# nmap 5.61 scanning very slowly



## fluca1978 (Nov 19, 2012)

Hi all,
I've just set up a virtual machine to do some experiments and compiled security/nmap, but doing a scan against localhost is really slow, as reported below:


```
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2012-11-19 15:14 CET
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.50% done
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 6.17% done; ETC: 15:15 (0:01:01 remaining)
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 10.52% done; ETC: 15:17 (0:03:24 remaining)
Stats: 0:06:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 16.04% done; ETC: 15:52 (0:32:07 remaining)
Stats: 0:28:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 37.90% done; ETC: 16:29 (0:46:37 remaining)
Stats: 0:41:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.38% done; ETC: 16:35 (0:40:30 remaining)
```

I'm using 9.0-RELEASE:


```
# uname -a
FreeBSD bsdmag 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:15:25 UTC 2012     root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
```

Any idea about what could be going wrong here?


----------



## chatwizrd (Nov 19, 2012)

What flags did you use when you ran the nmap command?


----------



## SirDice (Nov 19, 2012)

If there's a firewall, scanning will be slow because it waits for a time-out before moving to the next port. If there is no firewall, a SYN packet would immediately receive a RST (if the port was closed) or a SYN/ACK (if the port was open).


----------



## mamalos (Nov 20, 2012)

So what I think SirDice implies is that it is highly probable that you're probing a firewalled machine that uses a firewall configuration which "makes" probing slow. This is a very common case and is related to the target machine, not the source.


----------



## fluca1978 (Nov 20, 2012)

I don't use any command flags:


```
# nmap localhost

Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2012-11-20 08:19 CET
Stats: 0:06:50 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 14.82% done; ETC: 09:05 (0:39:17 remaining)
Stats: 0:13:43 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 21.56% done; ETC: 09:22 (0:49:54 remaining)
Stats: 0:28:51 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 36.45% done; ETC: 09:38 (0:50:19 remaining)
Stats: 0:30:35 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 38.12% done; ETC: 09:39 (0:49:39 remaining)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00040s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp

Nmap done: 1 IP address (1 host up) scanned in 10283.28 seconds
```

In my /etc/rc.conf I don't have any option to enable a firewall, and my /etc/defaults/rc.conf reports `firewall_enable="NO"`, so I don't believe the problem is with firewalls. I've tried removing it and installing from packages instead of from ports, but the situation did not change.

So far only two things come to my mind:
1) the package/port is compromised (I don't think so)
2) there is some configuration in the network that is slowing down the process against myself.

Being a virtual machine, I will try to move it to another environment and report back the results.


----------



## bbzz (Nov 20, 2012)

Even with a firewall, nmap is optimized to classify ports as _filtered_ much sooner. My guess is that the issue is the virtual machine.
Try running on a regular host, and try the latest version.


----------



## mamalos (Nov 20, 2012)

On a non-firewalled FreeBSD machine (in Virtualbox) I ran:
`# time nmap -P0 -sT -v localhost` 
and it took approximately 10 seconds to complete. On the same host I ran: 
`# time nmap -v` 
9 minutes ago and it still hasn't finished (it's at 78% now, and goes slower and slower).

So, before moving to a different machine, I'd recommend that you just use some combination of options that will speed up your search. For the various options you can always consult nmap's man page.
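
The behaviour SirDice describes (closed port answers with a RST at once, open port with a SYN/ACK, only a filtered port makes the scanner wait for a time-out) and the `-sT` connect scan mamalos timed above can be seen with a few lines of Python. This is an added example, not nmap's code and not part of either post: a tiny sequential connect() scanner that records the state and the elapsed time per port. The listener it starts on an ephemeral loopback port is a constructed stand-in for the sshd/smtpd in the original scan, `unused_port()` picks a port that should be closed, and the 2-second `FILTERED_TIMEOUT` is an assumed value (nmap tunes its own RTT timeouts adaptively; see the `--max-rtt-timeout` and `-T` options in its man page).

```python
#!/usr/bin/env python3
"""Minimal TCP connect() scanner with per-port state and timing.

Added example, not nmap's code. A connect() scan (what nmap -sT does) lets the
kernel run the three-way handshake: an unfiltered host answers immediately,
either by completing the handshake (open) or with a RST (closed). Only a
filtered port, whose probe is silently dropped, has to wait for the timeout.
"""
import errno
import socket
import threading
import time

# Assumption for this example: how long we wait before calling a port "filtered".
FILTERED_TIMEOUT = 2.0


def scan_port(host: str, port: int, timeout: float = FILTERED_TIMEOUT):
    """Return (state, elapsed_seconds) for one port using the OS connect().

    open     -> handshake completed (the target sent SYN/ACK)
    closed   -> connection refused (the target sent RST)
    filtered -> no reply before the timeout (probe dropped, e.g. by a firewall)
    """
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            state = "open"
        except socket.timeout:
            state = "filtered"
        except ConnectionRefusedError:
            state = "closed"
        except OSError as e:
            # Unreachable host/network: treat as filtered, as nmap does.
            unreachable = (errno.EHOSTUNREACH, errno.ENETUNREACH)
            state = "filtered" if e.errno in unreachable else "error"
    return state, time.monotonic() - start


def connect_scan(host: str, ports, timeout: float = FILTERED_TIMEOUT):
    """Scan the given ports one after another; returns {port: (state, elapsed)}."""
    return {p: scan_port(host, p, timeout) for p in ports}


def start_listener(host: str = "127.0.0.1"):
    """Start a throwaway TCP listener on an ephemeral port (constructed target
    standing in for a real service). Returns (server_socket, port); closing
    the socket stops the listener thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port(host: str = "127.0.0.1") -> int:
    """Pick a port that is (almost certainly) closed: bind to port 0, read back
    the number the kernel chose, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = unused_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
        for port, (state, secs) in results.items():
            print(f"{port}/tcp {state:<8} ({secs * 1000:.1f} ms)")
    finally:
        srv.close()
```

Both loopback ports come back in well under a second, which is the behaviour the thread expects from an unfiltered host; to see the slow path, point `scan_port()` at an address whose firewall drops SYNs and every probe will take the full `FILTERED_TIMEOUT`. Note that a raw SYN scan (nmap's default `-sS`, which needs root and its own packet capture) relies on the same three answers; the difference is only who builds and reads the packets.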


----------



## fluca1978 (Nov 21, 2012)

The _-sT_ option solved the problem and made the scan very fast. As far as I understand, such an option makes nmap use the operating system's connect() when testing a port. I'm wondering what the reason is for nmap's own connect being so slow.


----------



## mamalos (Nov 21, 2012)

Maybe for performing a more stealthy scan?


----------

