Nmap Development mailing list archives

Re: -NP ignored when running as root

From: David Fifield <david () bamsoftware com>
Date: Wed, 22 Jul 2009 09:30:00 -0600

On Thu, Jul 16, 2009 at 06:58:51PM -0400, Mike Calmus wrote:

I just downloaded and built nmap 5.0 on MacOSX 10.5.7. When I run a  
simple scan on a Windows 7 box it seems to ignore the -NP setting when I 
run as root. It works fine when I run as an unprivileged user:

bash-3.2$ sudo nmap -PN -A -v 192.168.1.190

Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-16 18:48 EDT
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 18:48
Scanning 192.168.1.190 [1 port]
Completed ARP Ping Scan at 18:48, 0.22s elapsed (1 total hosts)
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (0 hosts up) scanned in 0.54 seconds
           Raw packets sent: 2 (84B) | Rcvd: 0 (0B)


bash-3.2$ nmap -PN -A 192.168.1.190

Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-16 18:50 EDT
Stats: 0:01:44 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Interesting ports on 192.168.1.190:
Not shown: 993 filtered ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
554/tcp   open  rtsp?
2869/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5357/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ html-title: Service Unavailable
10243/tcp open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ html-title: Not Found
Service Info: OS: Windows


I sent Mike a patch based on the problem report by Marcus Haebler here:

http://seclists.org/nmap-dev/2009/q1/0176.html

The problem is that some operating systems send their ARP replies to the
broadcast address. Nmap didn't receive them with its BPF filter of
        arp and ether dst host 0xAABBCCDDEEFF
Marcus's suggestion was to look inside the ARP packet, at the target
address field, with a filter like
        arp and arp[18:4] = 0xAABBCCDD and arp[22:2] = 0xEEFF

The patch worked for Mike and worked in my own testing against unicast
ARP replies, so I applied it in r14498.

I haven't been able to find much on the web about this phenomenon,
except for this mailing list post which Marcus also noted:

http://unix.derkeiler.com/Mailing-Lists/SunManagers/2009-01/msg00009.html

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Nmap 5.00 Fyodor (Jul 16)
- -NP ignored when running as root Mike Calmus (Jul 16)
  - Re: -NP ignored when running as root David Fifield (Jul 16)
    - Re: -NP ignored when running as root Mike Calmus (Jul 16)
    - Re: -NP ignored when running as root Brandon Enright (Jul 16)
    - Re: -NP ignored when running as root Mike Calmus (Jul 18)
    - Re: -NP ignored when running as root David Fifield (Jul 18)
    - Message not available
    - Re: -NP ignored when running as root Michael Pattrick (Jul 18)
    - Re: -NP ignored when running as root Mike Calmus (Jul 18)
  - Re: -NP ignored when running as root David Fifield (Jul 22)