Nmap Development mailing list archives
Re: [Pauldotcom] NMAP Discrepancies
From: Shinnok <admin () shinnok com>
Date: Tue, 21 Jun 2011 19:16:31 +0300
Thanks for the prompt response Michael,

The trace you posted had the following results:
--
Scanned at 2011-06-21 09:32:29 Central Daylight Time for 6s
PORT     STATE SERVICE       REASON  VERSION
3389/tcp open  microsoft-rdp syn-ack Microsoft Terminal Service
---
Which are the right results; I'll need a trace for the case where the service detection goes amok.

Regards,
Shinnok

On 06/21/2011 05:34 PM, Michael Lubinski wrote:
> On Tue, Jun 21, 2011 at 8:59 AM, Shinnok <admin () shinnok com> wrote:
>> Hi Michael,
>>
>> I've managed to take a look at the service discrepancies issue you experienced. I made a similar Windows setup just as yours in VMware and tested ms-rdp 3389 and I can't reproduce your behavior. The strange thing in your case is that Nmap should at least print "ms-term-serv" instead of "microsoft-rdp" if the "Microsoft Terminal Service" doesn't get identified by -sV, in the SERVICE column of the output.
>>
>> I'm going to need some more info from you in order to proceed with further investigation:
>>
>> I need the exact Nmap line that you use to scan and confirmation that you don't change that between scans.
>
> nmap -sS -sV -p1-65535 -d2 -oX scan-current.xml -iL c:\nmap\include.txt --excludefile c:\nmap\exclude.txt
>
>> I will also ask you, if you can, to try and catch a scan that does print the wrong services or nothing at all with this nmap invocation:
>>
>> nmap -p3389 -PN -sV -vvvv -dddd --version-trace *your-host*
>>
>> And please attach the output to a reply e-mail. That output will at least show us if indeed it is a timeout issue or something else.
>
> At 8:00 this morning the scan reported the following;
>
> -3389/tcp open microsoft-rdp Microsoft Terminal Service
> +3389/tcp open ms-term-serv
> +21835/tcp open msrpc Microsoft Windows RPC
> -36710/tcp open msrpc Microsoft Windows RPC
>
> At 9:30 I performed the trace with the following results;
>
> ***WinIP*** trying to initialize WinPcap
> Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
> NPF service is already running.
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-21 09:32 Central Daylight Time
> Fetchfile found C:\Program Files (x86)\Nmap\nmap-services
> The max # of sockets we are using is: 0
> --------------- Timing report ---------------
>   hostgroups: min 1, max 100000
>   rtt-timeouts: init 1000, min 100, max 10000
>   max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
>   parallelism: min 0, max 0
>   max-retries: 10, host-timeout: 0
>   min-rate: 0, max-rate: 0
> ---------------------------------------------
> Fetchfile found C:\Program Files (x86)\Nmap\nse_main.lua
> Fetchfile found C:\Program Files (x86)\Nmap\nselib/
> Fetchfile found C:\Program Files (x86)\Nmap\scripts\script.db
> Fetchfile found C:\Program Files (x86)\Nmap\scripts\db2-das-info.nse
> Fetchfile found C:\Program Files (x86)\Nmap\scripts\drda-info.nse
> Fetchfile found C:\Program Files (x86)\Nmap\scripts\iax2-version.nse
> Fetchfile found C:\Program Files (x86)\Nmap\scripts\jdwp-version.nse
> Fetchfile found C:\Program Files (x86)\Nmap\scripts\netbus-version.nse
> Fetchfile found C:\Program Files (x86)\Nmap\scripts\pptp-version.nse
> Fetchfile found C:\Program Files (x86)\Nmap\scripts\skypev2-version.nse
> Fetchfile found C:\Program Files (x86)\Nmap\scripts\wdb-version.nse
> NSE: Loaded 8 scripts for scanning.
> NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\db2-das-info.nse'.
> NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\drda-info.nse'.
> NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\iax2-version.nse'.
> NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\jdwp-version.nse'.
> NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\netbus-version.nse'.
> NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\pptp-version.nse'.
> NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\skypev2-version.nse'.
> NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\wdb-version.nse'.
> doing 0.0.0.0 = 192.168.1.10
> Fetchfile found C:\Program Files (x86)\Nmap\nmap-payloads
> Initiating ARP Ping Scan at 09:32
> Scanning 192.168.1.10 [1 port]
> Packet capture filter (device eth6): arp and arp[18:4] = 0x001E0BB1 and arp[22:2] = 0xB3E8
> SENT (1.3450s) ARP who-has 192.168.1.10 tell 192.168.1.122
> **TIMING STATS** (1.3450s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
>   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
>   192.168.1.10: 1/0/0/1/0/0 10.00/75/0 200000/-1/-1
>   Current sending rates: 8.77 packets / s, 368.42 bytes / s.
>   Overall sending rates: 8.77 packets / s, 368.42 bytes / s.
> RCVD (1.3450s) ARP reply 192.168.1.10 is-at F4:CE:46:B8:81:60
> Found 192.168.1.10 in incomplete hosts list.
> ultrascan_host_probe_update called for machine 192.168.1.10 state UNKNOWN -> HOST_UP (trynum 0 time: 0)
> Timeout vals: srtt: -1 rttvar: -1 to: 200000 delta 0 ==> srtt: 0 rttvar: 5000 to: 100000
> Timeout vals: srtt: -1 rttvar: -1 to: 200000 delta 0 ==> srtt: 0 rttvar: 5000 to: 100000
> Changing ping technique for 192.168.1.10 to ARP
> Moving 192.168.1.10 to completed hosts list with 0 outstanding probes.
> Changing global ping host to 192.168.1.10.
> Completed ARP Ping Scan at 09:32, 0.11s elapsed (1 total hosts)
> Overall sending rates: 8.77 packets / s, 368.42 bytes / s.
> pcap stats: 2 packets received by filter, 0 dropped by kernel.
> mass_rdns: Using DNS server 192.168.1.10
> mass_rdns: Using DNS server 192.168.1.10
> NSOCK (1.3470s) UDP connection requested to 192.168.1.10:53 (IOD #1) EID 8
> NSOCK (1.3470s) Read request from IOD #1 [192.168.1.10:53] (timeout: -1ms) EID 18
> NSOCK (1.3500s) UDP connection requested to 192.168.1.10:53 (IOD #2) EID 24
> NSOCK (1.3500s) Read request from IOD #2 [192.168.1.10:53] (timeout: -1ms) EID 34
> Initiating Parallel DNS resolution of 1 host. at 09:32
> mass_rdns: TRANSMITTING for <192.168.1.10> (server <192.168.1.10>)
> NSOCK (1.3500s) Write request for 43 bytes to IOD #1 EID 43 [192.168.1.10:53]: Z............10.1.168.192.in-addr.arpa.....
> NSOCK (1.3500s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.10:53]
> NSOCK (1.3500s) Callback: CONNECT SUCCESS for EID 24 [192.168.1.10:53]
> NSOCK (1.3500s) Callback: WRITE SUCCESS for EID 43 [192.168.1.10:53]
> NSOCK (1.3510s) Callback: READ SUCCESS for EID 18 [192.168.1.10:53] (120 bytes)
> NSOCK (1.3510s) Read request from IOD #1 [192.168.1.10:53] (timeout: -1ms) EID 50
> CAPACITY <192.168.1.10> = 12
> mass_rdns: NXDOMAIN <id = 23288>
> mass_rdns: 0.01s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
> Completed Parallel DNS resolution of 1 host. at 09:32, 0.00s elapsed
> DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
> Initiating SYN Stealth Scan at 09:32
> 192.168.1.10 pingprobe type ARP is inappropriate for this scan type; resetting.
> Scanning 192.168.1.10 [1 port]
> Packet capture filter (device eth6): dst host 192.168.1.122 and (icmp or ((tcp or udp or sctp) and (src host 192.168.1.10)))
> SENT (1.3540s) TCP [192.168.1.122:47605 > 192.168.1.10:3389 S seq=86966497 ack=0 off=6 res=0 win=2048 csum=0x3F0F urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0x00 iplen=44 id=14257 foff=0 ttl=53 proto=6 csum=0xca46]
> **TIMING STATS** (1.3540s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
>   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
>   192.168.1.10: 1/0/0/1/0/0 10.00/75/0 100000/0/5000
>   Current sending rates: 333.33 packets / s, 14666.67 bytes / s.
>   Overall sending rates: 333.33 packets / s, 14666.67 bytes / s.
> RCVD (1.3550s) TCP [192.168.1.10:3389 > 192.168.1.122:47605 SA seq=74024069 ack=86966498 off=6 res=0 win=8192 csum=0x9E0F urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0x00 iplen=44 id=6342 flg=D foff=0 ttl=128 proto=6 csum=0x5e31]
> Found 192.168.1.10 in incomplete hosts list.
> Discovered open port 3389/tcp on 192.168.1.10
> Timeout vals: srtt: 0 rttvar: 5000 to: 100000 delta 1000 ==> srtt: 125 rttvar: 4000 to: 100000
> Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1000 ==> srtt: 1000 rttvar: 5000 to: 100000
> Changing ping technique for 192.168.1.10 to tcp to port 3389; flags: S
> Moving 192.168.1.10 to completed hosts list with 0 outstanding probes.
> Changing global ping host to 192.168.1.10.
> Completed SYN Stealth Scan at 09:32, 0.00s elapsed (1 total ports)
> Overall sending rates: 250.00 packets / s, 11000.00 bytes / s.
> pcap stats: 2 packets received by filter, 0 dropped by kernel.
> Fetchfile found C:\Program Files (x86)\Nmap\nmap-service-probes
> Initiating Service scan at 09:32
> Scanning 1 service on 192.168.1.10
> Starting probes against new service: 192.168.1.10:3389 (tcp)
> NSOCK (1.4300s) TCP connection requested to 192.168.1.10:3389 (IOD #1) EID 8
> NSOCK (1.4310s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.10:3389]
> Service scan sending probe NULL to 192.168.1.10:3389 (tcp)
> NSOCK (1.4310s) Read request from IOD #1 [192.168.1.10:3389] (timeout: 6000ms) EID 18
> NSOCK (7.4310s) Callback: READ TIMEOUT for EID 18 [192.168.1.10:3389]
> Service scan sending probe TerminalServer to 192.168.1.10:3389 (tcp)
> NSOCK (7.4310s) Write request for 11 bytes to IOD #1 EID 27 [192.168.1.10:3389]: ...........
> NSOCK (7.4310s) Read request from IOD #1 [192.168.1.10:3389] (timeout: 5000ms) EID 34
> NSOCK (7.4310s) Callback: WRITE SUCCESS for EID 27 [192.168.1.10:3389]
> NSOCK (7.4310s) Callback: READ SUCCESS for EID 34 [(null):65535] (11 bytes): .........4.
> Service scan match (Probe TerminalServer matched with TerminalServer): 192.168.1.10:3389 is microsoft-rdp.  Version: |Microsoft Terminal Service|||
> Completed Service scan at 09:32, 6.00s elapsed (1 service on 1 host)
> Starting RPC scan against 192.168.1.10
> Fetchfile found C:\Program Files (x86)\Nmap\nmap-rpc
> NSE: Starting runlevel 1 (of 1) scan.
> Nmap scan report for 192.168.1.10
> Fetchfile found C:\Program Files (x86)\Nmap\nmap-mac-prefixes
> Host is up, received arp-response (0.00013s latency).
> Scanned at 2011-06-21 09:32:29 Central Daylight Time for 6s
> PORT     STATE SERVICE       REASON  VERSION
> 3389/tcp open  microsoft-rdp syn-ack Microsoft Terminal Service
> MAC Address: F4:CE:46:B8:81:60 (Hewlett Packard)
> Service Info: OS: Windows
> Final times for host: srtt: 125 rttvar: 4000 to: 100000
> Read from C:\Program Files (x86)\Nmap: nmap-mac-prefixes nmap-payloads nmap-rpc nmap-service-probes nmap-services.
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 7.46 seconds
>            Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
>
>> If you happen to stumble across a reproducible case in the process, please send details of that too.
>>
>> Thanks a bunch,
>> Shinnok
>>
>> On 06/06/2011 08:27 PM, Michael Lubinski wrote:
>>> Responded in-line below. This will also happen with the following pairings below. Maybe the service probe timeout is on par?
>>>
>>> -88/tcp open kerberos-sec Microsoft Windows kerberos-sec
>>> +88/tcp open tcpwrapped
>>> -464/tcp open kpasswd5
>>> +464/tcp open tcpwrapped
>>> -11099/tcp open apc-agent APC PowerChute agent
>>> +11099/tcp open unknown
>>> -11100/tcp open apc-agent APC PowerChute agent
>>> +11100/tcp open unknown
>>> -464/tcp open
>>> +464/tcp open tcpwrapped
>>>
>>> On Mon, Jun 6, 2011 at 7:41 AM, Shinnok <admin () shinnok com> wrote:
>>>> On Mon, Jun 6, 2011 at 3:27 PM, Shinnok <admin () shinnok com> wrote:
>>>>> Hi,
>>>>>
>>>>> Don't service probes have a certain timeout for the probe response? If so then big service latency could cause that exact mismatch also.
>>>>> Brief grepping revealed the following in service_scan.h:
>>>>>
>>>>> #define DEFAULT_SERVICEWAITMS 5000
>>>>>
>>>>> Which should be enough imho, if that's the right timeout value. Does that value get dynamically adjusted along the scan?
>>>>>
>>>>> Another reason could be that some services have resuming state capabilities or don't recover that well upon sudden termination of a connection, which means that the subsequent timely scans would get unexpected results for the service probes.
>>>>
>>>> As you probably noticed, my comment assumes that there is nothing wrong with the service code; however, given a reproducible case that I can poke at, I am glad to take a look at the issue.
>>>>
>>>> E.g., for the microsoft-rdp case I would need: Windows version,
>>>
>>> Server 2008 R2 Enterprise
>>>
>>>> Service Pack version, MSRDP client version,
>>>
>>> RDP Ver 6.1.7600
>>>
>>>> Nmap version and on which subsequent scan does Nmap stop reporting the Service for the port (the last requirement must be somewhat reproducible).
>>>
>>> Nmap 5.5.1
>>>
>>>> Thanks,
>>>> --
>>>> Shinnok <http://shinnok.com>
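As an added example (not code from the thread or from Nmap itself), a small Python analyser for the --version-trace output Shinnok asked for: it joins each nsock read request to its callback by EID and reports, per port, which probes timed out and which probe finally matched, so two runs can be compared when a version string goes missing. The embedded trace lines are constructed after the 3389/tcp excerpt in Michael's trace.

```python
import re
# Constructed sample, modelled on the --version-trace lines quoted in the thread for 3389/tcp.
SAMPLE_TRACE = """\
Service scan sending probe NULL to 192.168.1.10:3389 (tcp)
NSOCK (1.4310s) Read request from IOD #1 [192.168.1.10:3389] (timeout: 6000ms) EID 18
NSOCK (7.4310s) Callback: READ TIMEOUT for EID 18 [192.168.1.10:3389]
Service scan sending probe TerminalServer to 192.168.1.10:3389 (tcp)
NSOCK (7.4310s) Read request from IOD #1 [192.168.1.10:3389] (timeout: 5000ms) EID 34
NSOCK (7.4310s) Callback: READ SUCCESS for EID 34 [(null):65535] (11 bytes): .........4.
Service scan match (Probe TerminalServer matched with TerminalServer): 192.168.1.10:3389 is microsoft-rdp.
"""

SEND_RE = re.compile(r"^Service scan sending probe (\S+) to (\S+) \(\w+\)")
READ_RE = re.compile(r"^NSOCK \([\d.]+s\) Read request from IOD #\d+ \[([^\]]+)\] \(timeout: (-?\d+)ms\) EID (\d+)")
CB_RE = re.compile(r"^NSOCK \([\d.]+s\) Callback: READ (TIMEOUT|SUCCESS) for EID (\d+)")
MATCH_RE = re.compile(r"^Service scan match \(Probe (\S+) matched with \S+\): (\S+) is (\S+)\.")

def _entry(report, target):
    return report.setdefault(target, {"timeouts": [], "match": None})

def analyse_version_trace(text):
    """Map target -> {"timeouts": [(probe, ms), ...], "match": (probe, service) or None}."""
    # The callback line does not reliably name the socket (see '[(null):65535]'), so join by EID.
    current_probe, pending, report = {}, {}, {}
    for line in text.splitlines():
        if m := SEND_RE.match(line):
            probe, target = m.groups()
            current_probe[target] = probe
            _entry(report, target)  # keep targets that never match
        elif m := READ_RE.match(line):
            target, ms, eid = m.groups()
            if target in current_probe:  # skips the mass_rdns DNS sockets
                pending[eid] = (target, current_probe[target], int(ms))
        elif m := CB_RE.match(line):
            hit = pending.pop(m.group(2), None)  # SUCCESS also clears the EID
            if hit and m.group(1) == "TIMEOUT":
                target, probe, ms = hit
                _entry(report, target)["timeouts"].append((probe, ms))
        elif m := MATCH_RE.match(line):
            probe, target, service = m.groups()
            _entry(report, target)["match"] = (probe, service)
    return report

def verdicts(report):
    out = []  # one line per service, easy to diff between two runs
    for target, info in sorted(report.items()):
        slow = ", ".join(f"{p} ({ms} ms)" for p, ms in info["timeouts"]) or "none"
        hit = f"{info['match'][1]} via probe {info['match'][0]}" if info["match"] else "NO MATCH"
        out.append(f"{target}: {hit}; timed-out probes: {slow}")
    return out
```

Run it over the saved trace of a good run and of a run that lost the version string; a port whose verdict flips to NO MATCH with every probe timed out points at the probe timeout, while a port with no timeouts and no match points elsewhere.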