Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Suspect that --host-timeout is not working in 4.50?
From: doug () hcsw org
Date: Fri, 21 Dec 2007 14:04:00 -0800

On Thu, Dec 20, 2007 at 10:44:42PM -0800 or thereabouts, Fyodor wrote:
Each host has a clock you'll see if
you look at how it is done in the other parts of Nmap.

Of course you're right about this. The moral: don't send
late-night patches without thinking them through. :)

How about the attached patch? I think it should do what
we want. It starts the host clocks as soon as NSE puts them
into waiting_scripts and stops them as soon as it calls
process_finalize() on the last script associated with that
host. In nse_mainloop() it checks each script to see if its
target has timedOut() and, if so, terminates the script with
a LUA_ERRRUN (maybe there is a better error code that can be
used, I dunno??).

Here is an annotated example run:


[Running it with a hostgroup of 1. Using a timeout of 6.3 seconds
 because version detection against (most) webservers takes at least
 6 seconds because that is how long for the NULL probe to timeout]

$ ./nmap -v -P0 --host-timeout 6300 --max-hostgroup 1 -n --script=showHTMLTitle.nse -sV -p 80 192.168.123.1 google.com
host-timeout is given in milliseconds, so you specified less than 15 seconds (6300ms). This is allowed but not 
recommended.

Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-21 13:48 PST
Warning: Hostname google.com resolves to 3 IPs. Using 64.233.167.99.
Initiating Connect Scan at 13:48
Scanning 192.168.123.1 [1 port]
Discovered open port 80/tcp on 192.168.123.1
Completed Connect Scan at 13:48, 0.00s elapsed (1 total ports)
Initiating Service scan at 13:48
Scanning 1 service on 192.168.123.1
Completed Service scan at 13:49, 6.00s elapsed (1 service on 1 host)
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 13:49
Completed SCRIPT ENGINE at 13:49, 0.00s elapsed
Host 192.168.123.1 appears to be up ... good.
Interesting ports on 192.168.123.1:
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.29 ((Unix) mod_ssl/2.8.16 OpenSSL/0.9.7g)
|_ HTML title: Site doesn't have a title.

[Since this box was on my local network, sV took almost
 exactly 6 seconds which left more than enough time to
 run the script]

[On to the second hostgroup...]

Initiating Connect Scan at 13:49
Scanning 64.233.167.99 [1 port]
Discovered open port 80/tcp on 64.233.167.99
Completed Connect Scan at 13:49, 0.08s elapsed (1 total ports)
Initiating Service scan at 13:49
Scanning 1 service on 64.233.167.99
Completed Service scan at 13:49, 6.27s elapsed (1 host timed out)
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 13:49
Completed SCRIPT ENGINE at 13:49, 0.00s elapsed
Host 64.233.167.99 appears to be up ... good.
Skipping host 64.233.167.99 due to host timeout

[google.com is NOT on my local network though, so the version
 detection times the host out. When -sC is run, it times the
 host out immediately because its clock has run out]

Nmap done: 2 IP addresses (2 hosts up) scanned in 12.814 seconds






Here is another example:

[Running full script scan against google.com but it
 takes longer than 10s so is timed out]

$ ./nmap -v -n -sC google.com --host-timeout 10s -p 80
host-timeout is given in milliseconds, so you specified less than 15 seconds (10000ms). This is allowed but not 
recommended.

Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-21 14:02 PST
Warning: Hostname google.com resolves to 3 IPs. Using 64.233.167.99.
Initiating Ping Scan at 14:02
Scanning 64.233.167.99 [1 port]
Completed Ping Scan at 14:02, 0.08s elapsed (1 total hosts)
Initiating Connect Scan at 14:02
Scanning 64.233.167.99 [1 port]
Discovered open port 80/tcp on 64.233.167.99
Completed Connect Scan at 14:02, 0.09s elapsed (1 total ports)
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 14:02
Completed SCRIPT ENGINE at 14:02, 10.21s elapsed
Host 64.233.167.99 appears to be up ... good.
Skipping host 64.233.167.99 due to host timeout

Read data files from: .
Nmap done: 1 IP address (1 host up) scanned in 10.568 seconds





The only thing I'm not sure about is if NSE will run through
process_mainloop() often enough to enforce really accurate
host timeouts. In any case, it seems to work as well as it
does in version detection.

Best,

Doug

Attachment: nmap-host-timeout-support-for-nse.patch
Description:

Attachment: signature.asc
Description: Digital signature


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]