Question

When I'm scanning only one port using nmap (nmap 5.21 version) on which my service is running, it is working fine (I'm able to log in to my service which is running on port 28443).

nmap -P0 -sT -A -p 28443 -oN /root/abhiNmap.txt nmap v <IP>

But when I'm scanning all 65k ports, the scan is fine, but after that I'm not able to log in to the service on the same port. It hangs.

nmap -P0 -sT -A -p 1-65535 -oN /root/abhiNmap.txt nmap v <IP>.

Though, per netstat -an | grep 28443, it is listening properly on the same port.

Workaround after which it is working fine: stop tomcat -> service activemq restart -> start tomcat.

I'm not able to find the correlation between nmap and ActiveMQ. Is there any relation or something which is affecting ActiveMQ? Thanks in advance.

Solution

Troubleshooting hung services can be difficult. The first step would be to pare down the scan to the smallest set of probes that can reproduce the hang condition. Your command line includes the -A flag, which turns on all of Nmap's advanced features. Here are a few scans to try, and what they mean for the hung service:

  1. nmap -sT -p1-65535 <IP> - A simple all-ports scan
  2. nmap -sT -p1-10,28443 -O <IP> - OS detection would usually be skipped on a single-port scan, so we throw in some extra ports that are likely to be closed in order to force it.
  3. nmap -sT -p1-65535 -sV <IP> - All-ports scan with service version detection. This is usually the phase that will crash services, since it sends many unique probes to open ports.
  4. nmap -sT -p1-65535 -sV -sC <IP> - If the previous scan didn't crash it, this one may, since it runs extra NSE scripts that interact with open services.
  5. nmap -sT -p1-65535 --traceroute <IP> - Very unlikely that this is the culprit, but it is the last feature that is included in -A.

Once you have a scan that will repeatedly crash the service, you should check the service's logs to see if you can understand why it crashed. You may also want to start removing ports from the scan to see which port is affecting your service: From your question, I would guess that 28443 is actually fine, but there may be another open port to another service that it interacts with, which is really the one that breaks.

Once you figure out what is the problem, you should take steps to ensure it doesn't continue to be a problem:

  1. Use a firewall to limit access to the vulnerable service.
  2. Send a bug report to the maintainers of the service software listing steps to reproduce the hang condition.
  3. Send a message to dev@nmap.org with the steps to reproduce. The developers may be able to change the probes that are sent to this service to avoid a crash.
  4. Contribute your findings to the Network Scanning Watch List so other people can avoid crashing their own services.

Finally, I would like to point out that Nmap 5.21 was released in 2010, and is now 4 years old. The latest version of Nmap is 6.40 as of this writing, and contains many bug fixes and new features.
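The pare-down procedure from the answer can be scripted so that each of its five scans is followed by a health check. This is an added example, not part of the original answer; the function names are hypothetical, and it assumes the service on port 28443 speaks HTTPS and that you run it against your own host.

```shell
#!/bin/sh
# Added example: run the answer's five scans in order and report the first one
# after which the service stops answering. -O and --traceroute need root.

# The scan option sets listed in the answer, one per line.
SCANS='-sT -p1-65535
-sT -p1-10,28443 -O
-sT -p1-65535 -sV
-sT -p1-65535 -sV -sC
-sT -p1-65535 --traceroute'

# service_ok HOST PORT: application-level check with a timeout. A plain
# "is the port listening" test is not enough: in the question the port
# still shows as listening in netstat while logins hang.
# Assumption: the service speaks HTTPS (adjust the URL scheme if not).
service_ok() {
    curl -k -s -o /dev/null --max-time 10 "https://$1:$2/"
}

# run_scan HOST OPTS...: one nmap run with the given options.
run_scan() {
    target=$1; shift
    nmap "$@" "$target" </dev/null >/dev/null 2>&1
}

# first_hanging_scan HOST PORT: prints the options of the first scan after
# which service_ok fails. Returns 0 if such a scan was found, 1 if the
# service survived all scans, 2 if it was already down before scanning.
first_hanging_scan() {
    host=$1; port=$2
    service_ok "$host" "$port" || { echo "service down before scan" >&2; return 2; }
    while IFS= read -r opts; do
        # $opts is left unquoted on purpose so it splits into separate options.
        run_scan "$host" $opts
        if ! service_ok "$host" "$port"; then
            printf '%s\n' "$opts"
            return 0
        fi
    done <<EOF
$SCANS
EOF
    return 1
}

# Usage: sh bisect.sh <IP> 28443
if [ "$#" -ge 2 ]; then first_hanging_scan "$1" "$2"; fi
```

Once a scan is reported, restart the service and shrink that scan's port range to find the port that triggers the hang, then check the service's logs as the answer suggests.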

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow