Re: Windows 7

[Christian Savalas <csavalas () gmail com>]

Hi again,

It's really ironic that after a year of tooling with this I would
discover new information a few minutes after finally sendig you guys a
message! After I hit send, I realized I hadn't tried it on a wired
ethernet connection for two revisions. Lo and Behold, it works...
Cool! And on the wireless side, I discovered that the addition of the
-sT switch with -Pn does indeed produce the expected results, but I
may as well use Superscanner for that ;)

I should have mentioned in my first message that all other Windows net
tools like ping, tracert work just fine on any address, using the
wireless interface. And I have indeed visited scanme.nmap.org with a
browser.

What's odd is that nmap works fully with ethernet, only partially
(tcpip.sys style -sT) with wireless. Does this point to the winpcap
library? I would think so, but then again, Wireshark appears to
capture packets.

I got excited about your suggestion to specify the interface
explicitly, but then I remembered what I discovered about the scan
working with the -sT switch, with no explicit selection of interface.
Needless to say, I did try it, with no different results.

The command:

"nmap -d -Pn -e eth16 scanme.nmap.org"

yields the resulting output:

---------------------------------
---------------------------------

Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll
version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008)



Starting Nmap 5.50 ( http://nmap.org ) at 2011-02-04 11:50 Pacific Standard Time

PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)

--------------- Timing report ---------------

 hostgroups: min 1, max 100000

 rtt-timeouts: init 1000, min 100, max 10000

 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000

 parallelism: min 0, max 0

 max-retries: 10, host-timeout: 0

 min-rate: 0, max-rate: 0

---------------------------------------------

mass_rdns: Using DNS server 192.168.1.1

mass_rdns: Using DNS server 192.168.1.1

mass_rdns: Using DNS server 192.168.1.1

Initiating Parallel DNS resolution of 1 host. at 11:50

mass_rdns: 0.02s 0/1 [#: 3, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]

Completed Parallel DNS resolution of 1 host. at 11:50, 0.01s elapsed

DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 3, OK: 1, NX: 0,
DR: 0, SF: 0, TR: 1, CN: 0]

Initiating SYN Stealth Scan at 11:50

Scanning scanme.nmap.org (64.13.134.52) [1000 ports]

Packet capture filter (device eth16): dst host 192.168.1.133 and (icmp
or ((tcp or udp or sctp) and (src host 64.13.134.52)))

SYN Stealth Scan Timing: About 14.50% done; ETC: 11:53 (0:03:03 remaining)

SYN Stealth Scan Timing: About 29.50% done; ETC: 11:53 (0:02:26 remaining)


"
"


Completed SYN Stealth Scan at 11:53, 203.00s elapsed (1000 total ports)

Overall sending rates: 9.85 packets / s, 433.50 bytes / s.

Nmap scan report for scanme.nmap.org (64.13.134.52)

Host is up, received user-set.

All 1000 scanned ports on scanme.nmap.org (64.13.134.52) are filtered
because of 1000 no-responses



Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.

Nmap done: 1 IP address (1 host up) scanned in 203.38 seconds

          Raw packets sent: 2000 (88.000KB) | Rcvd: 0 (0B)

---------------------------------
---------------------------------




As you can see, the host is declared up, with no open ports. And now
with -Pn removed from the command (nmap -d -e eth16 scanme.nmap.org),
I am left with this:



---------------------------------
---------------------------------

Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll
version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008)



Starting Nmap 5.50 ( http://nmap.org ) at 2011-02-04 11:56 Pacific Standard Time

PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)

--------------- Timing report ---------------

 hostgroups: min 1, max 100000

 rtt-timeouts: init 1000, min 100, max 10000

 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000

 parallelism: min 0, max 0

 max-retries: 10, host-timeout: 0

 min-rate: 0, max-rate: 0

---------------------------------------------

Initiating Ping Scan at 11:56

Scanning scanme.nmap.org (64.13.134.52) [4 ports]

Packet capture filter (device eth16): dst host 192.168.1.133 and (icmp
or ((tcp or udp or sctp) and (src host 64.13.134.52)))

Completed Ping Scan at 11:56, 4.39s elapsed (1 total hosts)

Overall sending rates: 1.82 packets / s, 69.28 bytes / s.

mass_rdns: Using DNS server 192.168.1.1

mass_rdns: Using DNS server 192.168.1.1

mass_rdns: Using DNS server 192.168.1.1

Nmap scan report for scanme.nmap.org (64.13.134.52) [host down,
received no-response]

Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

Nmap done: 1 IP address (0 hosts up) scanned in 4.75 seconds

          Raw packets sent: 8 (304B) | Rcvd: 0 (0B)

---------------------------------
---------------------------------


So strange, because the output seems to have resolved the domain to
the ip 64.13.134.52, and, beyond that, "ping" works from the command
prompt.

Lastly, I have tried capturing packets with Wireshark while running
the scan with AND without -Pn, but I am by no means an expert on
packet analysing. I attached the two logs for you, just in case it
would help. From my untrained eye, I honestly don't see any NMap
traffic.

I sincerely appreciate you getting back to me so soon, and I hope to
hear from you with good news!

All the best,

Christo

On Fri, Feb 4, 2011 at 1:58 AM, Rob Nicholls <robert () robnicholls co uk> wrote:
> Hi Christo
>
> On Fri, 4 Feb 2011 01:01:18 -0800, Christian Savalas wrote:
> > Despite this, regardless of which address I scan, (even
> > scanme.nmap.org) I am told that 0  hosts are up.
>
> If you add -Pn to the Nmap commands you're running, Nmap will assume the
> host is up and should attempt to scan the host.
>
> Are you able to use Windows' built in "ping" utility to ping a remote host
> over the internet? e.g.
>
> > ping scanme.nmap.org
>
> Pinging scanme.nmap.org [64.13.134.52] with 32 bytes of data:
> Reply from 64.13.134.52: bytes=32 time=145ms TTL=50
> Reply from 64.13.134.52: bytes=32 time=145ms TTL=50
> Reply from 64.13.134.52: bytes=32 time=145ms TTL=50
> Reply from 64.13.134.52: bytes=32 time=145ms TTL=50
>
> This is one of the checks that Nmap tries to determine if a host is up. If
> you don't get a response then it's possible that your ISP is filtering ICMP
> traffic.
>
> Are you able to view http://scanme.nmap.org using your browser? You should
> get a white page with a message from Fyodor in black text. If you can see
> this, then you can access port 80/TCP. This is another port that Nmap will
> try in order to determine whether a host is up. If you can't see the web
> page then something bad is happening.
>
> Have you tried running Wireshark at the same time as an Nmap scan? This
> would let you see if packets are sent from or returned to your host. I'd be
> surprised if Nmap is failing to identify the returned packets, but this
> might happen if you have teamed NICs, for example.
>
> If you add -d to the Nmap command you'll see some debug information,
> including a line like:
>
> Packet capture filter (device eth7): dst host xx.xx.xx.xx and (icmp or ((tcp
> or udp or sctp) and (src host xx.xx.xx.xx)))
>
> If you run "nmap --iflist" you should see a list of interfaces (and routes).
> It's possible that the correct NIC isn't picked up by Nmap and it's trying
> to send packets over the wrong interface (and getting nothing back). You can
> use -e to state the correct interface to use, e.g.
>
> > nmap scanme.nmap.org -e eth7
>
> Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-02-04 09:57 GMT Standard
> Time
> Nmap scan report for scanme.nmap.org (64.13.134.52)
> Host is up (0.15s latency).
> Not shown: 993 filtered ports
> PORT      STATE  SERVICE
> 22/tcp    open   ssh
> 25/tcp    closed smtp
> 53/tcp    open   domain
> 70/tcp    closed gopher
> 80/tcp    open   http
> 113/tcp   closed auth
> 31337/tcp closed Elite
>
> Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds
>
>
> Rob



--
Christian Savalas
Marina Pointe Tech Support
13600 Marina Pointe Drive
Marina Del Rey, CA 90292
+1 (310) 343-2000 (cell)



-- 
Christian Savalas
Marina Pointe Tech Support
13600 Marina Pointe Drive
Marina Del Rey, CA 90292
+1 (310) 343-2000 (cell)

Attachment: WithPn.pcap
Description:

Attachment: WithoutPn.pcap
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/