Nmap loops with "Unable to find listening socket in get_rpc_results" error [2]

by Lionel Cons

Hello,

I still suffer from the problem described two weeks ago on this list
(see http://seclists.org/nmap-dev/2009/q4/24).

Looking more closely at the code (get_rpc_results() from nmap_rpc.cc),
I noticed a strange asymmetry:

 if (udp_rpc_socket >= 0 && rsi->rpc_current_port->proto == IPPROTO_UDP) {
   FD_SET(udp_rpc_socket, &fds_r);
   max_sd = udp_rpc_socket;          /* assigned unconditionally here */
 }
 else if (tcp_rpc_socket >= 0 && rsi->rpc_current_port->proto == IPPROTO_TCP) {
   FD_SET(tcp_rpc_socket, &fds_r);
   if (tcp_rpc_socket > max_sd)      /* but guarded here */
     max_sd = tcp_rpc_socket;
 } else {
   error("Unable to find listening socket in %s", __func__);
   return;
 }

Why not having "if (udp_rpc_socket > max_sd) max_sd = udp_rpc_socket;"?

Anyway, this does not seem to be linked to my problem...

When Nmap loops, get_rpc_results() is called with:
 - udp_rpc_socket = -1
 - tcp_rpc_socket = 4
 - rsi->rpc_current_port->proto = IPPROTO_UDP

Any idea on what could cause this mismatch?

Cheers,

Lionel
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Re: Nmap loops with "Unable to find listening socket in get_rpc_results" error [2]

by Fyodor

On Mon, Oct 19, 2009 at 04:37:39PM +0200, Lionel Cons wrote:
> Hello,
>
> I still suffer from the problem described two weeks ago on this list
> (see http://seclists.org/nmap-dev/2009/q4/24).

Hi Lionel.  Thanks for the report.  I have a few questions:

o Does this happen pretty much every time you scan the target machine,
  or is it intermittent?

o The command you noted is:

  nmap -O -sS -sU -sR -sV --version-intensity 8 --host-timeout 2h -p
  T:1-65535,U:53,69,111,123,137-139,161,177,445,623,1434,1900,7000-7009
  <victim-ip>

Can you try to reduce that step by step until you can find the minimal
command which still reproduces the problem?  Reduction steps include:
 o Remove -sU
 o Do a plain port scan and see what ports are open.  Try with just
   those ports, then reduce one by one and maybe you can find just one
   port which is causing this.
 o Remove extra parameters like -O and --version-intensity and -sR one
   until you find the smallest set needed to reproduce the problem.
 o Once you have your minimum command, please try with -d5 and send me
  the output.
 o Only one system does this to you?  Is it on the Internet where I
   can scan it, or an internal system?  What do you get from "rpcinfo -p
   <target>" and "nmap -p- -A -T4 <target>"?

Thanks,
Fyodor

Re: Nmap loops with "Unable to find listening socket in get_rpc_results" error [2]

by Lionel Cons

Fyodor writes:
 > o Does this happen pretty much every time you scan the target machine,
 >   or is it intermittent.

I found at least one machine where I can always reproduce the problem.

 > Can you try to reduce that step by step until you can find the minimal
 > command which still reproduces the problem?

Done. Here is the minimal set:

# nmap -sS -sU -sR -p T:55491,U:111 <victim>

 >  o Only one system does this to you?  Is it on the Internet where I
 >    can scan it, or an internal system?  What do you get from "rpcinfo -p
 >    <target>" and "nmap -p- -A -T4 <target>"?

This system is not reachable from the Internet. Here are the requested
outputs.

Cheers,

Lionel


   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100133    1   udp  32772
    100133    1   tcp  32771
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100005    1   udp  32778  mountd
    100005    2   udp  32778  mountd
    100005    3   udp  32778  mountd
    100005    1   tcp  32776  mountd
    100005    2   tcp  32776  mountd
    100005    3   tcp  32776  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100026    1   udp  32779  bootparam
    100026    1   tcp  32777  bootparam
1289637086    5   tcp  55491
1289637086    1   tcp  55491


Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-10 09:44 CET
Nmap scan report for victim (1.2.3.4)
Host is up (0.00056s latency).
Not shown: 65507 closed ports
PORT      STATE    SERVICE          VERSION
111/tcp   open     rpcbind
|  rpcinfo:  
|  100000      2,3,4      111/udp  rpcbind      
|  100003      2,3       2049/udp  nfs          
|  100227      2,3       2049/udp  nfs_acl      
|  100021      1,2,3,4   4045/udp  nlockmgr    
|  100024      1        32772/udp  status      
|  100133      1        32772/udp  nsm_addrand  
|  100005      1,2,3    32778/udp  mountd      
|  100026      1        32779/udp  bootparam    
|  100000      2,3,4      111/tcp  rpcbind      
|  100003      2,3       2049/tcp  nfs          
|  100227      2,3       2049/tcp  nfs_acl      
|  100021      1,2,3,4   4045/tcp  nlockmgr    
|  100024      1        32771/tcp  status      
|  100133      1        32771/tcp  nsm_addrand  
|  100005      1,2,3    32776/tcp  mountd      
|  100026      1        32777/tcp  bootparam    
|_ 1289637086  1,5      55491/tcp  dtcm        
512/tcp   open     exec
513/tcp   open     login
514/tcp   open     tcpwrapped
515/tcp   open     printer          Solaris lpd
601/tcp   open     unknown
2049/tcp  open     rpcbind
3363/tcp  open     tcpwrapped
4045/tcp  open     rpcbind
5252/tcp  filtered unknown
6000/tcp  open     X11              XSun Solaris X11 server
7100/tcp  open     font-service     Sun Solaris fs.auto
8181/tcp  filtered unknown
32771/tcp open     rpcbind
32774/tcp open     sometimes-rpc11?
32776/tcp open     rpcbind
32777/tcp open     rpcbind
55491/tcp open     rpcbind
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8 (SPARC)
Network Distance: 6 hops
Service Info: OSs: Solaris, Unix

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 488.11 seconds

# nmap -d5 -sS -sU -sR -p T:55491,U:111 1.2.3.4

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-10 16:50 CET
Fetchfile found /usr/share/nmap/nmap-services
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
doing 0.0.0.0 = 1.2.3.4
Initiating Ping Scan at 16:50
Scanning 1.2.3.4 [4 ports]
Pcap filter: dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
Packet capture filter (device eth0): dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
SENT (0.0470s) ICMP 1.2.3.1 > 1.2.3.4 echo request (type=8/code=0) ttl=45 id=63008 iplen=28
SENT (0.0470s) TCP 1.2.3.1:56346 > 1.2.3.4:443 S ttl=48 id=20758 iplen=44  seq=331117183 win=1024 <mss 1460>
SENT (0.0470s) TCP 1.2.3.1:56346 > 1.2.3.4:80 A ttl=40 id=13463 iplen=40  seq=0 win=1024 ack=331117183
SENT (0.0470s) ICMP 1.2.3.1 > 1.2.3.4 Timestamp request (type=13/code=0) ttl=50 id=40714 iplen=40
**TIMING STATS** (0.0470s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 4/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   1.2.3.4: 4/0/0/4/0/0 10.00/75/0 1000000/-1/-1
Current sending rates: 1093.49 packets / s, 41552.76 bytes / s.
Overall sending rates: 1093.49 packets / s, 41552.76 bytes / s.
RCVD (0.0480s) ICMP 1.2.3.4 > 1.2.3.1 echo reply (type=0/code=0) ttl=250 id=53510 iplen=28
Found 1.2.3.4 in incomplete hosts list.
We got a ping packet back from 1.2.3.4: id = 14049 seq = 0 checksum = 51486
ultrascan_host_probe_update called for machine 1.2.3.4 state UNKNOWN -> HOST_UP (trynum 0 time: 1169)
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1106 ==> srtt: 1106 rttvar: 5000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1106 ==> srtt: 1106 rttvar: 5000 to: 100000
Changing ping technique for 1.2.3.4 to icmp type 8 code 0
Moving 1.2.3.4 to completed hosts list with 0 outstanding probes.
Changing global ping host to 1.2.3.4.
Completed Ping Scan at 16:50, 0.00s elapsed (1 total hosts)
Overall sending rates: 839.63 packets / s, 31905.96 bytes / s.
pcap stats: 3 packets received by filter, 0 dropped by kernel.
mass_rdns: Using DNS server 1.2.5.1
mass_rdns: Using DNS server 1.2.5.2
NSOCK (0.0520s) UDP connection requested to 1.2.5.2:53 (IOD #1) EID 8
NSOCK (0.0520s) Read request from IOD #1 [1.2.5.2:53] (timeout: -1ms) EID 18
NSOCK (0.0520s) UDP connection requested to 1.2.5.1:53 (IOD #2) EID 24
NSOCK (0.0520s) Read request from IOD #2 [1.2.5.1:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution of 1 host. at 16:50
mass_rdns: TRANSMITTING for <1.2.3.4> (server <1.2.5.2>)
NSOCK (0.0520s) Write request for 46 bytes to IOD #1 EID 43 [1.2.5.2:53]: .............108.237.138.137.in-addr.arpa.....
NSOCK (0.0520s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.0520s) Callback: CONNECT SUCCESS for EID 8 [1.2.5.2:53]
NSOCK (0.0520s) Callback: CONNECT SUCCESS for EID 24 [1.2.5.1:53]
NSOCK (0.0520s) Callback: WRITE SUCCESS for EID 43 [1.2.5.2:53]
NSOCK (0.0520s) Callback: READ SUCCESS for EID 18 [1.2.5.2:53] (154 bytes)
NSOCK (0.0520s) Read request from IOD #1 [1.2.5.2:53] (timeout: -1ms) EID 50
CAPACITY <1.2.5.2> = 12
mass_rdns: OK MATCHED <1.2.3.4> to <victim>
mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 16:50, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:50
1.2.3.4 pingprobe type ICMP is inappropriate for this scan type; resetting.
Scanning victim (1.2.3.4) [1 port]
Pcap filter: dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
Packet capture filter (device eth0): dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
SENT (0.0580s) TCP 1.2.3.1:56346 > 1.2.3.4:55491 S ttl=56 id=902 iplen=44  seq=737339205 win=1024 <mss 1460>
**TIMING STATS** (0.0580s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   1.2.3.4: 1/0/0/1/0/0 10.00/75/0 100000/1106/5000
Current sending rates: 192.38 packets / s, 8464.79 bytes / s.
Overall sending rates: 192.38 packets / s, 8464.79 bytes / s.
RCVD (0.0580s) TCP 1.2.3.4:55491 > 1.2.3.1:56346 SA ttl=59 id=53514 iplen=44  seq=3281484125 win=24820 ack=737339206 <mss 1460>
Found 1.2.3.4 in incomplete hosts list.
Discovered open port 55491/tcp on 1.2.3.4
Timeout vals: srtt: 1106 rttvar: 5000 to: 100000 delta -583 ==> srtt: 1033 rttvar: 3895 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 523 ==> srtt: 523 rttvar: 5000 to: 100000
Changing ping technique for 1.2.3.4 to tcp to port 55491; flags: S
Moving 1.2.3.4 to completed hosts list with 0 outstanding probes.
Changing global ping host to 1.2.3.4.
Completed SYN Stealth Scan at 16:50, 0.01s elapsed (1 total ports)
Overall sending rates: 179.34 packets / s, 7890.96 bytes / s.
pcap stats: 1 packets received by filter, 0 dropped by kernel.
Initiating UDP Scan at 16:50
Scanning victim (1.2.3.4) [1 port]
Pcap filter: dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
Packet capture filter (device eth0): dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
SENT (0.0640s) UDP 1.2.3.1:56346 > 1.2.3.4:111 ttl=42 id=24934 iplen=68
**TIMING STATS** (0.0640s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   1.2.3.4: 1/0/0/1/0/0 10.00/75/0 100000/1033/3895
Current sending rates: 308.74 packets / s, 20994.13 bytes / s.
Overall sending rates: 308.74 packets / s, 20994.13 bytes / s.
RCVD (0.0650s) UDP 1.2.3.4:111 > 1.2.3.1:56346 ttl=250 id=53515 iplen=60
Found 1.2.3.4 in incomplete hosts list.
Discovered open port 111/udp on 1.2.3.4
Timeout vals: srtt: 1033 rttvar: 3895 to: 100000 delta 64 ==> srtt: 1041 rttvar: 2937 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1097 ==> srtt: 1097 rttvar: 5000 to: 100000
Moving 1.2.3.4 to completed hosts list with 0 outstanding probes.
Changing global ping host to 1.2.3.4.
Completed UDP Scan at 16:50, 0.00s elapsed (1 total ports)
Overall sending rates: 228.99 packets / s, 15571.33 bytes / s.
pcap stats: 1 packets received by filter, 0 dropped by kernel.
Starting RPC scan against victim (1.2.3.4)
Fetchfile found /usr/share/nmap/nmap-rpc
Initiating RPCGrind Scan against victim (1.2 at 16:50
Sending initial query to port/prog 100000
Sending RPC probe for program 100000 to 55491/tcp -- scan_offset=0 trynum=0 xid=2606FDA1
Sending initial query to port/prog 100001
Sending RPC probe for program 100001 to 55491/tcp -- scan_offset=1 trynum=0 xid=2606FDA2
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Timeout, resending to portno/progno 100001
Sending RPC probe for program 100001 to 55491/tcp -- scan_offset=1 trynum=1 xid=6606FDA2
Timeout, resending to portno/progno 100000
Sending RPC probe for program 100000 to 55491/tcp -- scan_offset=0 trynum=1 xid=6606FDA1
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Timeout, resending to portno/progno 100000
Sending RPC probe for program 100000 to 55491/tcp -- scan_offset=0 trynum=2 xid=FFFFFFFFA606FDA1
Timeout, resending to portno/progno 100001
Sending RPC probe for program 100001 to 55491/tcp -- scan_offset=1 trynum=2 xid=FFFFFFFFA606FDA2
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
RPC Scan giving up on port 55491 proto 6 due to repeated lack of response
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Finished round. Current stats: numqueries_ideal: 2; min_width: 1; max_width: 150; packet_incr: 4; senddelay: 0us; fallback: 70%
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Unable to find listening socket in get_rpc_results
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Unable to find listening socket in get_rpc_results
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Unable to find listening socket in get_rpc_results
^C


Re: Nmap loops with "Unable to find listening socket in get_rpc_results" error [2]

by Fyodor

On Tue, Nov 10, 2009 at 05:06:19PM +0100, Lionel Cons wrote:
>
> Done. Here is the minimal set:
>
> # nmap -sS -sU -sR -p T:55491,U:111 <victim>

Thanks Lionel.  I've added this issue to the Nmap TODO.

Cheers,
-F

Re: Nmap loops with "Unable to find listening socket in get_rpc_results" error [2]

by David Fifield

On Tue, Nov 10, 2009 at 05:06:19PM +0100, Lionel Cons wrote:

> Fyodor writes:
>  > o Does this happen pretty much every time you scan the target machine,
>  >   or is it intermittent.
>
> I found at least one machine where I can always reproduce the problem.
>
>  > Can you try to reduce that step by step until you can find the minimal
>  > command which still reproduces the problem?
>
> Done. Here is the minimal set:
>
> # nmap -sS -sU -sR -p T:55491,U:111 <victim>
>
>  >  o Only one system does this to you?  Is it on the Internet where I
>  >    can scan it, or an internal system?  What do you get from "rpcinfo -p
>  >    <target>" and "nmap -p- -A -T4 <target>"?
>
> This system is not reachable from the Internet. Here are the requested
> outputs.

I can reproduce this using these commands:

ncat -l 55491 -k --send-only
ncat --udp -l 111 --sh-exec "/bin/cat > /dev/null"
nmap -sSUR -p T:55491,U:111 localhost

David Fifield

Re: Nmap loops with "Unable to find listening socket in get_rpc_results" error [2]

by David Fifield

On Wed, Nov 11, 2009 at 08:54:04AM -0700, David Fifield wrote:

> On Tue, Nov 10, 2009 at 05:06:19PM +0100, Lionel Cons wrote:
> > Fyodor writes:
> >  > o Does this happen pretty much every time you scan the target machine,
> >  >   or is it intermittent.
> >
> > I found at least one machine where I can always reproduce the problem.
> >
> >  > Can you try to reduce that step by step until you can find the minimal
> >  > command which still reproduces the problem?
> >
> > Done. Here is the minimal set:
> >
> > # nmap -sS -sU -sR -p T:55491,U:111 <victim>
> >
> >  >  o Only one system does this to you?  Is it on the Internet where I
> >  >    can scan it, or an internal system?  What do you get from "rpcinfo -p
> >  >    <target>" and "nmap -p- -A -T4 <target>"?
> >
> > This system is not reachable from the Internet. Here are the requested
> > outputs.
>
> I can reproduce this using these commands:
>
> ncat -l 55491 -k --send-only
> ncat --udp -l 111 --sh-exec "/bin/cat > /dev/null"
> nmap -sSUR -p T:55491,U:111 localhost

This is fixed in r16058. The bug was that the count of outstanding
queries wasn't being reset to 0 when Nmap gave up on the TCP port
because of a lack of replies. This prohibited further probes from being
sent. The bug didn't require the use of both TCP and UDP, only that the
first port probed not send back any replies. For example this would do
it too:

ncat -l 55491 -k --send-only
ncat -l 55492 -k --send-only
nmap -sSUR -p T:55491,55492 localhost

David Fifield
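The scheduling bug David describes can be modelled in a few lines: once the grinder gives up on an unanswering port without resetting its outstanding-query count, the send window stays full, no probe is ever sent to the next port, and (because the per-protocol socket is only opened when a probe is sent) a following UDP port is left with no listening socket, which is exactly the udp_rpc_socket = -1 / tcp_rpc_socket = 4 / proto = IPPROTO_UDP state Lionel observed. This is an added illustration, not Nmap's code; the lazy socket opening, the retry bookkeeping, the descriptor numbers and the 100-step limit are assumptions of the model.

```c
#include <stdbool.h>

/* Constructed model of the RPC grinder loop in Nmap 5.05BETA1 (an added
 * illustration, not Nmap's own code). Assumptions: the send step opens the
 * per-protocol socket lazily, 'outstanding' gates new sends, an unanswered
 * probe is retransmitted up to MAX_TRIES times, and only probes actually in
 * flight for the current port can time out. */
#define IDEAL_QUERIES 2   /* "Ideal number of queries: 2" in the -d5 output */
#define MAX_TRIES     3   /* trynum=0,1,2 in the -d5 output */
#define PROTO_TCP     6
#define PROTO_UDP     17

struct port { int proto; bool replies; };
struct grinder {
    int tcp_sock, udp_sock;        /* -1 = not opened yet (fd numbers are made up) */
    int outstanding, inflight_cur; /* queries counted in flight / really sent to cur port */
    int rounds, cur;               /* timeout rounds on cur port / index of cur port */
    bool fixed;                    /* true = reset outstanding on give-up, as r16058 does */
};
enum step { STEP_PROGRESS, STEP_DONE, STEP_STALLED, STEP_NO_SOCKET };

static enum step rpc_step(struct grinder *g, const struct port *ports, int n) {
    if (g->cur >= n) return STEP_DONE;
    const struct port *p = &ports[g->cur];
    while (g->outstanding < IDEAL_QUERIES) {          /* send_rpc_query() */
        if (p->proto == PROTO_TCP && g->tcp_sock < 0) g->tcp_sock = 4;
        if (p->proto == PROTO_UDP && g->udp_sock < 0) g->udp_sock = 5;
        g->outstanding++;
        g->inflight_cur++;
    }
    /* get_rpc_results(): needs the socket matching the current port's proto */
    bool have_sock = (p->proto == PROTO_UDP) ? g->udp_sock >= 0 : g->tcp_sock >= 0;
    if (!have_sock) return STEP_NO_SOCKET;   /* "Unable to find listening socket" */
    if (g->inflight_cur == 0) return STEP_STALLED;   /* nothing in flight to wait for */
    if (p->replies || ++g->rounds > MAX_TRIES) {     /* answered, or giving up */
        if (p->replies || g->fixed) g->outstanding = 0;  /* the reset the bug skipped */
        g->inflight_cur = 0; g->rounds = 0; g->cur++;
    }
    return STEP_PROGRESS;
}

/* Runs the grinder for up to 100 steps. Returns the step count on completion,
 * or -1 if the scan never finishes; *last and *status receive the final state. */
int run_scan(bool fixed, const struct port *ports, int n,
             struct grinder *last, enum step *status) {
    struct grinder g = { -1, -1, 0, 0, 0, 0, fixed };
    for (int i = 1; i <= 100; i++) {
        enum step s = rpc_step(&g, ports, n);
        if (last) *last = g;
        if (status) *status = s;
        if (s == STEP_DONE) return i;
    }
    return -1;
}

/* Lionel's minimal case: an unanswering TCP port, then a live UDP portmapper. */
const struct port LIONEL_CASE[2] = { { PROTO_TCP, false }, { PROTO_UDP, true } };
/* David's TCP-only variant: two ports that never answer. */
const struct port DAVID_CASE[2] = { { PROTO_TCP, false }, { PROTO_TCP, false } };
```

With the reset in place both cases finish; without it the mixed case spins on STEP_NO_SOCKET and the TCP-only case stalls with nothing in flight, which is why the -d5 output above repeats "outstanding: 2" forever.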