
execution time increases with --exclude-port #1581

Open
anindyar opened this issue Apr 29, 2019 · 4 comments

@anindyar

commented Apr 29, 2019

Hi,

I am trying to automate some scans using the following command:

nmap -iL ip.list -oG - -sT -Pn --exclude-ports 80,443

The same command without --exclude-ports takes about 3 minutes for about 30 IPs, but the moment I include it, the time increases to around 3 minutes per IP.

I am trying to understand the possible cause of this behavior and whether there is a workaround for doing the same.

Regards,
Roy

@dmiller-nmap


commented Apr 29, 2019

Thanks for the report. Can you provide output of nmap --version?

One possibility is that some of your targets are heavily firewalled and only have ports 80 and 443 unblocked. In this case, Nmap will still scan the target because of -Pn, but it will have to do many retries of each probe and wait a long time for a response, since it has no idea how long a successful probe would take. Without --exclude-ports, it gets a response quickly from one of those ports and can then make a much better guess of when a no-reply means "filtered" and not "packet lost." You can test this by excluding a different 2 ports, such as --exclude-ports 99,100. If the scan goes much quicker, then this is the reason.

The other possibility is that --exclude-ports may be increasing the amount of work (either processing or memory) that is needed to scan the targets. This is almost certainly not the problem, since that would not result in such a large scan time increase, and I believe the exclude work is done prior to scanning and does not increase with respect to the number of targets. However, if this is the case, you can ask Nmap to give you the list of ports it would scan with --exclude-ports, and then use that directly with -p to give the same behavior, but without involving the code from the --exclude-ports feature:

nmap -v -oG - --exclude-ports 80,443 | awk -F '[;)]' '/Ports/{print $2}' > safe-ports.txt
nmap [normal options] -p $(cat safe-ports.txt)

If this does not fix the problem, then the problem is in the behavior of the target (like I first suggested) and not in the code involved with --exclude-ports.

@dmiller-nmap dmiller-nmap added the Nmap label Apr 29, 2019
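The awk one-liner above pulls the TCP port list out of the `# Ports scanned:` comment that Nmap writes to greppable (-oG) output when -v is set. As an added example (not code from the issue or from the Nmap project), the following Python script does the same extraction offline against a constructed header line, cross-checks the port count Nmap prints against the list, and also computes the same "all ports except these" list directly from a -p spec, so the safe-ports file can be verified without running a scan. The exact header format, the sample header text and the function names are assumptions; the regex is stricter than awk's `/Ports/`, which would also match the per-host `Ports:` lines if any targets had been scanned.

```python
import re

# Constructed sample of the greppable (-oG) header that Nmap prints with -v.
# The format is assumed from the awk pipeline in the comment above; this is
# not real Nmap output.
SAMPLE_GREPABLE = """\
# Nmap 7.60 scan initiated as: nmap -v -oG - -p 1-1024 --exclude-ports 80,443
# Ports scanned: TCP(1022;1-79,81-442,444-1024) UDP(0;) SCTP(0;) PROTOCOLS(0;)
# Nmap done -- 0 IP addresses (0 hosts up) scanned in 0.01 seconds
"""

# Only the header line, and only the TCP(count;list) field of it.
PORTS_SCANNED_RE = re.compile(r"^# Ports scanned: .*TCP\((\d+);([^)]*)\)", re.M)


def parse_port_spec(spec: str) -> set:
    """Expand an Nmap-style port list ("1-79,81-442,8080") into a set of ints."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not (1 <= lo_n <= hi_n <= 65535):
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


def compress_ports(ports) -> str:
    """Collapse a set of ports back into the compact form that -p accepts."""
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p          # extend the current run
        else:
            runs.append([p, p])      # start a new run
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


def scanned_tcp_ports(grepable: str) -> str:
    """Return the TCP port list from the '# Ports scanned:' header (what the
    awk one-liner extracts), after checking the count field matches the list."""
    m = PORTS_SCANNED_RE.search(grepable)
    if m is None:
        raise ValueError("no '# Ports scanned:' header found (was -v given?)")
    count, spec = int(m.group(1)), m.group(2)
    if len(parse_port_spec(spec)) != count:
        raise ValueError("port count does not match port list")
    return spec


def exclude_ports(spec: str, excluded: str) -> str:
    """Offline equivalent of --exclude-ports: remove ports from a -p spec."""
    return compress_ports(parse_port_spec(spec) - parse_port_spec(excluded))


if __name__ == "__main__":
    # Both routes should agree; the second needs no Nmap invocation at all.
    print("from header :", scanned_tcp_ports(SAMPLE_GREPABLE))
    print("computed    :", exclude_ports("1-1024", "80,443"))
```

The value returned by `scanned_tcp_ports` (or `exclude_ports`) is what goes into the safe-ports file and then into `-p $(cat safe-ports.txt)`; if the two functions disagree on the same inputs, the header was not parsed the way you expected.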

@anindyar


commented Apr 29, 2019

Awesome mate!! Your trick worked. The test on 222 IPs that took 11.8 hours last time worked in 15 minutes with the file with all ports except 80 and 443. Really appreciate the quick response.

Regards,
Roy

@dmiller-nmap


commented Apr 29, 2019

@anindyar Can you please be more specific so we can determine if there is a problem we can fix? What version of Nmap are you using? Which of the 2 workarounds did you try that worked? Thanks.

@anindyar


commented Apr 30, 2019

Sure,

And sorry for being too abrupt in my last response; I got too excited because it worked.

I am on Nmap version 7.60, and all I did was generate a safe-ports file like you mentioned, but I actually excluded ports 80 and 443 from it, and it just worked for me.

Let me know if you want me to test anything else to determine what caused the issue. I will be happy to help.
