Nmap Development mailing list archives

Re: -sP showing all hosts in request as up


From: David Fifield <david () bamsoftware com>
Date: Wed, 26 Aug 2009 10:35:19 -0600

On Wed, Aug 26, 2009 at 11:00:44AM -0500, Terry wrote:
> On Wed, Aug 26, 2009 at 10:53 AM, David Fifield <david () bamsoftware com> wrote:
> > Nmap has a lot of ways to find out if a host is up, and ICMP echo (ping)
> > is just one of them. It's possible that Nmap finds a host up when ping
> > finds it down. Those hosts above that say "echo-reply" got a ping reply.
> > The ones that say "reset" got a RST from Nmap's ACK to port 80 or SYN to
> > port 443.
> >
> > It is possible that there is a firewall or something spoofing the RST
> > replies. If you're sure those addresses are not really up you can try
> > looking for the device that's doing that.
>
> It's all internal and the firewall isn't logging anything special.  I
> am sure they are down.  I want the fastest way to determine if
> something is listening on an IP.  This is all internal so I will
> ensure that this scanning host has full access to everything it is
> scanning.

If something is spoofing RSTs then one thing you can do is avoid sending
probes that can get a RST. Nmap's default host discovery is
        -PE -PA80 -PS443 -PP
Try removing the -PA and -PS that can get a RST, and use the options
        -PE -PP
-PE on its own is the same as the ping program. Adding -PP (timestamp
request) may find slightly more hosts.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
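
An added example, not part of the original message or of Nmap itself: it groups the hosts a ping scan reports as up by the reason Nmap recorded, then builds the ICMP-only re-scan suggested above for hosts whose only evidence is a RST. It assumes Nmap XML output (-oX) whose status elements carry a reason attribute; the function names and sample addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like `nmap -sP -v -oX -` output; the addresses
# are documentation-range placeholders, not hosts from the thread.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.1" addrtype="ipv4"/></host>
  <host><status state="up" reason="reset"/>
    <address addr="192.0.2.2" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.3" addrtype="ipv4"/></host>
  <host><status state="up" reason="reset"/>
    <address addr="192.0.2.5" addrtype="ipv4"/></host>
</nmaprun>"""


def hosts_by_reason(xml_text):
    """Map each host-discovery reason to the addresses reported up for it."""
    groups = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # Skip the MAC entry Nmap adds for hosts on the local segment.
        ips = [a.get("addr") for a in host.findall("address")
               if a.get("addrtype") != "mac"]
        if ips:
            groups[status.get("reason", "unknown")].append(ips[0])
    return dict(groups)


def recheck_command(groups):
    """Build the ICMP-only re-scan from the message for RST-only hosts."""
    suspects = sorted(groups.get("reset", []))
    if not suspects:
        return []
    # -PE -PP send no TCP probes, so no RST, forged or real, can mark a host up.
    return ["nmap", "-sP", "-PE", "-PP", "--reason"] + suspects


if __name__ == "__main__":
    found = hosts_by_reason(SAMPLE_XML)
    for reason, addrs in sorted(found.items()):
        print(f"{reason:12} {' '.join(addrs)}")
    print(" ".join(recheck_command(found)))
```

Hosts that drop out of the re-scan were up only on the strength of a RST, which narrows the search for the device answering on their behalf.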

