Nmap Development mailing list archives

nmap hang due to bind failed


From: "泰森" <24123782 () qq com>
Date: Thu, 15 Jan 2015 13:31:24 +0800

Hi, all:
   First, I'm not sure if somebody has reported this issue. 
   When I use nmap 6.47 to scan my hosts, sometimes nmap never quits.
   Here is my command: nmap -Pn -O -sT -sV --version-intensity 4 10.18.209.151 -e eth1 -T 3 --max-retries 5 --min-rate 250 --min-parallelism 100 -n -oX /tmp/logs/nmap_test.log --open

  Here are some parts of the nmap output:


  NSOCK ERROR [80.7190s] mksock_bind_addr(): Bind to 0.0.0.0:443 failed (IOD #15): Address already in use (98)


Nmap scan report for 10.18.209.151
Host is up (0.00062s latency).
Not shown: 525 closed ports, 448 filtered ports
PORT      STATE SERVICE          VERSION
7/tcp     open  echo
9/tcp     open  discard?
13/tcp    open  daytime          Sun Solaris daytime
19/tcp    open  chargen
21/tcp    open  ftp              Solaris ftpd
22/tcp    open  ssh              SunSSH 1.0 (protocol 2.0)
23/tcp    open  telnet           Sun Solaris telnetd
37/tcp    open  time             (32 bits)
79/tcp    open  finger           Sun Solaris fingerd
111/tcp   open  rpcbind          2-4 (RPC #100000)
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  tcpwrapped
515/tcp   open  printer          Sun Solaris lpd
4045/tcp  open  nlockmgr         1-4 (RPC #100021)
5987/tcp  open  wbem-rmi?
6112/tcp  open  tcpwrapped
7100/tcp  open  font-service     Sun Solaris fs.auto
32771/tcp open  ttdbserverd      1 (RPC #100083)
32772/tcp open  kcms_server      1 (RPC #100221)
32773/tcp open  metad            1 (RPC #100229)
32774/tcp open  metamhd          1 (RPC #100230)
32775/tcp open  rpc.metamedd     1 (RPC #100242)
32776/tcp open  rusersd          2-3 (RPC #100002)
32777/tcp open  status           1 (RPC #100024)
32780/tcp open  sometimes-rpc23?
32781/tcp open  dmispd           1 (RPC #300598)
MAC Address: 00:50:56:A2:00:34 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.47%E=4%D=3/14%OT=7%CT=1%CU=34485%PV=Y%DS=1%DC=D%G=Y%M=005056%TM
OS:=550446DB%P=i686-pc-linux-gnu)SEQ(SP=AB%GCD=2%ISR=B4%CI=I%II=I%TS=7)OPS(
OS:O1=NNT11M5B4NW1NNS%O2=NNT11M5B4NW1NNS%O3=NNT11M5B4NW1%O4=NNT11M5B4NW1NNS
OS:%O5=NNT11M5B4NW1NNS%O6=NNT11M5B4NNS)WIN(W1=8218%W2=8220%W3=80CA%W4=80F4%
OS:W5=80F4%W6=FFF7)ECN(R=Y%DF=Y%T=3C%W=8052%O=M5B4NW1NNS%CC=Y%Q=)T1(R=Y%DF=
OS:Y%T=3C%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y
OS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=Y%T=FF%IPL=70%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=Y%T=FF%CD=S)


Network Distance: 1 hop
Service Info: Host: bjtest; OS: Solaris; CPE: cpe:/o:sun:sunos


OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.73 seconds


Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-14 22:34 CST


NSOCK ERROR [71.9130s] mksock_bind_addr(): Bind to 0.0.0.0:443 failed (IOD #45): Address already in use (98)


nmap will stay here and never quit.
When I use strace to watch, it outputs the following:


epoll_wait(4, {}, 128, 50)              = 0
gettimeofday({1426344410, 914303}, NULL) = 0
gettimeofday({1426344410, 914336}, NULL) = 0
gettimeofday({1426344410, 914408}, NULL) = 0
epoll_wait(4, {}, 128, 50)              = 0
gettimeofday({1426344410, 965273}, NULL) = 0
gettimeofday({1426344410, 965295}, NULL) = 0
gettimeofday({1426344410, 965335}, NULL) = 0
epoll_wait(4, {}, 128, 50)              = 0
gettimeofday({1426344411, 17302}, NULL) = 0
gettimeofday({1426344411, 17326}, NULL) = 0
gettimeofday({1426344411, 17362}, NULL) = 0
epoll_wait(4, {}, 128, 50)              = 0
gettimeofday({1426344411, 68253}, NULL) = 0
gettimeofday({1426344411, 68276}, NULL) = 0
gettimeofday({1426344411, 68308}, NULL) = 0
epoll_wait(4, {}, 128, 50)              = 0
gettimeofday({1426344411, 119264}, NULL) = 0
gettimeofday({1426344411, 119288}, NULL) = 0
gettimeofday({1426344411, 119359}, NULL) = 0



I also used gdb to attach to the nmap process:
#0  0xb7736424 in __kernel_vsyscall ()
#1  0xb72d5098 in epoll_wait () from /lib/libc.so.6
#2  0x08106870 in epoll_loop (nsp=0x8bcc000, msec_timeout=50) at engine_epoll.c:302
#3  0x080ffde4 in nsock_engine_loop (msec_timeout=<optimized out>, nsp=<optimized out>) at nsock_internal.h:423
#4  nsock_loop (nsp=0x8bcc000, msec_timeout=50) at nsock_core.c:935
#5  0x080efb18 in l_loop (L=0x8bc7db0) at nse_nsock.cc:423
#6  0x081222c7 in luaD_precall (L=0x8bc7db0, func=0x8cfaed8, nresults=<optimized out>) at ldo.c:319
#7  0x0812bfb1 in luaV_execute (L=0x8bc7db0) at lvm.c:709
#8  0x08122598 in luaD_call (L=0x8bc7db0, func=0x8bf4368, nResults=0, allowyield=0) at ldo.c:402
#9  0x0811f85f in lua_callk (L=0x8bc7db0, nargs=2, nresults=0, ctx=0, k=0x80) at lapi.c:905
#10 0x080ebf88 in run_main (L=0x8bc7db0) at nse_main.cc:647
#11 0x081222c7 in luaD_precall (L=0x8bc7db0, func=0x8bf4358, nresults=<optimized out>) at ldo.c:319
#12 0x08122568 in luaD_call (L=0x8bc7db0, func=0x8bf4358, nResults=0, allowyield=0) at ldo.c:401
#13 0x0811f819 in f_call (L=0x8bc7db0, ud=0xbf847e58) at lapi.c:923
#14 0x08121745 in luaD_rawrunprotected (L=0x8bc7db0, f=0x811f7f0 <f_call>, ud=0xbf847e58) at ldo.c:131
#15 0x081217b6 in luaD_pcall (L=0x8bc7db0, func=0x811f7f0 <f_call>, u=0xbf847e58, old_top=16, ef=8) at ldo.c:603
#16 0x0811f74f in lua_pcallk (L=0x8bc7db0, nargs=1, nresults=0, errfunc=1, ctx=0, k=0x0) at lapi.c:949
#17 0x080ebcaf in script_scan (targets=..., scantype=SCRIPT_SCAN) at nse_main.cc:805
#18 0x080938d2 in nmap_main (argc=22, argv=0xbf848c64) at nmap.cc:1995
#19 0x08088ea9 in main (argc=22, argv=0xbf848c64) at main.cc:229
(gdb) quit
A debugging session is active.


        Inferior 1 [process 888] will be detached.


Quit anyway? (y or n) y
Detaching from program: /bin/nmap, process 888





It seems that nmap wants to bind port 443 and fails (because I have an Apache running on port 443). Does this lead to the nmap hang?
Why does nmap use port 443 for binding?


Any suggestion is welcome, thanks!


Ricky
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/