Re: Urgent - Problem with nmap never finishing and hogging memory while using ssl-heartbleed.nse

[Daniel Miller <bonsaiviking () gmail com>]

Thanks for this report. We have fixed the problem in tls.lua in r32836

Dan


On Wed, Apr 16, 2014 at 2:51 PM, Landon Stewart <lstewart () iweb com> wrote:

> Hello,
>
> This report may contain sensitive information not for the public so I am
> opting to send this directly to you instead of to the mailing list.  I have
> CC'd jspenguin () jspenguin org since he's the original author of ssltest.py
> and it might have to do with the adaptation of that script to the
> ssl-heartbleed.nse script.  I don't know if he wrote the nse script though
> too.
>
> Basically when I start a scan certain hosts the scan causes nmap to hog RAM
> like crazy and then never actually completing properly.  I've tried using
> "--host_timeout 3m" but this is seemingly ignored while using "--script
> ...".  After the RAM is filled it starts using swap space. This is severely
> impacting the machine's RAM and causing scans to fail and take an insane
> amount of time.  The nmap process never finishes presumably until it runs
> out of RAM but no error is printed.
>
> Also - When using -oX for output to these scans the output is broken
> because the XML isn't completely written (missing the results of the scan
> and the </nmaprun> closing tag).  The XML can therefor not be parsed so
> mass scanning netblocks cannot be done reliably.
>
> During a the scan described in more detail below here is the 'top -b |
> head' output:
> # top -b | head
> top - 15:44:48 up 39 days, 19:39,  5 users,  load average: 2.16, 1.80, 1.18
> Tasks: 192 total,   3 running, 189 sleeping,   0 stopped,   0 zombie
> Cpu(s):  0.3%us,  0.7%sy,  0.0%ni, 98.3%id,  0.6%wa,  0.0%hi,  0.0%si,
>  0.0%st
> Mem:   5377252k total,  5356888k used,    20364k free,     1336k buffers
> Swap:  4194288k total,  2705568k used,  1488720k free,     5112k cached
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>
>
>
>    98 root      20   0     0    0    0 R 100.0  0.0 120:55.14 kswapd0
>
>
>
> 27728 root      20   0 7220m 4.6g   76 R 100.0 89.0   7:57.82 nmap
>
>
>
> 27820 root      20   0 15032 1156  824 R 100.0  0.0   0:01.16 top
>
> *Attached Files:*
>
> *nmap-command_and_output.txt*
> - Shows the command used to perform the nmap scan and the output.
> - Command is:
> -- /usr/bin/nmap --host-timeout 3s -Pn -n --script ssl-heartbleed -p443
> 108.163.169.99 --packet-trace -v -v -v
>
> *108.163.169.99.pcap*
> - A packet capture taken with dump cap (-f 'host 108.163.169.99')
> - 16 packets
>
> *lsof-command_during_scan.txt*
> - Shows the output of 'lsof -Pnp 27728' which is the PID of nmap during the
> scan
>
> *process_list_output_10_every_10_seconds.txt*
> - Checked the process 10 times at 10 second intervals
> - Shows the memory usage growing and growing
> - Output of this command:
> -- for i in {1..10}; do ps auxww | egrep '(CPU|27728)' | grep -v grep ;
> sleep 10; done
>
> (( You have our permission to GO AHEAD and scan 108.163.169.99 if you need
> to replicate this ))
>
> --
> Landon Stewart :: lstewart () iweb com
> Lead Specialist, Abuse and Security Management
> Spécialiste principal, gestion des abus et sécurité
> http://iweb.com :: +1 (888) 909-4932
>
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/