Nmap Development mailing list archives
Re: Odd scanning error
From: "Kevin Nault" <prof.morbius () gmail com>
Date: Mon, 20 Oct 2008 19:11:18 -0600
I've actually run this down since, but didn't want to fire off another message to the group address for fear of causing confusion. The culprit is our Meru 802.11 WAPs; I don't know if that MAC is the MAC of the WAP(s) -- I haven't followed through that far -- but it only happens in the office with those WAPs and only while connected to wireless. It does still happen if I'm connected to both wired and wireless -- apparently either nmap or WinXP prefers the wifi.

Thank you for the response, and let me know if there's anything further I can provide (like command output).

On Sun, Oct 19, 2008 at 7:03 PM, David Fifield <david () bamsoftware com> wrote:

> On Wed, Oct 01, 2008 at 10:19:08AM -0600, Kevin Nault wrote:
>> I am using nmap version 4.76 on Windows XP (SP 3, fully up-to-date as of 30Sept '08) on an HP/Compaq nx8230 laptop with a Broadcom 5700-series Ethernet NIC and an Intel 2200BG wifi NIC. Any network scan I do returns every address (empty or full) as having a Lanner Electronics ethernet card with a MAC address of 00:90:0B:0D:72:6F--whether the device exists or not, responds or not, and regardless of what NIC and MAC the device actually has. Every address (whether a device exists there or not) is also reported as having TCP port 1720 (H.323/Q.931) open|filtered. If I don't include 1720 in the TCP port list, all ports report as "filtered". Devices which do exist report their port lists accurately, though 1720 will be added to the list if it is scanned for.
>>
>> I have a custom-built computer physically next to this one, plugged into the next port on the same switch, with the same OS, running nmap 4.20 that does not do this -- MAC addresses, the absence of devices, and the state of port 1720 are reported accurately.
>>
>> The only IDS/IPS device on this network is a SonicWall firewall running current software, but its MAC is 00:06:B1:XX:XX:XX (different last three bytes from the Lanner address above).
>>
>> I love nmap and use it at least weekly. Help?
>
> This is indeed a strange error. Can you send me or Fyodor a scan log using the options -d3 --packet-trace? Does it happen with both the wired and wireless NICs, or just one of them?
>
> With TCP scans, the open|filtered state is usually only possible with FIN, NULL, and Xmas scans. Getting it with a SYN scan would point to a bug in Nmap.
>
> My best guess is that there's some software on the Windows XP machine causing this. You could try uninstalling Nmap, then reinstalling version 4.20 from http://nmap.org/dist-old/nmap-4.20-setup.exe.
>
> Another thing, which you shouldn't bother doing unless you have a live CD handy, is to boot the XP machine with a GNU/Linux live CD and try running Nmap under that. If it doesn't give the strange behavior then it points to a problem with the XP setup.
>
> David Fifield

--
Religion, or the duty which we owe our Creator, and the manner of discharging it, can be directed only by reason and conviction, not by force and violence; and therefore all men are equally entitled to the free exercise of religion, according to the dictates of conscience.
-- James Madison