Nmap Development mailing list archives
Re: Windows 7
From: Christian Savalas <csavalas () gmail com>
Date: Fri, 4 Feb 2011 12:59:03 -0800
Hi again, It's really ironic that after a year of tooling with this I would discover new information a few minutes after finally sendig you guys a message! After I hit send, I realized I hadn't tried it on a wired ethernet connection for two revisions. Lo and Behold, it works... Cool! And on the wireless side, I discovered that the addition of the -sT switch with -Pn does indeed produce the expected results, but I may as well use Superscanner for that ;) I should have mentioned in my first message that all other Windows net tools like ping, tracert work just fine on any address, using the wireless interface. And I have indeed visited scanme.nmap.org with a browser. What's odd is that nmap works fully with ethernet, only partially (tcpip.sys style -sT) with wireless. Does this point to the winpcap library? I would think so, but then again, Wireshark appears to capture packets. I got excited about your suggestion to specify the interface explicitly, but then I remembered what I discovered about the scan working with the -sT switch, with no explicit selection of interface. Needless to say, I did try it, with no different results. The command: "nmap -d -Pn -e eth16 scanme.nmap.org" yields the resulting output: --------------------------------- --------------------------------- Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008) Starting Nmap 5.50 ( http://nmap.org ) at 2011-02-04 11:50 Pacific Standard Time PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0) --------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 1000, min 100, max 10000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 0 max-retries: 10, host-timeout: 0 min-rate: 0, max-rate: 0 --------------------------------------------- mass_rdns: Using DNS server 192.168.1.1 mass_rdns: Using DNS server 192.168.1.1 mass_rdns: Using DNS server 192.168.1.1 Initiating Parallel DNS resolution of 1 host. at 11:50 mass_rdns: 0.02s 0/1 [#: 3, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1] Completed Parallel DNS resolution of 1 host. at 11:50, 0.01s elapsed DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 3, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0] Initiating SYN Stealth Scan at 11:50 Scanning scanme.nmap.org (64.13.134.52) [1000 ports] Packet capture filter (device eth16): dst host 192.168.1.133 and (icmp or ((tcp or udp or sctp) and (src host 64.13.134.52))) SYN Stealth Scan Timing: About 14.50% done; ETC: 11:53 (0:03:03 remaining) SYN Stealth Scan Timing: About 29.50% done; ETC: 11:53 (0:02:26 remaining) " " Completed SYN Stealth Scan at 11:53, 203.00s elapsed (1000 total ports) Overall sending rates: 9.85 packets / s, 433.50 bytes / s. Nmap scan report for scanme.nmap.org (64.13.134.52) Host is up, received user-set. All 1000 scanned ports on scanme.nmap.org (64.13.134.52) are filtered because of 1000 no-responses Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services. Nmap done: 1 IP address (1 host up) scanned in 203.38 seconds Raw packets sent: 2000 (88.000KB) | Rcvd: 0 (0B) --------------------------------- --------------------------------- As you can see, the host is declared up, with no open ports. And now with -Pn removed from the command (nmap -d -e eth16 scanme.nmap.org), I am left with this: --------------------------------- --------------------------------- Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008) Starting Nmap 5.50 ( http://nmap.org ) at 2011-02-04 11:56 Pacific Standard Time PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0) --------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 1000, min 100, max 10000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 0 max-retries: 10, host-timeout: 0 min-rate: 0, max-rate: 0 --------------------------------------------- Initiating Ping Scan at 11:56 Scanning scanme.nmap.org (64.13.134.52) [4 ports] Packet capture filter (device eth16): dst host 192.168.1.133 and (icmp or ((tcp or udp or sctp) and (src host 64.13.134.52))) Completed Ping Scan at 11:56, 4.39s elapsed (1 total hosts) Overall sending rates: 1.82 packets / s, 69.28 bytes / s. mass_rdns: Using DNS server 192.168.1.1 mass_rdns: Using DNS server 192.168.1.1 mass_rdns: Using DNS server 192.168.1.1 Nmap scan report for scanme.nmap.org (64.13.134.52) [host down, received no-response] Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services. Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 4.75 seconds Raw packets sent: 8 (304B) | Rcvd: 0 (0B) --------------------------------- --------------------------------- So strange, because the output seems to have resolved the domain to the ip 64.13.134.52, and, beyond that, "ping" works from the command prompt. Lastly, I have tried capturing packets with Wireshark while running the scan with AND without -Pn, but I am by no means an expert on packet analysing. I attached the two logs for you, just in case it would help. From my untrained eye, I honestly don't see any NMap traffic. I sincerely appreciate you getting back to me so soon, and I hope to hear from you with good news! All the best, Christo On Fri, Feb 4, 2011 at 1:58 AM, Rob Nicholls <robert () robnicholls co uk> wrote:
Hi Christo On Fri, 4 Feb 2011 01:01:18 -0800, Christian Savalas wrote:Despite this, regardless of which address I scan, (even scanme.nmap.org) I am told that 0 hosts are up.If you add -Pn to the Nmap commands you're running, Nmap will assume the host is up and should attempt to scan the host. Are you able to use Windows' built in "ping" utility to ping a remote host over the internet? e.g.ping scanme.nmap.orgPinging scanme.nmap.org [64.13.134.52] with 32 bytes of data: Reply from 64.13.134.52: bytes=32 time=145ms TTL=50 Reply from 64.13.134.52: bytes=32 time=145ms TTL=50 Reply from 64.13.134.52: bytes=32 time=145ms TTL=50 Reply from 64.13.134.52: bytes=32 time=145ms TTL=50 This is one of the checks that Nmap tries to determine if a host is up. If you don't get a response then it's possible that your ISP is filtering ICMP traffic. Are you able to view http://scanme.nmap.org using your browser? You should get a white page with a message from Fyodor in black text. If you can see this, then you can access port 80/TCP. This is another port that Nmap will try in order to determine whether a host is up. If you can't see the web page then something bad is happening. Have you tried running Wireshark at the same time as an Nmap scan? This would let you see if packets are sent from or returned to your host. I'd be surprised if Nmap is failing to identify the returned packets, but this might happen if you have teamed NICs, for example. If you add -d to the Nmap command you'll see some debug information, including a line like: Packet capture filter (device eth7): dst host xx.xx.xx.xx and (icmp or ((tcp or udp or sctp) and (src host xx.xx.xx.xx))) If you run "nmap --iflist" you should see a list of interfaces (and routes). It's possible that the correct NIC isn't picked up by Nmap and it's trying to send packets over the wrong interface (and getting nothing back). You can use -e to state the correct interface to use, e.g.nmap scanme.nmap.org -e eth7Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-02-04 09:57 GMT Standard Time Nmap scan report for scanme.nmap.org (64.13.134.52) Host is up (0.15s latency). Not shown: 993 filtered ports PORT STATE SERVICE 22/tcp open ssh 25/tcp closed smtp 53/tcp open domain 70/tcp closed gopher 80/tcp open http 113/tcp closed auth 31337/tcp closed Elite Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds Rob
-- Christian Savalas Marina Pointe Tech Support 13600 Marina Pointe Drive Marina Del Rey, CA 90292 +1 (310) 343-2000 (cell) -- Christian Savalas Marina Pointe Tech Support 13600 Marina Pointe Drive Marina Del Rey, CA 90292 +1 (310) 343-2000 (cell)
Attachment:
WithPn.pcap
Description:
Attachment:
WithoutPn.pcap
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Windows 7 Christian Savalas (Feb 04)
- Re: Windows 7 Rob Nicholls (Feb 04)
- Message not available
- Re: Windows 7 Christian Savalas (Feb 04)
- Message not available
- Message not available
- Message not available
- Re: Windows 7 Christian Savalas (Feb 04)
- RE: Windows 7 Rob Nicholls (Feb 04)
- Re: Windows 7 Christian Savalas (Feb 04)
- RE: Windows 7 Rob Nicholls (Feb 04)
- Re: Windows 7 Christian Savalas (Feb 04)
- Re: Windows 7 Christian Savalas (Feb 04)
- RE: Windows 7 Rob Nicholls (Feb 04)
- Re: Windows 7 David Fifield (Feb 09)
- Re: Windows 7 Christian Savalas (Feb 10)
- Re: Windows 7 David Fifield (Feb 10)
- Re: Windows 7 Rob Nicholls (Feb 04)