On Tue, Jun 21, 2011 at 8:59 AM, Shinnok <[email protected]> wrote:
> Hi Michael,
>
> I've managed to take a look at the service discrepancies issue you
> experienced. I made a similar Windows setup just as yours in VMware and
> tested ms-rdp 3389 and I can't reproduce your behavior.
>
> The strange thing in your case is that Nmap should at least print
> "ms-term-serv" instead of "microsoft-rdp" if the "Microsoft Terminal
> Service" doesn't get identified by -sV, in the SERVICE column of the
> output.
>
> I'm going to need some more info from you in order to proceed with
> further investigation:
>
> I need the exact Nmap line that you use to scan and confirmation that
> you don't change that between scans.

nmap -sS -sV -p1-65535 -d2 -oX scan-current.xml -iL c:\nmap\include.txt --excludefile c:\nmap\exclude.txt

> I will also ask you, if you can, to try and catch a scan that does print
> the wrong services or nothing at all with this nmap invocation:
>
> nmap -p3389 -PN -sV -vvvv -dddd --version-trace *your-host*
>
> And please attach the output to a reply e-mail. That output will at
> least show us if indeed it is a timeout issue or something else.
>

At 8:00 this morning the scan reported the following;

-3389/tcp open microsoft-rdp Microsoft Terminal Service
+3389/tcp open ms-term-serv
+21835/tcp open msrpc Microsoft Windows RPC
-36710/tcp open msrpc Microsoft Windows RPC

At 9:30 I performed the trace with the following results;

***WinIP***
trying to initialize WinPcap
Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
NPF service is already running.

Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-21 09:32 Central Daylight Time
Fetchfile found C:\Program Files (x86)\Nmap\nmap-services
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found C:\Program Files (x86)\Nmap\nse_main.lua
Fetchfile found C:\Program Files (x86)\Nmap\nselib/
Fetchfile found C:\Program Files (x86)\Nmap\scripts\script.db
Fetchfile found C:\Program Files (x86)\Nmap\scripts\db2-das-info.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\drda-info.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\iax2-version.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\jdwp-version.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\netbus-version.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\pptp-version.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\skypev2-version.nse
Fetchfile found C:\Program Files (x86)\Nmap\scripts\wdb-version.nse
NSE: Loaded 8 scripts for scanning.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\db2-das-info.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\drda-info.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\iax2-version.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\jdwp-version.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\netbus-version.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\pptp-version.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\skypev2-version.nse'.
NSE: Loaded 'C:\Program Files (x86)\Nmap\scripts\wdb-version.nse'.
doing 0.0.0.0 = 192.168.1.10
Fetchfile found C:\Program Files (x86)\Nmap\nmap-payloads
Initiating ARP Ping Scan at 09:32
Scanning 192.168.1.10 [1 port]
Packet capture filter (device eth6): arp and arp[18:4] = 0x001E0BB1 and arp[22:2] = 0xB3E8
SENT (1.3450s) ARP who-has 192.168.1.10 tell 192.168.1.122
**TIMING STATS** (1.3450s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
  Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
  192.168.1.10: 1/0/0/1/0/0 10.00/75/0 200000/-1/-1
  Current sending rates: 8.77 packets / s, 368.42 bytes / s.
  Overall sending rates: 8.77 packets / s, 368.42 bytes / s.
RCVD (1.3450s) ARP reply 192.168.1.10 is-at F4:CE:46:B8:81:60
Found 192.168.1.10 in incomplete hosts list.
ultrascan_host_probe_update called for machine 192.168.1.10 state UNKNOWN -> HOST_UP (trynum 0 time: 0)
Timeout vals: srtt: -1 rttvar: -1 to: 200000 delta 0 ==> srtt: 0 rttvar: 5000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 200000 delta 0 ==> srtt: 0 rttvar: 5000 to: 100000
Changing ping technique for 192.168.1.10 to ARP
Moving 192.168.1.10 to completed hosts list with 0 outstanding probes.
Changing global ping host to 192.168.1.10.
Completed ARP Ping Scan at 09:32, 0.11s elapsed (1 total hosts)
Overall sending rates: 8.77 packets / s, 368.42 bytes / s.
pcap stats: 2 packets received by filter, 0 dropped by kernel.
mass_rdns: Using DNS server 192.168.1.10
mass_rdns: Using DNS server 192.168.1.10
NSOCK (1.3470s) UDP connection requested to 192.168.1.10:53 (IOD #1) EID 8
NSOCK (1.3470s) Read request from IOD #1 [192.168.1.10:53] (timeout: -1ms) EID 18
NSOCK (1.3500s) UDP connection requested to 192.168.1.10:53 (IOD #2) EID 24
NSOCK (1.3500s) Read request from IOD #2 [192.168.1.10:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution of 1 host. at 09:32
mass_rdns: TRANSMITTING for <192.168.1.10> (server <192.168.1.10>)
NSOCK (1.3500s) Write request for 43 bytes to IOD #1 EID 43 [192.168.1.10:53]: Z............10.1.168.192.in-addr.arpa.....
NSOCK (1.3500s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.10:53]
NSOCK (1.3500s) Callback: CONNECT SUCCESS for EID 24 [192.168.1.10:53]
NSOCK (1.3500s) Callback: WRITE SUCCESS for EID 43 [192.168.1.10:53]
NSOCK (1.3510s) Callback: READ SUCCESS for EID 18 [192.168.1.10:53] (120 bytes)
NSOCK (1.3510s) Read request from IOD #1 [192.168.1.10:53] (timeout: -1ms) EID 50
CAPACITY <192.168.1.10> = 12
mass_rdns: NXDOMAIN <id = 23288>
mass_rdns: 0.01s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 09:32, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:32
192.168.1.10 pingprobe type ARP is inappropriate for this scan type; resetting.
Scanning 192.168.1.10 [1 port]
Packet capture filter (device eth6): dst host 192.168.1.122 and (icmp or ((tcp or udp or sctp) and (src host 192.168.1.10)))
SENT (1.3540s) TCP [192.168.1.122:47605 > 192.168.1.10:3389 S seq=86966497 ack=0 off=6 res=0 win=2048 csum=0x3F0F urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0x00 iplen=44 id=14257 foff=0 ttl=53 proto=6 csum=0xca46]
**TIMING STATS** (1.3540s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
  Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
  192.168.1.10: 1/0/0/1/0/0 10.00/75/0 100000/0/5000
  Current sending rates: 333.33 packets / s, 14666.67 bytes / s.
  Overall sending rates: 333.33 packets / s, 14666.67 bytes / s.
RCVD (1.3550s) TCP [192.168.1.10:3389 > 192.168.1.122:47605 SA seq=74024069 ack=86966498 off=6 res=0 win=8192 csum=0x9E0F urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0x00 iplen=44 id=6342 flg=D foff=0 ttl=128 proto=6 csum=0x5e31]
Found 192.168.1.10 in incomplete hosts list.
Discovered open port 3389/tcp on 192.168.1.10
Timeout vals: srtt: 0 rttvar: 5000 to: 100000 delta 1000 ==> srtt: 125 rttvar: 4000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1000 ==> srtt: 1000 rttvar: 5000 to: 100000
Changing ping technique for 192.168.1.10 to tcp to port 3389; flags: S
Moving 192.168.1.10 to completed hosts list with 0 outstanding probes.
Changing global ping host to 192.168.1.10.
Completed SYN Stealth Scan at 09:32, 0.00s elapsed (1 total ports)
Overall sending rates: 250.00 packets / s, 11000.00 bytes / s.
pcap stats: 2 packets received by filter, 0 dropped by kernel.
Fetchfile found C:\Program Files (x86)\Nmap\nmap-service-probes
Initiating Service scan at 09:32
Scanning 1 service on 192.168.1.10
Starting probes against new service: 192.168.1.10:3389 (tcp)
NSOCK (1.4300s) TCP connection requested to 192.168.1.10:3389 (IOD #1) EID 8
NSOCK (1.4310s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.10:3389]
Service scan sending probe NULL to 192.168.1.10:3389 (tcp)
NSOCK (1.4310s) Read request from IOD #1 [192.168.1.10:3389] (timeout: 6000ms) EID 18
NSOCK (7.4310s) Callback: READ TIMEOUT for EID 18 [192.168.1.10:3389]
Service scan sending probe TerminalServer to 192.168.1.10:3389 (tcp)
NSOCK (7.4310s) Write request for 11 bytes to IOD #1 EID 27 [192.168.1.10:3389]: ...........
NSOCK (7.4310s) Read request from IOD #1 [192.168.1.10:3389] (timeout: 5000ms) EID 34
NSOCK (7.4310s) Callback: WRITE SUCCESS for EID 27 [192.168.1.10:3389]
NSOCK (7.4310s) Callback: READ SUCCESS for EID 34 [(null):65535] (11 bytes): .........4.
Service scan match (Probe TerminalServer matched with TerminalServer): 192.168.1.10:3389 is microsoft-rdp.  Version: |Microsoft Terminal Service|||
Completed Service scan at 09:32, 6.00s elapsed (1 service on 1 host)
Starting RPC scan against 192.168.1.10
Fetchfile found C:\Program Files (x86)\Nmap\nmap-rpc
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 192.168.1.10
Fetchfile found C:\Program Files (x86)\Nmap\nmap-mac-prefixes
Host is up, received arp-response (0.00013s latency).
Scanned at 2011-06-21 09:32:29 Central Daylight Time for 6s
PORT     STATE SERVICE       REASON  VERSION
3389/tcp open  microsoft-rdp syn-ack Microsoft Terminal Service
MAC Address: F4:CE:46:B8:81:60 (Hewlett Packard)
Service Info: OS: Windows
Final times for host: srtt: 125 rttvar: 4000 to: 100000
Read from C:\Program Files (x86)\Nmap: nmap-mac-prefixes nmap-payloads nmap-rpc nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.46 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

> If you happen to stumble across a reproducible case in the process,
> please send details of that too.
>
>
> Thanks a bunch,
> Shinnok
>
> On 06/06/2011 08:27 PM, Michael Lubinski wrote:
> > Responded in-line below. This will also happen with the following pairings
> > below. Maybe the service probe timeout is on par?
> >
> > -88/tcp open kerberos-sec Microsoft Windows kerberos-sec
> > +88/tcp open tcpwrapped
> >
> > -464/tcp open kpasswd5
> > +464/tcp open tcpwrapped
> >
> > -11099/tcp open apc-agent APC PowerChute agent
> > +11099/tcp open unknown
> >
> > -11100/tcp open apc-agent APC PowerChute agent
> > +11100/tcp open unknown
> >
> > -464/tcp open
> > +464/tcp open tcpwrapped
> >
> > On Mon, Jun 6, 2011 at 7:41 AM, Shinnok <[email protected]> wrote:
> >
> >> On Mon, Jun 6, 2011 at 3:27 PM, Shinnok <[email protected]> wrote:
> >>> Hi,
> >>>
> >>> Don't service probes have a certain timeout for the probe response? If
> >>> so then big service latency could cause that exact mismatch also.
> >>>
> >>> Brief grepping revealed the following in service_scan.h:
> >>> #define DEFAULT_SERVICEWAITMS 5000
> >>> Which should be enough imho, if that's the right timeout value. Does
> >>> that value get dynamically adjusted along the scan?
> >>>
> >>> Another reason could be that some services have resuming state
> >>> capabilities or don't recover that well upon sudden termination of a
> >>> connection, which means that the subsequent timely scans would get
> >>> unexpected results for the service probes.
> >>>
> >>
> >> As you probably noticed, my comment assumes that there is nothing
> >> wrong with the service code, however, given a reproducible case that I
> >> can poke at, I am glad to take a look at the issue.
> >> For eg, for the microsoft-rdp case I would need Windows Version,
> >>
> >
> > Server 2008 R2 Enterprise
> >
> >
> >> Service Pack version, MSRDP client version,
> >>
> >
> > RDP Ver 6.1.7600
> >
> >
> >> Nmap version and on which
> >> subsequent scan does Nmap stop reporting the Service for the port (the
> >> last requirement must be somewhat reproducible).
> >>
> >
> > Nmap 5.5.1
> >
> >>
> >> Thanks,
> >>
> >> --
> >>
> >> Shinnok <http://shinnok.com>
> >>
> >
> >
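The scan-to-scan +/- lines in this thread are what you get from eyeballing two Nmap text reports, which hides the one fact that settles the question Shinnok raised: whether -sV actually matched a probe, or whether Nmap fell back to the nmap-services table name because the probe timed out. The script below is an added example, not code from the thread, from Michael, or from the Nmap project. It compares two -oX files port by port and reads the `method` attribute that Nmap writes on each `<service>` element ("probed" when a version probe matched, "table" when only the nmap-services lookup was used), so a probed-to-table flip on an open port is reported as a suspected probe timeout rather than as a service change. The two XML documents are constructed samples shaped like the 8:00 diff above; the tuple layout, the "probe-fallback" label and the function names are this example's own.

```python
"""Diff two Nmap -oX reports and flag ports where -sV lost its probe match.

Added example (not the thread's or Nmap's own code). Assumes the standard
Nmap XML layout: nmaprun/host/address, host/ports/port/state, port/service
with the attributes name, product and method ("probed" or "table").
"""
import xml.etree.ElementTree as ET

# Constructed sample: the earlier scan, where the TerminalServer probe matched.
SCAN_PREVIOUS = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan-previous.xml 192.168.1.10">
<host><address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="microsoft-rdp" product="Microsoft Terminal Service" method="probed" conf="10"/></port>
<port protocol="tcp" portid="36710"><state state="open" reason="syn-ack"/>
<service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>
</ports></host></nmaprun>"""

# Constructed sample: the later scan, where 3389 only got the nmap-services name.
SCAN_CURRENT = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan-current.xml 192.168.1.10">
<host><address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="ms-term-serv" method="table" conf="3"/></port>
<port protocol="tcp" portid="21835"><state state="open" reason="syn-ack"/>
<service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>
</ports></host></nmaprun>"""


def parse_ports(xml_text):
    """Map (addr, proto, port) -> {state, name, product, method} for every port."""
    table = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state_el, svc = port.find("state"), port.find("service")
            key = (addr_el.get("addr"), port.get("protocol"), int(port.get("portid")))
            table[key] = {
                "state": state_el.get("state", "") if state_el is not None else "",
                "name": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "method": svc.get("method", "") if svc is not None else "",
            }
    return table


def describe(entry):
    """Render an entry the way the Nmap text report does: state, service, product."""
    return " ".join(v for v in (entry["state"], entry["name"], entry["product"]) if v)


def diff_scans(prev_xml, cur_xml):
    """Return (key, kind, before, after) tuples, one per changed port.

    kind is "new-port", "gone-port", "service-changed", or "probe-fallback"
    (the port is still open but -sV went from a probe match to a table name,
    which points at a probe timeout rather than a changed service).
    """
    prev, cur = parse_ports(prev_xml), parse_ports(cur_xml)
    findings = []
    for key in sorted(set(prev) | set(cur)):
        before, after = prev.get(key), cur.get(key)
        if before is None:
            findings.append((key, "new-port", "", describe(after)))
        elif after is None:
            findings.append((key, "gone-port", describe(before), ""))
        elif (before["name"], before["product"]) != (after["name"], after["product"]):
            kind = "service-changed"
            if before["method"] == "probed" and after["method"] != "probed":
                kind = "probe-fallback"
            findings.append((key, kind, describe(before), describe(after)))
    return findings


def format_findings(findings):
    """Print the findings in the +/- style used in the thread, plus a note per fallback."""
    lines = []
    for (addr, proto, port), kind, before, after in findings:
        if before:
            lines.append(f"-{port}/{proto} {before}")
        if after:
            lines.append(f"+{port}/{proto} {after}")
        if kind == "probe-fallback":
            lines.append(f"   note: {addr}:{port} matched a version probe last time but not now;"
                         " suspect a probe timeout, re-run with --version-trace")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(diff_scans(SCAN_PREVIOUS, SCAN_CURRENT)))
```

On real data, read the two files instead of the embedded strings and pass their contents to diff_scans. Because the comparison keys on address, protocol and port rather than on line position, a port that simply moves (like the dynamic RPC port that went from 36710 to 21835 above) shows up as one gone-port and one new-port entry instead of polluting the RDP finding.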
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
