Port statereason issue
Keeps the old state but uses the new reason value.
`scan_engine_raw.cc#L2111` `get_pcap_result`

```cpp
bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
  ......
  // update port state, may stay old
  ultrascan_port_probe_update(USI, hss, probeI, newstate, &rcvdtime, adjust_timing);
  if (USI->prot_scan)
    hss->target->ports.setStateReason(protocol, IPPROTO_IP,
                                      current_reason, hdr.ttl, &reason_sip);
  else
    hss->target->ports.setStateReason(dport, protocol,
                                      current_reason, hdr.ttl, &reason_sip);
  ......
```
`scan_engine.cc#L2117` `ultrascan_port_probe_update`

```cpp
void ultrascan_port_probe_update(UltraScanInfo *USI, HostScanStats *hss,
                                 std::list<UltraProbe *>::iterator probeI,
                                 int newstate, const struct timeval *rcvdtime,
                                 bool adjust_timing_hint) {
  const UltraProbe *probe = *probeI;
  const probespec *pspec = probe->pspec();
  ultrascan_port_pspec_update(USI, hss, pspec, newstate);
  ultrascan_adjust_timeouts(USI, hss, probe, rcvdtime);
  ......
```
`scan_engine.cc#L1884` `ultrascan_port_pspec_update`

```cpp
static bool ultrascan_port_pspec_update(const UltraScanInfo *USI,
                                        HostScanStats *hss,
                                        const probespec *pspec,
                                        int newstate) {
  u16 portno = 0;
  u8 proto = 0;
  int oldstate = PORT_TESTING;
  /* Whether no response means a port is open */
  bool noresp_open_scan = USI->noresp_open_scan;
  ......
  hss->target->ports.setPortState(portno, proto, newstate, &oldstate);
  if (newstate != oldstate) {
    switch (oldstate) {
      ......
      case PORT_OPEN:
        if (!noresp_open_scan) {
          hss->target->ports.setPortState(portno, proto, oldstate);
        }
        break;
      ......
      default:
        fatal("Unexpected port state: %d\n", oldstate);
        break;
    }
  }
  return oldstate != newstate;
}
```
In rare cases, the initial SYN probe gets a SYN/ACK response but a following probe receives a RST. This results in the port state staying open, but the new state reason `reset` is set after `ultrascan_port_probe_update(...)` at `scan_engine_raw.cc#L2116`. A scan result sample:
```
......
Discoverd open port 6060 .....
Nmap scan report for x.x.x.x
Host is up, received user-set (0.18s latency).
Not shown: 65504 filtered tcp ports (no-response), 6 filtered tcp ports (admin-prohibited), 14 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE REASON
6060/tcp open  x11     reset ttl 48
......
Read data files from: /root/nmap
Nmap done: 1 IP address (1 host up) scanned in 130.24 seconds
```
Is this expected?
`--max-retries 0` suppresses this.
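To make the reported sequence concrete, here is an added stand-alone model of the update path quoted above; it is not nmap source and uses simplified stand-ins for `setPortState()`/`setStateReason()`. The `guard_reason` flag and `apply_response()`/`simulate()` helpers are hypothetical, added only to contrast the reported behaviour with a reason update that is tied to the state actually stored.

```cpp
// Added model (not nmap source) of the update path quoted in the issue:
// simplified stand-ins for setPortState()/setStateReason() show how the
// port can stay PORT_OPEN while its reason is overwritten with "reset".
#include <cstdio>
#include <string>

enum PortState { PORT_TESTING = 0, PORT_OPEN, PORT_CLOSED };

struct PortEntry {
  int state = PORT_TESTING;
  std::string reason;  // e.g. "syn-ack", "reset"
};

// Stand-in for ultrascan_port_pspec_update(): records newstate, but when an
// already-open port is contradicted and the scan type does not treat
// no-response as open, the old (open) state is restored. Like the original,
// it returns whether newstate differed from oldstate, even if restored.
static bool pspec_update(PortEntry &p, int newstate, bool noresp_open_scan) {
  int oldstate = p.state;
  p.state = newstate;
  if (newstate != oldstate && oldstate == PORT_OPEN && !noresp_open_scan)
    p.state = oldstate;  // the "case PORT_OPEN" branch above
  return oldstate != newstate;
}

// One response as handled in get_pcap_result(): state update, then reason.
// guard_reason=false reproduces the report; guard_reason=true is a hypothetical
// variant that writes the reason only if the stored state took the new value.
static void apply_response(PortEntry &p, int newstate, const char *reason,
                           bool noresp_open_scan, bool guard_reason) {
  pspec_update(p, newstate, noresp_open_scan);
  if (!guard_reason || p.state == newstate)
    p.reason = reason;
}

// Sequence from the report: SYN/ACK to the first probe, RST to the retry.
static PortEntry simulate(bool guard_reason, bool noresp_open_scan = false) {
  PortEntry p;
  apply_response(p, PORT_OPEN, "syn-ack", noresp_open_scan, guard_reason);
  apply_response(p, PORT_CLOSED, "reset", noresp_open_scan, guard_reason);
  return p;
}

int main() {
  PortEntry a = simulate(false), b = simulate(true);
  std::printf("reported: state=%d reason=%s\n", a.state, a.reason.c_str());
  std::printf("guarded:  state=%d reason=%s\n", b.state, b.reason.c_str());
  return 0;
}
```

With `noresp_open_scan` set (a scan type where no response means open), the RST does flip the stored state to closed, so state and reason agree there; the mismatch only appears when the open state is restored.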