Describe the bug and expected behavior
When I run nmap with the -sT flag, it hangs. It may only occur with the -p- option. Looking in Wireshark, I see it making connections to the same port over and over again. The port seems to change on each run, but it is always an open port. I've tried on multiple hosts, both Windows and Linux targets.
To Reproduce
Steps to reproduce the behavior:
- open cmder
- open Wireshark and start capture on appropriate interface
- run: nmap -sT -p- --min-rate 10000 [ip with a couple ports open]
- look at Statistics -> Conversations in Wireshark and see one port getting connected to over and over.
Example
Without -sT, it finishes all ports in 32 seconds. With it, it's 2.5 minutes in, with 2.5 hours remaining.
Z:\+
λ nmap -p- --min-rate 10000 10.10.10.131
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 22:11 GMT Daylight Time
Warning: 10.10.10.131 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.131
Host is up (0.064s latency).
Not shown: 64681 closed ports, 850 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 32.12 seconds
Z:\+
λ nmap -sT -p- --min-rate 10000 10.10.10.131
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 22:12 GMT Daylight Time
Stats: 0:02:24 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 1.58% done; ETC: 00:43 (2:28:54 remaining)
If I look in Wireshark, I have about 100 conversations with port 21 already (Linux target).
Second target, Windows host:
Z:\+
λ nmap -p- --min-rate 10000 10.10.10.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 22:18 GMT Daylight Time
Nmap scan report for 10.10.10.132
Host is up (0.041s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
5985/tcp open wsman
8080/tcp open http-proxy
49667/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 14.00 seconds
Z:\+
λ nmap -sT -p- --min-rate 10000 10.10.10.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 22:18 GMT Daylight Time
Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 1.73% done; ETC: 23:06 (0:46:27 remaining)
Wireshark shows this one gets stuck on 8080 (ManageEngine ServiceDesk Plus).
Third example, EdgeRouter X in local network:
Z:\+
λ nmap -p- --min-rate 10000 10.1.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 22:20 GMT Daylight Time
Nmap scan report for 10.1.1.1
Host is up (0.00s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
10001/tcp open scp-config
MAC Address: 80:2A:A8:DE:99:EF (Ubiquiti Networks)
Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds
Z:\+
λ nmap -sT -p- --min-rate 10000 10.1.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 22:20 GMT Daylight Time
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 1.39% done; ETC: 23:07 (0:46:13 remaining)
Repeated scans to 443, https.
Version
Additional context
First two hosts are over VPN to Hackthebox.eu targets. Third example is in local network.
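
The Wireshark Statistics -> Conversations check from the reproduction steps can also be run against a saved capture. The following Python is an added example, not part of the original report or of Nmap; it assumes a classic little-endian pcap with Ethernet/IPv4 framing, and the function names, the source address 10.10.14.2 and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

def parse_syns(pcap: bytes):
    """Yield (src_port, dst_port) for each bare TCP SYN in a classic pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Keep only Ethernet frames carrying IPv4 (0x0800) with protocol 6 (TCP)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        if tcp[13] & 0x12 == 0x02:        # SYN set, ACK clear
            yield sport, dport

def repeated_ports(pcap: bytes, threshold: int = 3):
    """Destination ports opened from more than `threshold` distinct source ports."""
    convs = Counter()
    for _sport, dport in set(parse_syns(pcap)):  # set() drops SYN retransmissions
        convs[dport] += 1
    return {p: n for p, n in convs.items() if n > threshold}

def _syn(sport, dport):
    """Constructed sample record: Ethernet + IPv4 + TCP SYN, checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 10, 14, 2]), bytes([10, 10, 10, 131]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
    frame = eth + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def sample_capture():
    """Constructed capture: 100 connects to port 21 plus single probes elsewhere."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [_syn(50000 + i, 21) for i in range(100)]
    pkts += [_syn(51000 + p, p) for p in (22, 80, 443, 8080)]
    return hdr + b"".join(pkts)

if __name__ == "__main__":
    print(repeated_ports(sample_capture()))
```

For a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `repeated_ports`; a healthy connect scan should return an empty dict.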