4
2
Nmap is so slow as to be almost unusable on my Windows 8.1 laptop.
I'm using Nmap 6.40 and it's taking more than a minute to run a simple check that runs in a fraction of a second on other computers on the same network. I've tried several other computers with different versions of Nmap, but they all get the same result in a fraction of a second. Trying different scans and different targets on my laptop has the same results. It's not a slow laptop in general, core i7/16GB/SSD, other applications run fast enough
This is what Nmap says on my laptop (hostnames etc changed):
C:\Users\colinp>nmap -p4730 target
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-20 14:28 GMT Standard Time
Nmap scan report for target (192.168.1.1)
Host is up (0.0013s latency).
rDNS record for 192.168.1.1: target
PORT STATE SERVICE
4730/tcp open unknown
MAC Address: 2C:76:8A:00:00:00 (Hewlett-Packard Company)
Nmap done: 1 IP address (1 host up) scanned in 79.92 seconds
C:\Users\colinp>
vs an example Ubuntu computer on the same network:
colin@ubuntu:~$ nmap -p 4730 target
Starting Nmap 5.21 ( http://nmap.org ) at 2014-03-20 14:29 GMT
Nmap scan report for target (192.168.1.1)
Host is up (0.00044s latency).
rDNS record for 192.168.1.1: target
PORT STATE SERVICE
4730/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
colin@ubuntu:~$
EDIT: I just noticed the amount of time taken is suspiciously similar for another host, not sure if that means anything:
C:\Users\colinp>nmap -p4730 target2
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-20 14:47 GMT Standard Time
Nmap scan report for target2 (192.168.1.2)
Host is up (0.00013s latency).
rDNS record for 192.168.1.2: target2
PORT STATE SERVICE
4730/tcp closed unknown
MAC Address: 00:25:90:00:00:00 (Super Micro Computer)
Nmap done: 1 IP address (1 host up) scanned in 79.71 seconds
C:\Users\colinp>
Trying to scan a non-existant host is faster, but varies a lot, between 3 and 16 seconds. Again, that takes 0.03 seconds on the ubuntu server.
Name resolution does not seem to be a problem on my laptop, nslookup
returns almost instantly.
EDIT: output of diagnostic suggested by @bonsaiviking:
C:\Users\colinp>nmap -d -sL target
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-20 16:40 GMT Standard Time
Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll version 4.
1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 192.168.x.12
mass_rdns: Using DNS server 192.168.x.11
mass_rdns: Using DNS server 192.168.1.254
mass_rdns: Using DNS server 192.168.2.1
mass_rdns: Using DNS server 192.168.x.12
mass_rdns: Using DNS server 192.168.x.11
mass_rdns: Using DNS server 192.168.x.12
mass_rdns: Using DNS server 192.168.x.11
Initiating Parallel DNS resolution of 1 host. at 16:41
mass_rdns: 52.89s 0/1 [#: 8, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 16:41, 0.00s elapsed
DNS resolution of 1 IPs took 52.90s. Mode: Async [#: 8, OK: 1, NX: 0, DR: 0, SF:
0, TR: 1, CN: 0]
Nmap scan report for target (192.168.1.1)
rDNS record for 192.168.1.1: target
No data files read.
Nmap done: 1 IP address (0 hosts up) scanned in 53.36 seconds
IP addresses changed again. Of the DNS servers listed, 192.168.x.11
and 192.168.x.12
are my real DNS servers. No idea where the others come into this. They are not listed when I do ipconfig /all
although the following odd entry was under my connection to my internal Hyper-V switch:
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Don't know whether the problem is related to my running Hyper-V? Also I have no actively disabled IPv6, don't know whether that could be causing it?
more diagnostics, IP addresses still obscured, hopefully consistently...
C:\Users\colinp>nslookup -type=PTR 1.1.168.192.in-addr.arpa
Server: dns-at-my-company.example.com
Address: 192.168.x.12
1.1.168.192.in-addr.arpa.co.uk
primary name server = ns1.sedoparking.com
responsible mail addr = hostmaster.sedo.de
serial = 2007021501
refresh = 86400 (1 day)
retry = 10800 (3 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
Previous command was missing a .
. This looks better:
C:\Users\colinp>nslookup -type=PTR 1.1.168.192.in-addr.arpa.
Server: dns-at-my-company.example.com
Address: 192.168.x.12
1.1.168.192.in-addr.arpa name = target
Diagnostics time: run as administrator, any change? Run
nmap -d -n -Pn -p 4730 target
, thennmap -d -n -sn target
, thennmap -d -sL target
. Which ones were slow, which were fast? This is running each phase of the scan separately to isolate the slow part. – bonsaiviking – 2014-03-20T16:36:41.160administrator, no change (I forgot to mention I tried that). Timings of those commands in order: 5.52, 4.65, 53.36. The output of the last one seems to suggest I have a DNS problem, though
nslookup
works fast enough. I'll post the output into a question edit – Colin Pickard – 2014-03-20T16:43:53.970It sounds like the problem is in reverse name resolution, then. Is this command also slow?
nslookup -type=PTR 1.1.168.192.in-addr.arpa
(obviously substitute your target's IP address in byte-reversed order) – bonsaiviking – 2014-03-20T16:48:50.317@bonsaiviking, thank you for your help. I think you might be onto something. If I understand what should be happening, I got a very odd result to that nslookup, which I've edited into the end of the question. – Colin Pickard – 2014-03-20T16:59:55.013
@bonsaiviking scratch that. I needed an extra
.
at the end of that command – Colin Pickard – 2014-03-20T17:05:48.487As a workaround while you figure out where those extraneous nameservers came from, use
--dns-servers 192.168.x.11,192.168.X.12
or the (usually slower)--system-dns
– bonsaiviking – 2014-03-20T17:11:14.073@bonsaiviking The original command combined with
--dns-servers 192.168.x.11,192.168.X.12
consistently returns in 3-4 seconds. I believe you have found the answer - my DNS settings are screwed. If you post it as an answer I will accept it. Thank you! – Colin Pickard – 2014-03-20T17:22:20.137