Home page logo

nmap-dev logo Nmap Development mailing list archives

RE: Extraports Bug?
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Sat, 14 May 2011 08:54:27 +0100

Thanks, that sounds plausible, I'll see if I can repeat it next week.
Although I didn't add it to the initial Nmap command, I think I pressed the
d key a few times during the scan to see what was going on (before
repeatedly pressing D to turn it off). I'm fairly sure it was back to the
equivalent of -d0 by the time the scan results were written to screen/files,
but I think I was increasing debugging during the NSE part of the scan, so
this might be why it happened.


-----Original Message-----
From: David Fifield [mailto:david () bamsoftware com] 
Sent: 13 May 2011 23:21
To: Rob Nicholls
Cc: Nmap dev
Subject: Re: Extraports Bug?

On Thu, May 12, 2011 at 05:28:26PM +0100, Rob Nicholls wrote:
I was going through some port scan results from a recent penetration 
test to try and identify why Kris' Ruby Nmap Parser was taking longer 
than usual to process a file and spotted that the output was mostly 
closed ports (in one example there were 30 open ports and no filtered 
ports). I was expecting to see the 65505 closed ports, for example, 
show up as an extraports entry in the XML file, but instead I had a 
line per port (an extra 65k lines per host made the Nmap and XML 
output files considerably larger than expected!).

A similar scan a matter of hours later against hosts on another subnet 
using the same 5.51 SVN version of Nmap returned:
Not shown: 65502 closed ports
Reason: 65502 resets

The command I used was:

nmap -vv --script "* and not *brute* and not broadcast and not *flood* 
and not *fuzz* and not *snoop* and not *http-enum*" -n -Pn --reason 
-p- -A -oA xxx_xxx_tcp_full_exclude_xxx -iL xxx.txt 
--defeat-rst-ratelimit --min-hostgroup 64 --exclude xxx.xxx.xxx.xxx

Does anyone have any idea why one set of files is normal (and small) 
and the other is (huge and) full of individual closed ports? The only 
obvious difference I can see is that I used --exclude on this bad 
scan; but that doesn't seem to have made any difference when I ran a 
quick test in the test lab (although the SVN version on a host in the 
lab is probably slightly older). I'll try and do some more testing to 
try and replicate the issue, but I was hoping someone else might have 
seen this "lack of extraports" bug before?

Could have been a difference in debugging level? I think that extraports is
replaced by individual script records with -d2.

David Fifield

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]