
NSE: Packet retransmit breaking rdp-ntlm-info #1682

TomSellers opened this issue Aug 10, 2019 · 0 comments



commented Aug 10, 2019

I've seen some reports, which I was able to reproduce, that rdp-ntlm-info didn't work against Windows 7. While testing I noticed that some of the packets were being sent twice which was breaking the protocol negotiation. This seems to happen when scanning with -sS but not -sT.

This appears to be an issue with Nmap or NSE and how raw packets are handled.

You can observe the retransmission using Wireshark / tcpdump.

Reproduce error
```
sudo nmap -sS --script rdp-ntlm-info -p 3389 -n target_ip

sudo nmap -sT --script rdp-ntlm-info -p 3389 -n target_ip
```

When running with --packet-trace I only see Nmap send the packet once (in the output) in either case.

If you view the traffic with Wireshark you can see that it is re-transmitted.

Packet 15 is the original, packet 16 is the retransmission.

I was able to create a simple reproducer which removes the protocol from the equation.

```
sudo nmap -sS --script +test -p 3389 target_ip
```

```lua
local nmap = require "nmap"
local stdnse = require "stdnse"
local shortport = require "shortport"

categories = {"safe"}

portrule = shortport.port_or_service("3389", "ms-wbt-server")

action = function( host, port )

  -- Plain NSE TCP socket: connect, send a single payload, read one response.
  -- The duplicate segment is only visible in a packet capture, not here.
  local socket = nmap.new_socket()
  if ( not(socket:connect(host, port)) ) then
    return false, "Failed connecting to server"
  end

  local status, err = socket:send("If a packet hits a pocket on a socket on a port..")
  if ( not(status) ) then
    socket:close()
    return false, err
  end

  stdnse.debug1("Sent, now waiting...")
  local _, data = socket:receive()
  socket:close()

  return data
end
```
```
$ nmap --version
Nmap version 7.70SVN ( )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1 libssh2-1.8.0 libz-1.2.11 nmap-libpcre-7.6 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
Linux sammich 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```
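Not part of the original issue: an added, stdlib-only Python example that builds a constructed pcap containing the same TCP segment twice and flags it the way one would when checking a capture for the retransmission described above (same source, destination, sequence number and payload). The addresses, port 40000 and the frames themselves are constructed sample values, not taken from the reporter's capture.

```python
import struct
from collections import Counter

def constructed_packet(seq, payload, sport=40000, dport=3389):
    # Ethernet + IPv4 + TCP frame with zeroed checksums (constructed sample, not captured)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def constructed_pcap(frames):
    # Little-endian pcap (magic 0xA1B2C3D4, link type 1 = Ethernet) wrapping the frames
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def tcp_segments(pcap):
    # Yield (src, dst, seq, payload) for every IPv4/TCP frame in the capture
    off = 24
    while off < len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl: 14 + ip_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        src = f"{'.'.join(map(str, frame[26:30]))}:{sport}"
        dst = f"{'.'.join(map(str, frame[30:34]))}:{dport}"
        yield src, dst, seq, tcp[doff:]

def find_retransmissions(pcap):
    # Data-carrying segments seen more than once with identical src/dst/seq/payload,
    # returned as (src, dst, seq, count); pure ACKs (empty payload) are ignored
    counts = Counter((s, d, q, p) for s, d, q, p in tcp_segments(pcap) if p)
    return [(s, d, q, n) for (s, d, q, p), n in counts.items() if n > 1]

if __name__ == "__main__":
    probe = constructed_packet(1000, b"If a packet hits a pocket on a socket on a port..")
    capture = constructed_pcap([probe, probe, constructed_packet(2000, b"x")])
    print(find_retransmissions(capture))
```

The same `find_retransmissions` runs unchanged over a real little-endian pcap written by tcpdump, read with `open(path, "rb").read()`.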