
Incorrect results when scanning a single port on multiple hosts #1508

Open
ebarrere opened this Issue Mar 8, 2019 · 5 comments

ebarrere commented Mar 8, 2019

See nmap output below. The port is in fact open, as indicated by the first scan against the single host (and nc), but it is incorrectly reported as filtered in the second scan.

$ nmap -Pn -p80 HOST2 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-07 16:55 MST
Nmap scan report for HOST2 (10.15.10.30)
Host is up (0.22s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

$ nc -z HOST2 80
Connection to HOST2 port 80 [tcp/http] succeeded!
$ nmap -Pn -p80 HOST1 HOST2 HOST3 HOST4 | awk '/scan report for HOST2/,/80\/tcp/'
Nmap scan report for HOST2 (10.15.10.30)
Host is up.

PORT   STATE    SERVICE
80/tcp filtered http

$ nmap -v
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-07 17:01 MST

Wireshark output shows that during the multi-host scan two SYN packets are sent almost simultaneously, while in the single-host scan there are two subsequent TCP three-way handshakes. I can upload the Wireshark capture if it's helpful, or provide any other necessary details.

djcater commented Mar 9, 2019

To help someone look into it, I would:

  • Post the output of nmap -V (uppercase V)
  • Say whether or not the commands were run as a high-privilege user (e.g. root)
  • Run the commands with -vvv to get more useful output
ebarrere commented Mar 12, 2019

  • Post the output of nmap -V (uppercase V)
$ nmap -V
Nmap version 7.70 ( https://nmap.org )
Platform: x86_64-apple-darwin18.0.0
Compiled with: liblua-5.3.3 openssl-1.0.2p nmap-libssh2-1.8.0 libz-1.2.11 nmap-libpcre-7.6 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: kqueue poll select
  • Say whether or not the commands were run as a high-privilege user (e.g. root)

This was originally run as a standard user, but I have now tried it with sudo and I appear to get the correct output, indicating it's an issue with privilege.

Correct output from -vvv (when run with privilege):

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 58
  • Run the commands with -vvv to get more useful output

Hmm, I thought I had tried this before but I guess I did it wrong. Here is the output:

$ nmap -vvv -Pn -p80 HOST1 HOST2 HOST3 HOST4 | awk '/scan report for HOST2/,/80\/tcp/'
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set.
rDNS record for 10.15.10.30: <REDACTED (BUT CORRECT)>
Scanned at 2019-03-12 13:11:06 MDT for 0s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response
ebarrere commented Mar 12, 2019

FWIW, when running without -Pn set the host is shown as down:

Nmap scan report for HOST2 (10.15.10.30) [host down, received no-response]
bka-dev commented Mar 14, 2019

Is there some kind of gateway between you and the hosts? There might be some rate limiting in place once you start scanning multiple hosts. But to figure this out, could you try the following commands?

sudo nmap -vvv -n -Pn -p80 --max-hostgroup 1 HOST1 HOST2 HOST3 HOST4
sudo nmap -vvv -n -Pn -p80 --max-hostgroup 1 HOST2 HOST1 HOST3 HOST4
sudo nmap -vvv -n -Pn -p80 --max-hostgroup 1 --max-retries 0 HOST1 HOST2 HOST3 HOST4
sudo nmap -vvv -n -Pn -p80 --max-hostgroup 1 --max-retries 0 HOST2 HOST1 HOST3 HOST4

Please note that for scans 2) and 4) above, I changed the ordering of the hosts, so that HOST2 is the first one to be scanned.

ebarrere commented Mar 15, 2019

I am running the scans through a remote access VPN, but I don't believe it does any rate limiting. I will verify, and maybe try running on-site to remove the middle-man.

+ sudo nmap -vvv -n -Pn -p80 --max-hostgroup 1 HOST1 HOST2 HOST3 HOST4
Password:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-15 07:46 MDT
Initiating SYN Stealth Scan at 07:46
Scanning HOST1 (10.15.10.175) [1 port]
Completed SYN Stealth Scan at 07:46, 2.02s elapsed (1 total ports)
Nmap scan report for HOST1 (10.15.10.175)
Host is up, received user-set.
Scanned at 2019-03-15 07:46:54 MDT for 2s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating SYN Stealth Scan at 07:46
Scanning HOST2 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed SYN Stealth Scan at 07:46, 0.23s elapsed (1 total ports)
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set (0.22s latency).
Scanned at 2019-03-15 07:46:56 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 58

Initiating SYN Stealth Scan at 07:46
Scanning HOST3 (192.168.0.41) [1 port]
Completed SYN Stealth Scan at 07:46, 2.03s elapsed (1 total ports)
Nmap scan report for HOST3 (192.168.0.41)
Host is up, received user-set.
Scanned at 2019-03-15 07:46:56 MDT for 2s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating SYN Stealth Scan at 07:46
Scanning HOST4 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed SYN Stealth Scan at 07:46, 0.05s elapsed (1 total ports)
Nmap scan report for HOST4 (10.15.10.30)
Host is up, received user-set (0.043s latency).
Scanned at 2019-03-15 07:46:58 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 57

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 4 IP addresses (4 hosts up) scanned in 4.48 seconds
           Raw packets sent: 6 (264B) | Rcvd: 2 (88B)
+ sudo nmap -vvv -n -Pn -p80 --max-hostgroup 1 HOST2 HOST1 HOST3 HOST4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-15 07:46 MDT
Initiating SYN Stealth Scan at 07:46
Scanning HOST2 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed SYN Stealth Scan at 07:46, 0.23s elapsed (1 total ports)
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set (0.22s latency).
Scanned at 2019-03-15 07:46:58 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 58

Initiating SYN Stealth Scan at 07:46
Scanning HOST1 (10.15.10.175) [1 port]
Completed SYN Stealth Scan at 07:47, 2.02s elapsed (1 total ports)
Nmap scan report for HOST1 (10.15.10.175)
Host is up, received user-set.
Scanned at 2019-03-15 07:46:58 MDT for 2s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating SYN Stealth Scan at 07:47
Scanning HOST3 (192.168.0.41) [1 port]
Completed SYN Stealth Scan at 07:47, 2.02s elapsed (1 total ports)
Nmap scan report for HOST3 (192.168.0.41)
Host is up, received user-set.
Scanned at 2019-03-15 07:47:00 MDT for 2s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating SYN Stealth Scan at 07:47
Scanning HOST4 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed SYN Stealth Scan at 07:47, 0.04s elapsed (1 total ports)
Nmap scan report for HOST4 (10.15.10.30)
Host is up, received user-set (0.040s latency).
Scanned at 2019-03-15 07:47:02 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 57

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 4 IP addresses (4 hosts up) scanned in 4.37 seconds
           Raw packets sent: 6 (264B) | Rcvd: 2 (88B)
+ sudo nmap -vvv -n -Pn -p80 --max-hostgroup 1 --max-retries 0 HOST1 HOST2 HOST3 HOST4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-15 07:47 MDT
Initiating SYN Stealth Scan at 07:47
Scanning HOST1 (10.15.10.175) [1 port]
Warning: 10.15.10.175 giving up on port because retransmission cap hit (0).
Completed SYN Stealth Scan at 07:47, 1.02s elapsed (1 total ports)
Nmap scan report for HOST1 (10.15.10.175)
Host is up, received user-set.
Scanned at 2019-03-15 07:47:03 MDT for 1s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating SYN Stealth Scan at 07:47
Scanning HOST2 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed SYN Stealth Scan at 07:47, 0.23s elapsed (1 total ports)
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set (0.21s latency).
Scanned at 2019-03-15 07:47:04 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 58

Initiating SYN Stealth Scan at 07:47
Scanning HOST3 (192.168.0.41) [1 port]
Warning: 192.168.0.41 giving up on port because retransmission cap hit (0).
Completed SYN Stealth Scan at 07:47, 1.01s elapsed (1 total ports)
Nmap scan report for HOST3 (192.168.0.41)
Host is up, received user-set.
Scanned at 2019-03-15 07:47:04 MDT for 1s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating SYN Stealth Scan at 07:47
Scanning HOST4 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed SYN Stealth Scan at 07:47, 0.04s elapsed (1 total ports)
Nmap scan report for HOST4 (10.15.10.30)
Host is up, received user-set (0.039s latency).
Scanned at 2019-03-15 07:47:05 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 57

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 4 IP addresses (4 hosts up) scanned in 2.38 seconds
           Raw packets sent: 4 (176B) | Rcvd: 2 (88B)
+ sudo nmap -vvv -n -Pn -p80 --max-hostgroup 1 --max-retries 0 HOST2 HOST1 HOST3 HOST4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-15 07:47 MDT
Initiating SYN Stealth Scan at 07:47
Scanning HOST2 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed SYN Stealth Scan at 07:47, 0.22s elapsed (1 total ports)
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set (0.21s latency).
Scanned at 2019-03-15 07:47:05 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 58

Initiating SYN Stealth Scan at 07:47
Scanning HOST1 (10.15.10.175) [1 port]
Warning: 10.15.10.175 giving up on port because retransmission cap hit (0).
Completed SYN Stealth Scan at 07:47, 1.02s elapsed (1 total ports)
Nmap scan report for HOST1 (10.15.10.175)
Host is up, received user-set.
Scanned at 2019-03-15 07:47:05 MDT for 1s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating SYN Stealth Scan at 07:47
Scanning HOST3 (192.168.0.41) [1 port]
Warning: 192.168.0.41 giving up on port because retransmission cap hit (0).
Completed SYN Stealth Scan at 07:47, 1.01s elapsed (1 total ports)
Nmap scan report for HOST3 (192.168.0.41)
Host is up, received user-set.
Scanned at 2019-03-15 07:47:06 MDT for 1s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating SYN Stealth Scan at 07:47
Scanning HOST4 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed SYN Stealth Scan at 07:47, 0.04s elapsed (1 total ports)
Nmap scan report for HOST4 (10.15.10.30)
Host is up, received user-set (0.040s latency).
Scanned at 2019-03-15 07:47:07 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 57

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 4 IP addresses (4 hosts up) scanned in 2.36 seconds
           Raw packets sent: 4 (176B) | Rcvd: 2 (88B)

For the record, HOST1 and HOST3 are actually filtered, the other two are open, so the output above is correct.

Also, the issue didn't occur previously when running with sudo, so I've also run it non-privileged for an apples-to-apples comparison (output below is also correct).

+ nmap -vvv -n -Pn -p80 --max-hostgroup 1 HOST1 HOST2 HOST3 HOST4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-15 08:06 MDT
Initiating Connect Scan at 08:06
Scanning HOST1 (10.15.10.175) [1 port]
Completed Connect Scan at 08:06, 2.00s elapsed (1 total ports)
Nmap scan report for HOST1 (10.15.10.175)
Host is up, received user-set.
Scanned at 2019-03-15 08:06:39 MDT for 2s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating Connect Scan at 08:06
Scanning HOST2 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed Connect Scan at 08:06, 0.22s elapsed (1 total ports)
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set (0.22s latency).
Scanned at 2019-03-15 08:06:41 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Initiating Connect Scan at 08:06
Scanning HOST3 (192.168.0.41) [1 port]
Completed Connect Scan at 08:06, 2.01s elapsed (1 total ports)
Nmap scan report for HOST3 (192.168.0.41)
Host is up, received user-set.
Scanned at 2019-03-15 08:06:41 MDT for 2s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating Connect Scan at 08:06
Scanning HOST4 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed Connect Scan at 08:06, 0.04s elapsed (1 total ports)
Nmap scan report for HOST4 (10.15.10.30)
Host is up, received user-set (0.041s latency).
Scanned at 2019-03-15 08:06:43 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 4 IP addresses (4 hosts up) scanned in 4.31 seconds
+ nmap -vvv -n -Pn -p80 --max-hostgroup 1 HOST2 HOST1 HOST3 HOST4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-15 08:06 MDT
Initiating Connect Scan at 08:06
Scanning HOST2 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed Connect Scan at 08:06, 0.22s elapsed (1 total ports)
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set (0.22s latency).
Scanned at 2019-03-15 08:06:43 MDT for 1s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Initiating Connect Scan at 08:06
Scanning HOST1 (10.15.10.175) [1 port]
Completed Connect Scan at 08:06, 2.00s elapsed (1 total ports)
Nmap scan report for HOST1 (10.15.10.175)
Host is up, received user-set.
Scanned at 2019-03-15 08:06:44 MDT for 2s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating Connect Scan at 08:06
Scanning HOST3 (192.168.0.41) [1 port]
Completed Connect Scan at 08:06, 2.00s elapsed (1 total ports)
Nmap scan report for HOST3 (192.168.0.41)
Host is up, received user-set.
Scanned at 2019-03-15 08:06:46 MDT for 2s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating Connect Scan at 08:06
Scanning HOST4 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed Connect Scan at 08:06, 0.04s elapsed (1 total ports)
Nmap scan report for HOST4 (10.15.10.30)
Host is up, received user-set (0.041s latency).
Scanned at 2019-03-15 08:06:48 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 4 IP addresses (4 hosts up) scanned in 4.32 seconds
+ nmap -vvv -n -Pn -p80 --max-hostgroup 1 --max-retries 0 HOST1 HOST2 HOST3 HOST4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-15 08:06 MDT
Initiating Connect Scan at 08:06
Scanning HOST1 (10.15.10.175) [1 port]
Warning: 10.15.10.175 giving up on port because retransmission cap hit (0).
Completed Connect Scan at 08:06, 1.00s elapsed (1 total ports)
Nmap scan report for HOST1 (10.15.10.175)
Host is up, received user-set.
Scanned at 2019-03-15 08:06:48 MDT for 1s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating Connect Scan at 08:06
Scanning HOST2 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed Connect Scan at 08:06, 0.31s elapsed (1 total ports)
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set (0.31s latency).
Scanned at 2019-03-15 08:06:49 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Initiating Connect Scan at 08:06
Scanning HOST3 (192.168.0.41) [1 port]
Warning: 192.168.0.41 giving up on port because retransmission cap hit (0).
Completed Connect Scan at 08:06, 1.00s elapsed (1 total ports)
Nmap scan report for HOST3 (192.168.0.41)
Host is up, received user-set.
Scanned at 2019-03-15 08:06:49 MDT for 1s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating Connect Scan at 08:06
Scanning HOST4 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed Connect Scan at 08:06, 0.04s elapsed (1 total ports)
Nmap scan report for HOST4 (10.15.10.30)
Host is up, received user-set (0.039s latency).
Scanned at 2019-03-15 08:06:50 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 4 IP addresses (4 hosts up) scanned in 2.41 seconds
+ nmap -vvv -n -Pn -p80 --max-hostgroup 1 --max-retries 0 HOST2 HOST1 HOST3 HOST4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-15 08:06 MDT
Initiating Connect Scan at 08:06
Scanning HOST2 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed Connect Scan at 08:06, 0.38s elapsed (1 total ports)
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set (0.38s latency).
Scanned at 2019-03-15 08:06:50 MDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Initiating Connect Scan at 08:06
Scanning HOST1 (10.15.10.175) [1 port]
Warning: 10.15.10.175 giving up on port because retransmission cap hit (0).
Completed Connect Scan at 08:06, 1.00s elapsed (1 total ports)
Nmap scan report for HOST1 (10.15.10.175)
Host is up, received user-set.
Scanned at 2019-03-15 08:06:50 MDT for 1s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating Connect Scan at 08:06
Scanning HOST3 (192.168.0.41) [1 port]
Warning: 192.168.0.41 giving up on port because retransmission cap hit (0).
Completed Connect Scan at 08:06, 1.00s elapsed (1 total ports)
Nmap scan report for HOST3 (192.168.0.41)
Host is up, received user-set.
Scanned at 2019-03-15 08:06:51 MDT for 1s

PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response

Initiating Connect Scan at 08:06
Scanning HOST4 (10.15.10.30) [1 port]
Discovered open port 80/tcp on 10.15.10.30
Completed Connect Scan at 08:06, 0.04s elapsed (1 total ports)
Nmap scan report for HOST4 (10.15.10.30)
Host is up, received user-set (0.039s latency).
Scanned at 2019-03-15 08:06:52 MDT for 1s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 4 IP addresses (4 hosts up) scanned in 2.47 seconds
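The comparisons in this thread are made by eye across several `-vvv` runs. As an added example (not part of the issue and not nmap's own code), the script below parses the `Nmap scan report for` and `PORT STATE` lines of that output into a per-target map and diffs two runs, so a host whose port flips between `filtered`/`no-response` and `open`/`syn-ack` is flagged mechanically; the sample text is constructed from the outputs quoted above.

```python
import re
from typing import Dict, Tuple

# Constructed samples trimmed from the -vvv output quoted in the thread.
# RUN_A: the multi-host scan that reported HOST2 as filtered.
# RUN_B: the --max-hostgroup 1 scan that reported HOST2 as open.
RUN_A = """\
Nmap scan report for HOST1 (10.15.10.175)
Host is up, received user-set.
PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set.
PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response
"""
RUN_B = """\
Nmap scan report for HOST1 (10.15.10.175)
Host is up, received user-set.
PORT   STATE    SERVICE REASON
80/tcp filtered http    no-response
Nmap scan report for HOST2 (10.15.10.30)
Host is up, received user-set (0.22s latency).
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 58
"""

# "Nmap scan report for NAME (IP)" or, with -n / IP targets, just "NAME".
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
# "80/tcp filtered http    no-response" -> port, proto, state, service, reason
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

Results = Dict[str, Dict[str, Tuple[str, str]]]

def parse_nmap_verbose(text: str) -> Results:
    """Map each target (IP when printed, else the name) to {port/proto: (state, reason)}."""
    results: Results = {}
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            results.setdefault(current, {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port = f"{m.group(1)}/{m.group(2)}"
            results[current][port] = (m.group(3), m.group(5).strip() or "unknown")
    return results

def diff_runs(a: Results, b: Results) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {target: {port: (state_in_a, state_in_b)}} for every port whose state differs."""
    changes: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for target in sorted(set(a) | set(b)):
        pa, pb = a.get(target, {}), b.get(target, {})
        for port in sorted(set(pa) | set(pb)):
            sa, sb = pa.get(port, ("absent", ""))[0], pb.get(port, ("absent", ""))[0]
            if sa != sb:
                changes.setdefault(target, {})[port] = (sa, sb)
    return changes
```

Any non-empty result from `diff_runs` is a port whose state depends on how the scan was run, which is exactly the kind of result that should be rechecked before it is trusted.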