Re: [Bug Report] Host order becoming important when using r00t

[Jacek Wielemborek <d33tah () gmail com>]

27.07.2014 17:51, Jay Bosamiya:
> Hi All!
>
> Just noticed this bug when testing: host order becomes important when
> using root.
>
> To reproduce the bug: try running "sudo nmap scanme.nmap.org localhost
> -sn" and "sudo nmap localhost scanme.nmap.org -sn".
>
> Logically, both should give the same result (except for ordering of
> hosts in output). However, the first command works perfectly (shows both
> hosts up), and the second commands takes a lot of time followed by
> showing scanme.nmap.org as down.
>
> For reference, the output for both commands with -d9 is at [1] and [2].
> (Run with latest svn trunk).
>
> Seems like the problem lies in some probes getting no response (in the
> second ordering).
>
> Another interesting thing is that this problem comes up only when
> running as root (either through sudo, or through root directly).
>
> I haven't tried tracing this bug since I'm currently working on the
> --ignore-after option.
>
> If anyone figures out why this happens or wants to take this up, you're
> welcome to work on it. :)
>
> Cheers,
> Jay
>
> Links:
> [1] http://pastebin.com/fP9xW4iw
> [2] http://pastebin.com/1HUr8whT
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

I confirm the bug. Here's a log I already sent to Jay before:

> $ sudo ./nmap localhost scanme.nmap.org -sn -d9
>
> Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-27 16:34 CEST
> The max # of sockets we are using is: 0
> --------------- Timing report ---------------
>   hostgroups: min 1, max 100000
>   rtt-timeouts: init 1000, min 100, max 10000
>   max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
>   parallelism: min 0, max 0
>   max-retries: 10, host-timeout: 0
>   min-rate: 0, max-rate: 0
> ---------------------------------------------
> Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
> mass_rdns: Using DNS server 217.113.224.35
> mass_rdns: Using DNS server 217.113.224.134
> Nmap scan report for localhost (127.0.0.1)
> Host is up, received localhost-response TTL 0.
> Other addresses for localhost (not scanned): 127.0.0.1
> Fetchfile found /mnt/sda/d33tah/workspace/nmap/nmap/nmap-payloads
> Initiating Ping Scan at 16:34
> Scanning scanme.nmap.org (74.207.244.221) [4 ports]
> Packet capture filter (device p5p1): dst host 172.16.1.2 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 
> 74.207.244.221)))
> SENT (0.0234s) ICMP [127.0.0.1 > 74.207.244.221 Echo request (type=8/code=0) id=65360 seq=0] IP [ver=4 ihl=5 tos=0x00 
> iplen=28 id=45145 foff=0 ttl=46 proto=1 csum=0x1dda]
> SENT (0.0235s) TCP [127.0.0.1:62654 > 74.207.244.221:443 S seq=3869651658 ack=0 off=6 res=0 win=1024 csum=0xC58D 
> urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0x00 iplen=44 id=47696 foff=0 ttl=50 proto=6 csum=0x0fce]
> SENT (0.0236s) TCP [127.0.0.1:62654 > 74.207.244.221:80 A seq=0 ack=3869651658 off=5 res=0 win=1024 csum=0xDEA6 
> urp=0] IP [ver=4 ihl=5 tos=0x00 iplen=40 id=32009 foff=0 ttl=46 proto=6 csum=0x5119]
> SENT (0.0236s) ICMP [127.0.0.1 > 74.207.244.221 Timestamp request (type=13/code=0) id=53271 seq=0 orig=0 recv=0 
> trans=0] IP [ver=4 ihl=5 tos=0x00 iplen=40 id=63721 foff=0 ttl=47 proto=1 csum=0xd43d]
> **TIMING STATS** (0.0237s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
> cwnd/ssthresh/delay, timeout/srtt/rttvar/
>    Groupstats (1/1 incomplete): 4/*/*/*/*/* 10.00/75/* 1000000/-1/-1
>    74.207.244.221: 4/0/0/4/0/0 10.00/75/0 1000000/-1/-1
> Current sending rates: 323.60 packets / s, 12296.74 bytes / s.
> Overall sending rates: 323.60 packets / s, 12296.74 bytes / s.
> **TIMING STATS** (1.0245s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
> cwnd/ssthresh/delay, timeout/srtt/rttvar/
>    Groupstats (1/1 incomplete): 0/*/*/*/*/* 10.00/75/* 1000000/-1/-1
>    74.207.244.221: 0/0/0/4/4/0 10.00/75/0 1000000/-1/-1
> Current sending rates: 3.95 packets / s, 150.03 bytes / s.
> Overall sending rates: 3.95 packets / s, 150.03 bytes / s.
> SENT (2.0255s) ICMP [127.0.0.1 > 74.207.244.221 Timestamp request (type=13/code=0) id=14658 seq=0 orig=0 recv=0 
> trans=0] IP [ver=4 ihl=5 tos=0x00 iplen=40 id=7781 foff=0 ttl=44 proto=1 csum=0xb1c2]
> SENT (2.0256s) TCP [127.0.0.1:62655 > 74.207.244.221:80 A seq=0 ack=3869717195 off=5 res=0 win=1024 csum=0xDEA3 
> urp=0] IP [ver=4 ihl=5 tos=0x00 iplen=40 id=35556 foff=0 ttl=51 proto=6 csum=0x3e3e]
> SENT (2.0257s) TCP [127.0.0.1:62655 > 74.207.244.221:443 S seq=3869717195 ack=0 off=6 res=0 win=1024 csum=0xC58A 
> urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0x00 iplen=44 id=12621 foff=0 ttl=54 proto=6 csum=0x94d1]
> SENT (2.0257s) ICMP [127.0.0.1 > 74.207.244.221 Echo request (type=8/code=0) id=18027 seq=0] IP [ver=4 ihl=5 tos=0x00 
> iplen=28 id=59499 foff=0 ttl=44 proto=1 csum=0xe7c7]
> **TIMING STATS** (2.0257s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
> cwnd/ssthresh/delay, timeout/srtt/rttvar/
>    Groupstats (1/1 incomplete): 4/*/*/*/*/* 10.00/75/* 1000000/-1/-1
>    74.207.244.221: 4/0/0/8/0/0 10.00/75/0 1000000/-1/-1
> Current sending rates: 3.97 packets / s, 150.91 bytes / s.
> Overall sending rates: 3.97 packets / s, 150.91 bytes / s.
> **TIMING STATS** (3.0265s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
> cwnd/ssthresh/delay, timeout/srtt/rttvar/
>    Groupstats (1/1 incomplete): 0/*/*/*/*/* 10.00/75/* 1000000/-1/-1
>    74.207.244.221: 0/0/0/8/4/0 10.00/75/0 1000000/-1/-1
> Current sending rates: 2.65 packets / s, 100.82 bytes / s.
> Overall sending rates: 2.65 packets / s, 100.82 bytes / s.
> ultrascan_host_probe_update called for machine 74.207.244.221 state UNKNOWN -> HOST_DOWN (trynum 1 time: 1003158)
> ultrascan_host_probe_update called for machine 74.207.244.221 state HOST_DOWN -> HOST_DOWN (trynum 1 time: 1003066)
> ultrascan_host_probe_update called for machine 74.207.244.221 state HOST_DOWN -> HOST_DOWN (trynum 1 time: 1003018)
> ultrascan_host_probe_update called for machine 74.207.244.221 state HOST_DOWN -> HOST_DOWN (trynum 1 time: 1002965)
> Moving 74.207.244.221 to completed hosts list with 4 outstanding probes.
> * icmp type 8 code 0
> * tcp to port 443; flags: S
> * tcp to port 80; flags: A
> * icmp type 13 code 0
> Completed Ping Scan at 16:34, 3.02s elapsed (1 total hosts)
> Overall sending rates: 2.65 packets / s, 100.75 bytes / s.
> pcap stats: 0 packets received by filter, 0 dropped by kernel.
> Nmap scan report for scanme.nmap.org (74.207.244.221) [host down, received no-response]
> Read from /mnt/sda/d33tah/workspace/nmap/nmap: nmap-payloads.
> Nmap done: 2 IP addresses (1 host up) scanned in 3.04 seconds
>            Raw packets sent: 8 (304B) | Rcvd: 0 (0B)

Note that Wireshark says that these probes got a response.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/