Nmap Development mailing list archives

Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed

From: Walt Scrivens <walts () gate net>
Date: Mon, 21 Sep 2009 07:28:50 -0400

Here's some more info - this time with 5.00. I did the same scanthrough Zenmap, running natively under Snow Leopard, and running as aWindows 7 VM under VMWare Fusion under Snow Leopard. Same computer,same network.I used the "canned" Intense Scan profile in Zenmap from the Windowsvm, and copy/pasted it into the Mac Zenmap since its version ofIntense Scan did not include the -PE -PS22,25,80 -PA21,23,80,3389

It looks to me as if the Mac user scan worked correctly, being thesame as the Windows scan less that which requires root to run. TheMac root scan fails miserably.

I'm happy to help in any way I can with diagnosing this, but I'mnowhere near as clever as most of you when it comes to digging intothe nmap code or the OS. I'm happy to run lots of scans and toprovide capture files from Wireshark if they will help. I don't havethe beta installed on the Windows 7 VM since I don't have thedevelopment environment installed there, but maybe later today I cando that.


Walt

Here's the command line that was used for both scans followed by theoutput:


First the Windows 7 scan:
=====================================
nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.1.1

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-21 07:06 EasternDaylight Time

NSE: Loaded 30 scripts for scanning.
Initiating Ping Scan at 07:07
Scanning 192.168.1.1 [8 ports]
Completed Ping Scan at 07:07, 1.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:07
Completed Parallel DNS resolution of 1 host. at 07:07, 0.01s elapsed
Initiating SYN Stealth Scan at 07:07
Scanning 0ur1an (192.168.1.1) [1000 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 23/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 07:07, 2.34s elapsed (1000 total ports)
Initiating Service scan at 07:07
Scanning 3 services on 0ur1an (192.168.1.1)
Completed Service scan at 07:08, 74.48s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 0ur1an (192.168.1.1)
Initiating Traceroute at 07:08
192.168.1.1: guessing hop distance at 1
Completed Traceroute at 07:08, 0.03s elapsed
Initiating Parallel DNS resolution of 3 hosts. at 07:08
Completed Parallel DNS resolution of 3 hosts. at 07:08, 0.14s elapsed
NSE: Script scanning 192.168.1.1.
NSE: Starting runlevel 1 scan
Initiating NSE at 07:08
Completed NSE at 07:08, 4.34s elapsed
NSE: Script Scanning completed.
Host 0ur1an (192.168.1.1) is up (0.026s latency).
Interesting ports on 0ur1an (192.168.1.1):
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION

53/tcp open  domain  dnsmasq 2.33
80/tcp open  http?
|_ html-title: 0ur1an - Info
Device type: general purpose
Running: Apple Mac OS X 10.5.X
OS details: Apple Mac OS X 10.5.5 (Leopard)
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Linux; Device: WAP

TRACEROUTE (using port 22/tcp)
HOP RTT   ADDRESS
1   16.00 192.168.246.2
2   0.00  0ur1an (192.168.1.1)

Read data files from: C:\Program Files\Nmap

OS and Service detection performed. Please report any incorrectresults at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 104.19 seconds
           Raw packets sent: 1034 (47.206KB) | Rcvd: 1175 (51.683KB)
======================================

Now the Mac version:
======================================
nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.1.1

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-21 07:10 EDT
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 07:10
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 07:10, 0.21s elapsed (1 total hosts)
Read data files from: /usr/local/share/nmap

Note: Host seems down. If it is really up, but blocking our pingprobes, try -PN

Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds
           Raw packets sent: 2 (84B) | Rcvd: 0 (0B)

=======================================

Then, just for grins, I tried the same scan from a command line as anordinary user


=======================================

testcomputer:~ walts$ nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389192.168.1.1

Warning:  You are not root -- using TCP pingscan rather than ICMP

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-21 07:18 EDT
NSE: Loaded 30 scripts for scanning.
Initiating Ping Scan at 07:18
Scanning 192.168.1.1 [6 ports]
Completed Ping Scan at 07:18, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:18
Completed Parallel DNS resolution of 1 host. at 07:18, 0.01s elapsed
Initiating Connect Scan at 07:18
Scanning 0ur1an (192.168.1.1) [1000 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 23/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Completed Connect Scan at 07:18, 2.14s elapsed (1000 total ports)
Initiating Service scan at 07:18
Scanning 3 services on 0ur1an (192.168.1.1)
Completed Service scan at 07:18, 6.02s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.1.1.
NSE: Starting runlevel 1 scan
Initiating NSE at 07:18
Completed NSE at 07:18, 4.26s elapsed
NSE: Script Scanning completed.
Host 0ur1an (192.168.1.1) is up (0.076s latency).
Interesting ports on 0ur1an (192.168.1.1):
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION

53/tcp open  domain  dnsmasq 2.33
80/tcp open  http    Linksys wrt54g DD-WRT firmware http config
|_ html-title: 0ur1an - Info
Service Info: OS: Linux; Device: WAP

Read data files from: /usr/local/share/nmap

Service detection performed. Please report any incorrect results at http://nmap.org/submit/.

Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds
testcomputer:~ walts$
=========================================

...and finally as root:

=========================================

testcomputer:~ walts$ sudo nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.1.1

Password:

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-21 07:20 EDT
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 07:20
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 07:20, 0.21s elapsed (1 total hosts)
Read data files from: /usr/local/share/nmap

Note: Host seems down. If it is really up, but blocking our pingprobes, try -PN

Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds
           Raw packets sent: 2 (84B) | Rcvd: 0 (0B)
testcomputer:~ walts$

==========================================

On Sep 21, 2009, at 5:03 AM, Norbert Szetei wrote:

Hello,
I reported also this problem a few days ago, on fresh show leopardinstallation (nmap 5.05BETA1) and without vmware.
s.

[SNIP]

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Follow up to NMAP on Snow Leopard with VMWARE Fusion installed James R. Marcus (Sep 18)
- Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed Walt Scrivens (Sep 18)
  - Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed James R. Marcus (Sep 18)
    - Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed Walt Scrivens (Sep 18)
    - Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed Norbert Szetei (Sep 21)
    - Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed Walt Scrivens (Sep 21)
    - Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed Jay Fink (Sep 21)
    - Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed David Fifield (Sep 22)
    - Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed Walt Scrivens (Sep 23)
    - Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed Jay Fink (Sep 23)
    - Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed Jay Fink (Sep 23)