same nmap command giving different results on Lame machine

Hi Team,

I am facing below issue ,
When I am executing the same nmap command twice I am getting different results and also some ports are invisible even though if I use -p- switch

[email protected]:~/Desktop# nmap -Pn 10.10.10.3 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-27 14:31 EDT
Nmap scan report for 10.10.10.3
Host is up (0.28s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
21/tcp open ftp
139/tcp open netbios-ssn
3632/tcp open distccd

[email protected]:~/Desktop# nmap -Pn 10.10.10.3 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-27 14:56 EDT
Nmap scan report for 10.10.10.3
Host is up (0.26s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
21/tcp open ftp
3632/tcp open distccd
Nmap done: 1 IP address (1 host up) scanned in 1567.73 seconds

nmap -Pn 10.10.10.3 -T2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-27 13:55 EDT
Nmap scan report for 10.10.10.3
Host is up (0.35s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 1603.56 seconds

Any pointers to the above issue will be helpful

Thanks and Regards
Bipin Patil

Tagged:

Comments

  • I've had this happen a couple of times and assumed it was just because the service(s) that didn't show up were overloaded with brute force attempts etc, or maybe just the whole machine is running extremely slow and can't service the network request. You have to remember these HTB machines run on pretty limited resources (only 1 CPU core and 2 GB of RAM is the maximum suggested when you submit a machine) and have potentially hundreds of people attacking them at once.

    All I can suggest is either move your VPN to a different region so you get a different machine to connect to, or consider purchasing VIP which has way fewer people on each machine and generally just runs a lot smoother

  • Type your comment> @VbScrub said:

    I've had this happen a couple of times and assumed it was just because the service(s) that didn't show up were overloaded with brute force attempts etc, or maybe just the whole machine is running extremely slow and can't service the network request. You have to remember these HTB machines run on pretty limited resources (only 1 CPU core and 2 GB of RAM is the maximum suggested when you submit a machine) and have potentially hundreds of people attacking them at once.

    All I can suggest is either move your VPN to a different region so you get a different machine to connect to, or consider purchasing VIP which has way fewer people on each machine and generally just runs a lot smoother

    Hi VbScrub,

    Thanks for your reply .
    I am try reconnecting VPN and also from the different location machine (Switching from EU to US) . I have VIP access but iam facing same issue. Only the below nmap command switch gives me consisting output.
    nmap -Pn 10.10.10.3 -T2

  • is your internet quite slow or unreliable? If it only works when you use -T2 to slow nmap down (T3 is the default speed) then I would say it seems like your internet is just not able to handle the default speed that nmap uses. If I try and use T5 then I have issues presumable because my internet speed isn't fast enough for that to work nicely, so I use T4 personally. But yeah you might just need to use T2 with yours

  • Type your comment> @VbScrub said:

    is your internet quite slow or unreliable? If it only works when you use -T2 to slow nmap down (T3 is the default speed) then I would say it seems like your internet is just not able to handle the default speed that nmap uses. If I try and use T5 then I have issues presumable because my internet speed isn't fast enough for that to work nicely, so I use T4 personally. But yeah you might just need to use T2 with yours

    Hi VbScrub,

    Thanks for your reply.

    I have internet connection with download speed always greater than 10MBPS and Upload Speed greater than 4 MBPS, I think this is sufficient internet speed.

    Thanks and Regards
    Bipin Patil

  • hmm that would be considered pretty slow for internet speed where I live. I just did a speed test and mine is around 80 Mbps download and 10 Mbps upload (and most people I know have similar speeds, if not better). I think you might just need to always use the -T2 option on nmap to account for your internet. The nmap documentation describes the speeds as:

    "T4 speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally T5 mode assumes that you are on an extraordinarily fast network"

    So from that I would assume that T1 and T2 go the opposite way and that if you're on a slower network, you need to use those. Remember that when they say "network" they are possibly talking about local networks (which usually run at over 100 Mbps), not internet connections which are obviously much slower a lot of the time

  • Type your comment> @VbScrub said:

    hmm that would be considered pretty slow for internet speed where I live. I just did a speed test and mine is around 80 Mbps download and 10 Mbps upload (and most people I know have similar speeds, if not better). I think you might just need to always use the -T2 option on nmap to account for your internet. The nmap documentation describes the speeds as:

    "T4 speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally T5 mode assumes that you are on an extraordinarily fast network"

    So from that I would assume that T1 and T2 go the opposite way and that if you're on a slower network, you need to use those. Remember that when they say "network" they are possibly talking about local networks (which usually run at over 100 Mbps), not internet connections which are obviously much slower a lot of the time

    Thanks a lot for your help and suggestion.
    I will use always -T2 Switch.

  • -T2 will make it pretty damn slow though, that's the only thing. So you might want to limit the number of ports you scan, instead of scanning all 65,535 ports. When scanning Windows machines I generally only scan the first 6,000 ports to start with and then if I get really stuck I'll scan the rest just to see if there was anything there. But so far on 90% of the machines I've done, the first 6000 ports have been all I've needed to know about. It might be different for Linux machines though.

Sign In to comment.