
I have a CentOS 6 server with nmap 5.51 installed on it. I issue the following command:

nmap -sS -PN -p1-1024 --traceroute --reason -O -sV {My IP} -vv

(This is all "don't quote me")
-sS is a type of scan where TCP connections are not fully established
-PN means skip checking if host is online
-p1-65535 is the port range
--traceroute means add traceroute
--reason "Shows the reason each port is set to a specific state and the reason each host is up or down."
-O means OS detection
-sV detects the version of the program listening on each port
-vv means "be verbose"

So anyway... I run this command, wait a few minutes, it prints the result and EXITS. I open another terminal window (or tab), try to connect to that same server through SSH... And the connection times out. This happens every time, and only after running nmap. Rebooting is the only thing that fixes it.

It seems that if I already have a connection, it keeps communicating, but new ones get refused. Like I said, nmap has already exited, and I made sure it's not in the process list (ps uax | grep nmap).

And another thing, the weirdest of all: everything is fine while nmap runs. It's when it goes away that shenanigans start.

But this is not consistent. When I added the argument -T2 ("polite" scanning), the server went down instantly, including existing connections.

What next?

Note that the server that screws up is the one that does the scanning, not the target.

Danny Beckett

Tiiba
  • No one can connect to the server, or only the machine from where you did the nmap scan? – golja Jul 19 '12 at 23:55
  • That was a damn good question. Now, the server did the scan. The target was my computer. And as it turns out, another computer was still able to connect while the target couldn't. So it's the target's fault? – Tiiba Jul 20 '12 at 00:44
  • 5
    Maybe you have some kind of IDS which blocks the traffic after an nmap abuse ? :) – golja Jul 20 '12 at 00:46
  • As golja suggested, you should definitely take a look at your firewall. Nmap opens thousands of connections with the target host, and even more with the parameters you've given. However, I had a similar problem and it turned out my maximum number of connections wasn't high enough. Increasing it and working with sysctl did the trick. – raz3r Jul 24 '12 at 13:03
  • Actually, a lot of it depends on the environment you are scanning in. If it's a Linux server with AppArmor/SELinux enabled, there's a good chance that's how you are getting blocked. A good way to check is by scanning from a machine on Network A, and attempting a connection from another machine on the same Network A. This could indicate IP blacklisting, and that's what's happening. If you have more information on the environment between your system and the target system, that would help in figuring out why connections are dropping. – Karthik Rangarajan Jul 25 '12 at 03:40
  • Have you tried running tcpdump on the server's incoming interface to see what happens to the SYN packet sent by your client/target when initiating the connection? Is a SYN/ACK or RST returned, or is the packet ignored? I think you have to start tracing the packets on the wire. – Mark Hillick Jul 25 '12 at 09:04

1 Answer

  1. Disable SELinux

  2. Disable iptables

  3. Extra information http://nmap.org/book/man-bypass-firewalls-ids.html

Satish
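The comments suggest checking, on the scanning host, the connection-tracking table (raz3r), firewall rules and SELinux (golja, Karthik Rangarajan, and the answer above), and watching the SSH SYN on the wire (Mark Hillick). The script below is an added example that does those checks in one place; it is not code from the question, the comments or the answer. It assumes a CentOS 6 style host where the nf_conntrack counters live under /proc/sys/net/netfilter, where iptables-save and getenforce exist, and where eth0 is the interface SSH arrives on; the iptables-save excerpt embedded in it is constructed (203.0.113.5 is a documentation address) and is only there to show what the rule parser extracts.

```shell
#!/bin/sh
# Added diagnostic for "no new connections after an nmap scan" on the
# host that ran the scan. Not from the original question or answer.
# Assumptions: nf_conntrack sysctls under /proc/sys/net/netfilter,
# iptables-save/getenforce present, SSH arriving on eth0.
#
# Why conntrack matters here: -sS sends raw SYNs, but they still pass
# the netfilter hooks, so every probed port becomes a conntrack entry.
# Once the table is full the kernel drops packets for NEW flows while
# existing, already-tracked connections keep working.

# Return 0 when the conntrack table is at or above PCT percent of its
# maximum. Args: current count, maximum, threshold percent (default 90).
conntrack_near_full() {
    count=$1
    max=$2
    pct=${3:-90}
    case "$count$max" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric input
    [ "$max" -gt 0 ] || return 1
    [ $(( count * 100 / max )) -ge "$pct" ]
}

# Count kernel "table full" messages in dmesg-style text on stdin.
# Prints the number and exits 0 even when it is 0.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Print INPUT-chain rules from iptables-save output (stdin) that DROP
# or REJECT. A scan-triggered blacklist (fail2ban, psad, ...) shows up
# here as a rule matching a single source address.
input_drop_rules() {
    grep -E '^-A INPUT .*-j (DROP|REJECT)'
}

# Constructed iptables-save excerpt used only to demonstrate the parser.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Live checks; each one is skipped when its file or tool is absent, so
# the script also runs on a host without netfilter.
main() {
    ct_count=/proc/sys/net/netfilter/nf_conntrack_count
    ct_max=/proc/sys/net/netfilter/nf_conntrack_max
    if [ -r "$ct_count" ] && [ -r "$ct_max" ]; then
        c=$(cat "$ct_count")
        m=$(cat "$ct_max")
        if conntrack_near_full "$c" "$m" 90; then
            echo "conntrack table $c/$m: near full, NEW flows are being dropped"
        else
            echo "conntrack table $c/$m: ok"
        fi
    else
        echo "conntrack sysctls not present (nf_conntrack not loaded?)"
    fi

    if command -v dmesg >/dev/null 2>&1; then
        echo "kernel 'table full' messages: $(dmesg 2>/dev/null | count_table_full)"
    fi

    if command -v iptables-save >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        echo "DROP/REJECT rules in INPUT:"
        iptables-save 2>/dev/null | input_drop_rules || echo "  (none)"
    fi

    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode: $(getenforce)"
    fi

    echo "parser demo on the constructed sample:"
    printf '%s\n' "$SAMPLE_RULES" | input_drop_rules

    # Run this while the client retries SSH: it shows whether the SYN
    # arrives and whether a SYN/ACK or RST leaves (the "ignored" case
    # means a filter or a full conntrack table, not sshd).
    echo "capture: tcpdump -ni eth0 'tcp port 22 and tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'"
}

main
```

If the conntrack table turns out to be the cause, the entries from the scan expire on their own (unreplied SYNs after nf_conntrack_tcp_timeout_syn_sent), so "only a reboot fixes it" usually points elsewhere; since the question notes that a third machine could still connect while the scanned target could not, the same checks are worth running on the target if it is a Linux box, because a blacklist there produces exactly that picture.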