-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nmap doesn't respect rtt-timeout? #2312
Comments
This is intended behavior. Nmap keeps a collection of previous probes around for a while in case they need to be retransmitted (e.g. if the number of retries permitted increases due to network degradation). If a response comes in for one of those, it is accepted, regardless of RTT. The round-trip timeout value is instructional for Nmap, telling it how much time to expect a probe/response to take, and can vary based on network conditions. Timing and performance options are to be used to tune whole scans, not dictate particular behavior on a single-probe basis. You may be more interested in using Nping or another packet crafting tool if you require that level of control over the timeout values. |
Describe the bug
When running a SYN scan nmap doesn't respect the current rtt-timeout value when max-retries is non-zero. Specifically, the current "running timeout value" rtt timeout can be exceeded, and nmap will still identify an open port.
Evidence
Using the nmap command:
sudo nmap -sS -T5 -p22 -Pn <host> -d3
Using this command we scan the test host, and the host is forced to delay its response so that it responds on average in ~470ms. Using -T5, the initial rtt timeout value is 250ms, so we expect that the scanner should fail to discover the open port. See below the output of running this test command:
Note the SENT/RCVD timings, and the current rtt timeouts above. The host takes 0.76s - 0.27s = 490ms to response, which exceeds the current rtt timeout value of 250000 = 250ms. The port is marked as open, not filtered in the output.
Expected behavior
Based on the timing options documentation, I expected nmap to stop listening for the response after the timeout was exceeded. Intsead, it appears that nmap continues to listen for the first packet even after the second packet (first retry) is sent. Is this expected behaviour?
Whilst this is usually not a bad thing (identifying an open port correctly is normally what a user is aiming to achieve), it does make fine-tuning of timing options difficult, since it appears that nmap can continue to identify an open port right up until the last retry has timed out. Max-retries usually defaults to 1 retry, except if the user has specified max-retries 0 or where nmap deems more retries necessary.
A reasonable use-case for nmap is to perform port scans as quickly as possible, whilst maintaining a reasonable degree of accuracy based on expected latency. If my evaluation of the current functionality is correct, then would it not be necessary to set the timing parameters to half of the targeted rtt, or to use max-retries 0 and accept the loss of accuracy if packets are lost?
Version info (please complete the following information):
nmap --version
:nmap --iflist
The text was updated successfully, but these errors were encountered: