
Timeout issues when scanning multiple nets #2

Open
ruppde opened this issue Mar 4, 2021 · 3 comments


ruppde commented Mar 4, 2021

The script gives different results depending on whether it's used for scanning multiple nets or single IPs. There are hosts which sometimes give this result when scanning multiple nets:

```
443/tcp open  https
|_http-vuln-exchange: Error nil for /owa
```

And if I scan the same IP 20 times alone, I always get:

```
443/tcp open  https
|_http-vuln-exchange: (15.1.845) Exchange 2016 VULNERABLE! (< 15.1.2106)
```

Probably some timeout issue.
@GossiTheDog
Owner

yeah I've noticed this myself, I think it's an nmap bug :(


ruppde commented Mar 4, 2021

Could be possible. Tried to hunt it down, but it works properly if run with -dd :( Adding a timeout to the http call didn't help either.

A workaround might be doing a portscan first and feeding only the IPs with open ports to the script scan.

Here's another nice nmap bug (linux only), watch the netmask vs. pinged IPs ;)

```
$ nmap -sL 10.10.128/17 -n |head -5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-18 18:09 CET
Nmap scan report for 10.10.0.0
Nmap scan report for 10.10.0.1
Nmap scan report for 10.10.0.2
Nmap scan report for 10.10.0.3
```


ruppde commented Mar 4, 2021

wow, it seems to be this silly bug:
Nmap: slow HTTPS service on a fast responding host makes NSE scripts fall-back to HTTP on HTTPS port and thus missing everything
nmap/nmap#2094

I see random ack (not syn) packets sent to :80 during the scan with tcpdump:

```
...................http: Flags [.], ack 3004513962, win 1024, length 0
```

Using --min-rtt-timeout 30 as suggested took ages, but --min-rtt-timeout 3 also did the trick and was OK speed-wise.

Didn't find a way to set the min-rtt in the script, maybe just a README and printed warning plus sleep(3)?
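The two workarounds from this thread combined, as an added example that is not part of the issue or the project's own code: a plain port scan first, then the NSE script run only against hosts that showed 443/tcp open, with --min-rtt-timeout raised. It assumes the script is saved as ./http-vuln-exchange.nse (assumed filename) and that nmap is on PATH; the sample -oG output is constructed so the parser can be exercised without scanning anything.

```shell
# Added example, not project code; assumes ./http-vuln-exchange.nse (assumed filename).

# Print hosts whose grepable (-oG) nmap output shows port $2 open on tcp.
# -oG host lines are tab-separated, e.g.
#   Host: 10.10.0.5 ()<TAB>Ports: 443/open/tcp//https///, 80/closed/tcp//http///<TAB>Ignored State: ...
extract_open_hosts() {
  gnmap_file=$1
  port=$2
  awk -F'\t' -v port="$port" '
    /^Host: / {
      host = $1
      sub(/^Host: /, "", host)     # "10.10.0.5 ()"
      sub(/ .*$/, "", host)        # "10.10.0.5"
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entries, ", ")
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")   # port/state/proto/owner/service/rpc/version/
          if (f[1] == port && f[2] == "open" && f[3] == "tcp") { print host; break }
        }
      }
    }' "$gnmap_file"
}

# Constructed sample -oG output (not a real scan) used to exercise the parser offline.
write_sample_gnmap() {
  printf '%s\t%s\t%s\n' \
    'Host: 10.10.0.5 ()' 'Status: Up' '' \
    'Host: 10.10.0.5 ()' 'Ports: 443/open/tcp//https///, 80/closed/tcp//http///' 'Ignored State: filtered (998)' \
    'Host: 10.10.0.6 ()' 'Ports: 443/closed/tcp//https///, 80/open/tcp//http///' 'Ignored State: filtered (998)' \
    'Host: 10.10.0.9 ()' 'Ports: 443/open/tcp//https///' 'Ignored State: filtered (999)' > "$1"
}

# Phase 1: port-only scan of the nets; phase 2: NSE script scan of just the 443-open
# hosts with a raised minimum RTT timeout (3 s was enough in the thread, 30 s upstream).
two_phase_exchange_scan() {
  targets=$1            # space-separated nets/hosts, e.g. "10.10.0.0/17 192.0.2.0/24"
  min_rtt=${2:-3}
  gnmap=$(mktemp); hosts=$(mktemp)
  nmap -n -p 443 -oG "$gnmap" $targets >/dev/null    # unquoted on purpose: word-split targets
  extract_open_hosts "$gnmap" 443 > "$hosts"
  if [ -s "$hosts" ]; then
    nmap -n -p 443 --min-rtt-timeout "$min_rtt" --script ./http-vuln-exchange.nse -iL "$hosts"
  else
    echo "no hosts with 443/tcp open in: $targets" >&2
  fi
  rm -f "$gnmap" "$hosts"
}
```

Run it as `two_phase_exchange_scan "10.10.0.0/17 192.0.2.0/24" 3`; the second argument is the --min-rtt-timeout value in seconds.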
