Nmap Development mailing list archives
Re: nmap -sP showing hosts is up while it is down
From: nmapuseraix <nmapuseraix () o2 pl>
Date: Thu, 25 Feb 2010 17:46:46 +0100
Hi,

Thanks for tips. The reference guide has more information than nmap docs; I should have RTM...

I have tried running nmap like that:
nmap -n -sP -PE <bigScope>
and it seems to be smarter and there are no false-positives.

When I added --reason:
Host 10.33.7.0 appears to be up, received reset.
Host 10.33.7.1 appears to be up, received reset.

With -PE it recognized that host is down (because it tries to connect to one port).

--
Rgds,
Bart

On 25 February 2010 17:03 Rob Nicholls <robert () robnicholls co uk> wrote:
On Thu, 25 Feb 2010 15:37:18 +0100, nmapuseraix <nmapuseraix () o2 pl> wrote:

When I ping (using "ping") those hosts they do not respond to echo.

Nmap's -sP command sends more than an ICMP echo request:
http://nmap.org/book/man-host-discovery.html
"The -sP option sends an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default"

Running:
nmap -n -sP -T4 10.33.7.0/24
Results in:
Nmap done: 256 IP addresses (256 hosts up) scanned in 0.12 seconds

Timing doesn't seem correct as well, so why is nmap acting like that?
Bug?

Are you on the same subnet? From the same link as above: "When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified"

ARP responses are typically pretty quick. I must admit I'd expect it to take a few seconds to scan a class C, but that's if most hosts are down. Something appears to be responding to ARP requests for every IP address, which might explain why it was so quick. This is sometimes down to poor/lazy network configuration. You can add "--reason" to your command to see if they're marked as up because you're getting an arp-response back.

If you're not on the same subnet, perhaps you're hitting a firewall that returns TCP resets for hosts that don't exist (some firewalls do this to avoid long connection timeouts for users)? Again, "--reason" will help you work out why Nmap thinks the host at that IP address is up. This might explain why you're seeing every host in other class C ranges coming back as up. Either that or all of them have TCP ports 80 and/or 443 open!

Rob
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
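
The --reason check suggested in this thread, applied across a whole scan, as an added example that is not part of the original messages: it parses lines in the format quoted above and flags networks whose "up" results look like an intermediate device answering. The function name, the two heuristics and the last two sample lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Line format as quoted in the thread (nmap -sP --reason output of that era).
LINE = re.compile(r"Host (\d+\.\d+\.\d+\.\d+) appears to be up, received ([\w-]+)\.")

def summarize(output, prefix=24, threshold=0.9):
    """Group 'up' hosts by enclosing network and flag implausible results.

    A network is flagged when its network or broadcast address is 'up', or
    when at least `threshold` of its addresses are up for one identical
    reason. Both are heuristics chosen for this example, not Nmap behaviour.
    """
    nets = defaultdict(dict)
    for ip, reason in LINE.findall(output):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[net][ipaddress.ip_address(ip)] = reason
    report = {}
    for net, hosts in nets.items():
        reason, count = Counter(hosts.values()).most_common(1)[0]
        # /31 and /32 have no reserved network/broadcast address.
        edge = net.prefixlen < 31 and (
            net.network_address in hosts or net.broadcast_address in hosts
        )
        uniform = count / net.num_addresses >= threshold
        report[str(net)] = {
            "up": len(hosts),
            "top_reason": reason,
            "suspect": edge or uniform,
        }
    return report

# Constructed sample: the first two lines are the ones quoted in the thread,
# the last two are made up for this example.
SAMPLE = """\
Host 10.33.7.0 appears to be up, received reset.
Host 10.33.7.1 appears to be up, received reset.
Host 192.168.5.10 appears to be up, received echo-reply.
Host 192.168.5.20 appears to be up, received arp-response.
"""

if __name__ == "__main__":
    for net, info in summarize(SAMPLE).items():
        print(net, info)
```

A flagged network is a cue to rescan it with a narrower probe set and compare the results, as was done with -PE in the message above.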