
Nmap os scan hangs #2104

@ameidatou

Description

Bug
When triggering an nmap OS scan for a specific host, nmap hangs with CPU usage at 100%. This doesn't happen systematically, but quite often.

To Reproduce
sudo nmap -O -p 1027,1028,5000,443,8081,80,8080,1026,1025 --open -Pn -ddd -vv 85.2.144.13
If it doesn't happen the first time, please repeat 3 to 5 times and you should encounter the issue.

  • Log:
    The log hangs at this point:
Host 85.2.144.13. ProbesToSend 8:       ProbesActive 6
SENT (3.2078s) TCP [192.168.1.6:38140 > 85.2.144.13:443 SFPU seq=2929557940 ack=217905394 off=10 res=0 win=256 csum=0xCED1 urp=0 <wscale 10,nop,mss 265,timestamp 4294967295 0,sackOK>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=14722 foff=0 ttl=47 proto=6 csum=0xab7c]
Send probe (type: OFP_T1_7, subid: 2) to 85.2.144.13
pcap wait time is 24807.
Rejecting TCP packet because of bad TCP header
Host 85.2.144.13. ProbesToSend 7:       ProbesActive 7
pcap wait time is 23720.
Host 85.2.144.13. ProbesToSend 8:       ProbesActive 6
SENT (3.2331s) TCP [192.168.1.6:38141 > 85.2.144.13:443 A seq=2929557940 ack=217905394 off=10 res=0 win=1024 csum=0xCBEB urp=0 <wscale 10,nop,mss 265,timestamp 4294967295 0,sackOK>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=49426 flg=D foff=0 ttl=45 proto=6 csum=0xe5eb]
Send probe (type: OFP_T1_7, subid: 3) to 85.2.144.13
pcap wait time is 24787.
  • gdb bt:
(gdb) bt
#0  0x000055b6c370f232 in readip_pcap(pcap*, unsigned int*, long, timeval*, link_header*, bool) ()
#1  0x000055b6c370f33d in readipv4_pcap(pcap*, unsigned int*, long, timeval*, link_header*, bool) ()
#2  0x000055b6c36d1bd7 in OSScan::os_scan_ipv4(std::vector<Target*, std::allocator<Target*> >&) ()
#3  0x000055b6c36d2a26 in OSScan::os_scan(std::vector<Target*, std::allocator<Target*> >&) ()
#4  0x000055b6c36c47c0 in nmap_main(int, char**) ()
#5  0x000055b6c3695cc6 in main ()
  • Top:
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
19718 root      20   0   67876  22928   1316 R 100.0  0.1  45:47.65 nmap
  • ps:
$ ps -ef |grep nmap
root     19717 20920  0 10:24 pts/11   00:00:00 sudo nmap -O -p 1027,1028,5000,443,8081,80,8080,1026,1025 --open -Pn -ddd -vv 85.2.144.13
root     19718 19717 99 10:24 pts/11   00:46:35 nmap -O -p 1027,1028,5000,443,8081,80,8080,1026,1025 --open -Pn -ddd -vv 85.2.144.13

Expected behavior
Nmap OS scan finishes in less than 30s.

Version info (please complete the following information):

  • OS: Linux 5.4.0-42-generic #46~18.04.1-Ubuntu x86_64 x86_64 x86_64 GNU/Linux
  • Output of nmap --version:
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.5 openssl-1.0.2n nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.9.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
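An added example, not code from this report or from the nmap project: a small parser for the -ddd OS-scan output pasted above. It tracks the ProbesToSend/ProbesActive counters, the rising probe subid (the same probe being re-sent) and the rejected replies, and flags the pattern visible in this log, where the number of outstanding probes never drops. The line formats it matches are taken from the pasted output and are assumed to hold for other hosts; the sample log is constructed from those lines.

```python
import re
from collections import defaultdict

# Constructed sample: the -ddd OS-scan lines pasted in the report above,
# minus the two long SENT lines, which this parser does not read.
SAMPLE_LOG = """\
Host 85.2.144.13. ProbesToSend 8:       ProbesActive 6
Send probe (type: OFP_T1_7, subid: 2) to 85.2.144.13
pcap wait time is 24807.
Rejecting TCP packet because of bad TCP header
Host 85.2.144.13. ProbesToSend 7:       ProbesActive 7
pcap wait time is 23720.
Host 85.2.144.13. ProbesToSend 8:       ProbesActive 6
Send probe (type: OFP_T1_7, subid: 3) to 85.2.144.13
pcap wait time is 24787.
"""

HOST_RE = re.compile(r"^Host (\S+)\. ProbesToSend (\d+):\s+ProbesActive (\d+)")
PROBE_RE = re.compile(r"^Send probe \(type: (\w+), subid: (\d+)\) to (\S+)")
REJECT_PREFIX = "Rejecting TCP packet because of bad TCP header"

def parse_osscan_log(text):
    """Per host: the sequence of ProbesToSend + ProbesActive, the highest
    subid seen per probe type (a rising subid means the same probe was
    re-sent), and how many replies were rejected while it was current."""
    hosts = defaultdict(lambda: {"outstanding": [], "max_subid": {}, "rejected": 0})
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current]["outstanding"].append(int(m.group(2)) + int(m.group(3)))
            continue
        m = PROBE_RE.match(line)
        if m:
            ptype, subid, subids = m.group(1), int(m.group(2)), hosts[m.group(3)]["max_subid"]
            subids[ptype] = max(subids.get(ptype, 0), subid)
        elif line.startswith(REJECT_PREFIX) and current is not None:
            hosts[current]["rejected"] += 1
    return dict(hosts)

def looks_stalled(stats):
    """Judging from the counters in the pasted log, a probe only leaves the
    ToSend/Active pair when a reply is matched or it is abandoned, so the sum
    shrinks as the scan progresses. A flat sum plus retransmissions plus
    rejected replies means nothing is completing: stuck, not just slow."""
    out = stats["outstanding"]
    no_progress = len(out) >= 2 and min(out) == out[0]
    retransmitting = any(s >= 2 for s in stats["max_subid"].values())
    return no_progress and retransmitting and stats["rejected"] > 0
```

Run it over a full -ddd capture (not just the tail) to see whether the outstanding count was ever decreasing before the hang.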
