RE: Extraports Bug?
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Sat, 14 May 2011 08:54:27 +0100

Thanks, that sounds plausible, I'll see if I can repeat it next week.

Although I didn't add it to the initial Nmap command, I think I pressed the
d key a few times during the scan to see what was going on (before
repeatedly pressing D to turn it off). I'm fairly sure it was back to the
equivalent of -d0 by the time the scan results were written to screen/files,
but I think I was increasing debugging during the NSE part of the scan, so
this might be why it happened.
From: David Fifield [mailto:david () bamsoftware com]
Sent: 13 May 2011 23:21
To: Rob Nicholls
Cc: Nmap dev
Subject: Re: Extraports Bug?

On Thu, May 12, 2011 at 05:28:26PM +0100, Rob Nicholls wrote:
> I was going through some port scan results from a recent penetration
> test to try and identify why Kris' Ruby Nmap Parser was taking longer
> than usual to process a file and spotted that the output was mostly
> closed ports (in one example there were 30 open ports and no filtered
> ports). I was expecting to see the 65505 closed ports, for example,
> show up as an extraports entry in the XML file, but instead I had a
> line per port (an extra 65k lines per host made the Nmap and XML
> output files considerably larger than expected!).
>
> A similar scan a matter of hours later against hosts on another subnet
> using the same 5.51 SVN version of Nmap returned:
>
> Not shown: 65502 closed ports
> Reason: 65502 resets
>
> The command I used was:
>
> nmap -vv --script "* and not *brute* and not broadcast and not *flood*
> and not *fuzz* and not *snoop* and not *http-enum*" -n -Pn --reason
> -p- -A -oA xxx_xxx_tcp_full_exclude_xxx -iL xxx.txt
> --defeat-rst-ratelimit --min-hostgroup 64 --exclude xxx.xxx.xxx.xxx
>
> Does anyone have any idea why one set of files is normal (and small)
> and the other is (huge and) full of individual closed ports? The only
> obvious difference I can see is that I used --exclude on this bad
> scan; but that doesn't seem to have made any difference when I ran a
> quick test in the test lab (although the SVN version on a host in the
> lab is probably slightly older). I'll try and do some more testing to
> try and replicate the issue, but I was hoping someone else might have
> seen this "lack of extraports" bug before?

Could have been a difference in debugging level? I think that extraports is
replaced by individual script records with -d2.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
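
Added example (not part of the thread, and not code from Nmap or the Ruby Nmap Parser): a Python check for the condition discussed above, where an Nmap XML file lists closed ports one <port> element at a time instead of summarising them in an <extraports> entry. The sample XML is constructed, and the function names and the threshold parameter are this example's own assumptions.

```python
import io
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in Nmap's XML layout (not data from the scans in this thread).
# 192.0.2.10 has its closed ports collapsed; 192.0.2.20 lists each one.
SAMPLE_XML = b"""<nmaprun scanner="nmap">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<extraports state="closed" count="65502">
<extrareasons reason="resets" count="65502"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
</ports></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="1"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="2"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="3"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
</ports></host>
</nmaprun>"""


def summarize_hosts(source):
    """Stream an Nmap XML file (path or file object), yielding one dict per host."""
    for _event, elem in ET.iterparse(source, events=("end",)):
        if elem.tag != "host":
            continue
        addr = elem.find("address")
        # Ports written out one <port> element at a time, counted by state.
        listed = Counter(s.get("state") for s in elem.iterfind("ports/port/state"))
        # Ports summarised as <extraports state=... count=...>.
        collapsed = {x.get("state"): int(x.get("count", "0"))
                     for x in elem.iterfind("ports/extraports")}
        yield {"addr": addr.get("addr") if addr is not None else None,
               "listed": dict(listed), "collapsed": collapsed}
        elem.clear()  # drop the host subtree so a 65k-port listing is not kept in memory


def uncollapsed_hosts(source, state="closed", threshold=2):
    """Addresses listing more than `threshold` ports in `state` with no extraports
    entry for it. `threshold` is this example's own cutoff, not Nmap's."""
    return [h["addr"] for h in summarize_hosts(source)
            if h["listed"].get(state, 0) > threshold and state not in h["collapsed"]]


if __name__ == "__main__":
    for host in summarize_hosts(io.BytesIO(SAMPLE_XML)):
        print(host)
    print("uncollapsed:", uncollapsed_hosts(io.BytesIO(SAMPLE_XML)))
```

Against a real scan, pass the path of the .xml file written by -oA in place of the BytesIO object and raise the threshold to suit the port range scanned.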