Why is Nmap slow on my Windows 8.1 laptop?

windows-8.1 nmap

Nmap is so slow as to be almost unusable on my Windows 8.1 laptop.

I'm using Nmap 6.40 and it's taking more than a minute to run a simple check that runs in a fraction of a second on other computers on the same network. I've tried several other computers with different versions of Nmap, but they all get the same result in a fraction of a second. Trying different scans and different targets on my laptop has the same results. It's not a slow laptop in general, core i7/16GB/SSD, other applications run fast enough

This is what Nmap says on my laptop (hostnames etc changed):

C:\Users\colinp>nmap -p4730 target 

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-20 14:28 GMT Standard Time
Nmap scan report for target (192.168.1.1)
Host is up (0.0013s latency).
rDNS record for 192.168.1.1: target
PORT     STATE SERVICE
4730/tcp open  unknown
MAC Address: 2C:76:8A:00:00:00 (Hewlett-Packard Company)

Nmap done: 1 IP address (1 host up) scanned in 79.92 seconds

C:\Users\colinp>

vs an example Ubuntu computer on the same network:

colin@ubuntu:~$ nmap -p 4730 target 

Starting Nmap 5.21 ( http://nmap.org ) at 2014-03-20 14:29 GMT
Nmap scan report for target (192.168.1.1)
Host is up (0.00044s latency).
rDNS record for 192.168.1.1: target 
PORT     STATE SERVICE
4730/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
colin@ubuntu:~$

EDIT: I just noticed the amount of time taken is suspiciously similar for another host, not sure if that means anything:

C:\Users\colinp>nmap -p4730 target2

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-20 14:47 GMT Standard Time
Nmap scan report for target2 (192.168.1.2)
Host is up (0.00013s latency).
rDNS record for 192.168.1.2: target2
PORT     STATE  SERVICE
4730/tcp closed unknown
MAC Address: 00:25:90:00:00:00 (Super Micro Computer)

Nmap done: 1 IP address (1 host up) scanned in 79.71 seconds

C:\Users\colinp>

Trying to scan a non-existant host is faster, but varies a lot, between 3 and 16 seconds. Again, that takes 0.03 seconds on the ubuntu server.

Name resolution does not seem to be a problem on my laptop, nslookup returns almost instantly.

EDIT: output of diagnostic suggested by @bonsaiviking:

C:\Users\colinp>nmap -d -sL target

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-20 16:40 GMT Standard Time
Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll version 4.
1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 192.168.x.12
mass_rdns: Using DNS server 192.168.x.11
mass_rdns: Using DNS server 192.168.1.254
mass_rdns: Using DNS server 192.168.2.1
mass_rdns: Using DNS server 192.168.x.12
mass_rdns: Using DNS server 192.168.x.11
mass_rdns: Using DNS server 192.168.x.12
mass_rdns: Using DNS server 192.168.x.11
Initiating Parallel DNS resolution of 1 host. at 16:41
mass_rdns: 52.89s 0/1 [#: 8, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 16:41, 0.00s elapsed
DNS resolution of 1 IPs took 52.90s. Mode: Async [#: 8, OK: 1, NX: 0, DR: 0, SF:
 0, TR: 1, CN: 0]
Nmap scan report for target (192.168.1.1)
rDNS record for 192.168.1.1: target
No data files read.
Nmap done: 1 IP address (0 hosts up) scanned in 53.36 seconds

IP addresses changed again. Of the DNS servers listed, 192.168.x.11 and 192.168.x.12 are my real DNS servers. No idea where the others come into this. They are not listed when I do ipconfig /all although the following odd entry was under my connection to my internal Hyper-V switch:

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1

Don't know whether the problem is related to my running Hyper-V? Also I have no actively disabled IPv6, don't know whether that could be causing it?

more diagnostics, IP addresses still obscured, hopefully consistently...

C:\Users\colinp>nslookup -type=PTR 1.1.168.192.in-addr.arpa
Server:  dns-at-my-company.example.com
Address:  192.168.x.12

1.1.168.192.in-addr.arpa.co.uk
        primary name server = ns1.sedoparking.com
        responsible mail addr = hostmaster.sedo.de
        serial  = 2007021501
        refresh = 86400 (1 day)
        retry   = 10800 (3 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

Previous command was missing a .. This looks better:

C:\Users\colinp>nslookup -type=PTR 1.1.168.192.in-addr.arpa.
Server:  dns-at-my-company.example.com
Address:  192.168.x.12

1.1.168.192.in-addr.arpa     name = target

Solution 1:

Solved in the comments: A problem with how Nmap is detecting DNS servers to use for its parallel reverse DNS resolution. Here is the diagnostics process and the final workaround:

First, you need to determine which phase of the Nmap scan is slowing you down. nmap -p4730 target will do a single-port TCP scan, but it will also do name resolution (if necessary), host discovery ("ping"), and reverse DNS name lookup. It's important to know whether you are running as administrator, too, since Nmap uses different approaches to all of these steps if it doesn't have sufficient privileges to use the best and fastest ones. Run these single-phase scans to determine which phase is the slow one:

  1. nmap -d -n -Pn -p 4730 target - Port scan phase only.
  2. nmap -d -n -sn target - Host discovery phase only.
  3. nmap -d -sL target - Reverse DNS resolution phase only.

From your comments, we determined that the slowpoke was reverse DNS resolution. Adding the -d flag showed that Nmap was choosing 4 different DNS servers, but only 2 of them were valid. Nmap's documentation suggests using the --dns-servers option to specify the correct ones in a comma-separated list. You can also use --system-dns to use your operating system's own DNS resolver instead of Nmap's parallel one. For scans of many hosts, this can be slower, but it's pretty much always guaranteed to work. These options are documented in more detail in the official Nmap Network Scanning book by Gordon "Fyodor" Lyon.

Our final workaround, then, is to determine the IP addresses of your DNS servers, then run Nmap with --dns-servers 192.168.X.X,192.168.X.Y with those servers' IP addresses.

Related

Open program/windows on specific monitor [duplicate]
Setting page numbering on Word
Can't install Powershell 3.0
Save QuickTime movie trailer files to computer without Pro
Change command prompt to only show current directory name
Windows application that debug battery consumption
Microsoft Wireless Display: black border around image (screen image is scaled down)
How does RAID 1 determine whether a disk is corrupted?
Firefox in Ubuntu : how to automate basic authentication password confirm dialog
Remove bad sectors on a hard disk in Windows 10
Brand new Seagate HDD has high raw read error rate
Windows 10: Set any browser as default when it does not show up in Settings?