0.020s

sliver:~ # time nmap -sS -p1-100 -v -v -O 192.168.0.65 -P0 -n --max_rtt_timeout=50

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Host (192.168.0.65) appears to be up ... good.
Initiating SYN Stealth Scan against (192.168.0.65)
Adding open port 22/tcp
The SYN Stealth Scan took 122 seconds to scan 100 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 22 is open and port 31261 is closed and neither are firewalled
Interesting ports on (192.168.0.65):
(The 99 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh

Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=21B201%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Uptime 1.201 days (since Sun Aug 5 13:09:58 2001)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2208257 (Good luck!)
TCP ISN Seq. Numbers: 9ED8CCD1 9F064703 9F23ABB7 9EB5DEB2 9E9B5AE5
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 124 seconds

real    2m3.978s
user    0m0.080s
sys     0m0.020s

sliver:~ # time nmap -sS -p1-100 -v -v -O 192.168.0.65 -P0 -n --max_rtt_timeout=50 --initial_rtt_timeout=5

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Host (192.168.0.65) appears to be up ... good.
Initiating SYN Stealth Scan against (192.168.0.65)
Adding open port 22/tcp
The SYN Stealth Scan took 3 seconds to scan 100 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 22 is open and port 34637 is closed and neither are firewalled
Interesting ports on (192.168.0.65):
(The 99 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh

Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=197B2A%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Uptime 1.202 days (since Sun Aug 5 13:09:58 2001)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1669930 (Good luck!)
TCP ISN Seq. Numbers: A27DF379 A2CE22B0 A24361C6 A1E5AC5A A26CCB76
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

real    0m4.427s
user    0m0.070s
sys     0m0.040s

On Mon, 6 Aug 2001 10:31:22 -0600 Alek Komarnitsky <alek () komar org> wrote:
> I thought this would be easy to fix ... simply crank down max_rtt_timeout; especially since all the machines are on the local LAN. However, setting this to 50 (milli-seconds) rather than the default 9000 didn't show any wall-time difference on a scan of 100 ports. If I set this to 5, nmap returned in a second or two ... but the results were quite variable and consistently wrong on a few random ports.
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
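The two posts above describe the same trade-off from opposite sides: a timeout that is too long makes every filtered port cost the full window (H D Moore's minute-long runs), and a timeout that is too short drops replies that arrive late, so responsive ports get reported as filtered (Alek Komarnitsky's "consistently wrong on a few random ports" at 5 ms). The following Python model is an added illustration written for this page; it is not nmap's code and not part of the thread. It probes ports one at a time (nmap probes in parallel), treats any reply that lands after the window as lost (nmap may still catch late replies), and drives the per-probe timeout with the smoothed-RTT estimator TCP uses (RFC 6298), clamped to a [min, max] range. The clamp rule, the `Timing` fields, the 100-port target and all latencies are constructed for the example; the `min_rtt_ms` floor corresponds in spirit to nmap's separate minimum-RTT timeout option, which does not figure in the 2001 thread, and the 6000 ms initial value in the "conservative" config is an assumed placeholder, not a documented default.

```python
"""
Simplified model of how a port scanner's per-probe RTT timeout trades speed
against accuracy on a host that filters most ports.

Added illustration, NOT nmap's code: probes are modelled sequentially (nmap
sends them in parallel) and a reply that arrives after the timeout is simply
lost (nmap may still catch late replies). The estimator is the Jacobson/Karels
one TCP uses (RFC 6298); the [min, max] clamp rule is this model's own.
The target host and every latency below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Timing:
    initial_rtt_ms: float  # timeout used before any reply has been seen
    min_rtt_ms: float      # floor: keeps the timeout above reply jitter
    max_rtt_ms: float      # ceiling: bounds the cost of a silent (filtered) port
    retries: int = 2       # extra probes before a silent port is called filtered


class RttEstimator:
    """RFC 6298 smoothed RTT / variance, clamped to the model's [min, max]."""

    def __init__(self, timing: Timing) -> None:
        self.t = timing
        self.srtt: Optional[float] = None
        self.rttvar: float = 0.0

    def timeout(self) -> float:
        rto = self.t.initial_rtt_ms if self.srtt is None else self.srtt + 4 * self.rttvar
        return min(max(rto, self.t.min_rtt_ms), self.t.max_rtt_ms)

    def sample(self, rtt: float) -> None:
        if self.srtt is None:
            self.srtt, self.rttvar = rtt, rtt / 2
        else:
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - rtt)
            self.srtt = 0.875 * self.srtt + 0.125 * rtt


def build_target() -> Dict[int, Tuple[str, Optional[float]]]:
    """Constructed host: 100 ports like the post's target, plus a block of
    closed (RST-replying) ports so that misclassification can show up.
    Value = (true state, reply latency in ms); filtered ports never reply."""
    target = {p: ("filtered", None) for p in range(1, 101)}
    target[22] = ("open", 2.0)
    for p in range(71, 101):
        target[p] = ("closed", 2.0)
    for p in (80, 90, 100):          # constructed jitter: a few slow RSTs
        target[p] = ("closed", 9.0)
    return target


def scan(target, timing: Timing) -> Tuple[float, Dict[int, str]]:
    """Probe each port in order; return (wall time in ms, observed states)."""
    est = RttEstimator(timing)
    wall = 0.0
    observed: Dict[int, str] = {}
    for port in sorted(target):
        true_state, latency = target[port]
        observed[port] = "filtered"      # default if every probe times out
        for _attempt in range(1 + timing.retries):
            timeout = est.timeout()
            if latency is not None and latency <= timeout:
                wall += latency          # reply arrived inside the window
                est.sample(latency)
                observed[port] = true_state
                break
            wall += timeout              # window expired with no reply
    return wall, observed


def misclassified(target, observed) -> List[int]:
    """Ports whose observed state differs from the true state."""
    return [p for p in sorted(target) if target[p][0] != observed[p]]


# Constructed configs: (initial / min / max) in ms, all values assumed.
CONFIGS = {
    "conservative (6000/100/9000)": Timing(6000.0, 100.0, 9000.0),
    "too aggressive (5/5/50)":      Timing(5.0, 5.0, 50.0),
    "tuned floor (20/20/50)":       Timing(20.0, 20.0, 50.0),
}


def compare(target=None) -> Dict[str, Tuple[float, List[int]]]:
    """Return {config name: (wall time in ms, list of wrongly reported ports)}."""
    target = target or build_target()
    results = {}
    for name, timing in CONFIGS.items():
        wall, observed = scan(target, timing)
        results[name] = (wall, misclassified(target, observed))
    return results


if __name__ == "__main__":
    for name, (wall, wrong) in compare().items():
        print(f"{name:32s} {wall / 1000:9.3f} s  wrong={wrong}")
```

Running it shows the three regimes: the conservative timing is correct on all 100 ports but spends several minutes of model time waiting on the 69 filtered ports; the 5 ms setting finishes in about a second but reports the three slow-replying closed ports as filtered; a floor of 20 ms, above the constructed jitter, stays fast and accurate. The model deliberately does not try to reproduce the thread's middle run (max 50 ms alone being slower than the default), which depends on nmap's real parallelism and retransmission logic.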
Current thread:
- Good nmap timeout values for port scans of filtering hosts on local LAN Alek Komarnitsky (Aug 06)
- Re: Good nmap timeout values for port scans of filtering hosts on local LAN H D Moore (Aug 06)
- <Possible follow-ups>
- Re: Good nmap timeout values for port scans of filtering hosts on local LAN Alek O. Komarnitsky (N-CSC) (Aug 16)