Nmap Development mailing list archives
Re: Nmap does not perform reliable scans on Solaris 11
From: Giovanni Schmid <giovanni.schmid () na icar cnr it>
Date: Tue, 31 May 2011 09:44:22 +0200
On 21/05/11 20:57, David Fifield wrote:
>>> On Sat, May 21, 2011 at 08:33:57PM +0200, Giovanni Schmid wrote:
>>>>> On Mon, May 16, 2011 at 08:46:06PM +0200, Giovanni Schmid wrote:
>>>>>> Hi, I tested Nmap 5.21 on Oracle Solaris 11 and found that it only apparently works. Actually, many different scan sessions (with different options and targets) got wrong results. For ex., the following scan is related to a host with 22/tcp (SSH) and 111/tcp (rpcbind) open; however the two services are not detected. Moreover, turning off the -PN option results in a host apparently blocking up ping probes. This is not the case, instead.
>>>>>>
>>>>>> # nmap -A 172.16.3.42
>>>>>> Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:13 CEST
>>>>>> Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
>>>>>> Nmap done: 1 IP address (0 hosts up) scanned in 3.60 seconds
>>>>>>
>>>>>> # nmap -PN -A 172.16.3.42
>>>>>> Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:14 CEST
>>>>>> Nmap scan report for 172.16.3.42
>>>>>> Host is up.
>>>>>> All 1000 scanned ports on 172.16.3.42 are filtered
>>>>>> Too many fingerprints match this host to give specific OS details
>>>>>>
>>>>>> TRACEROUTE (using proto 1/icmp)
>>>>>> HOP RTT ADDRESS
>>>>>> 1 ... 30
>>>>>>
>>>>>> # nmap -PN -sS 172.16.3.42
>>>>>> Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:34 CEST
>>>>>> Nmap scan report for 172.16.3.42
>>>>>> Host is up.
>>>>>> All 1000 scanned ports on 172.16.3.42 are filtered
>>>>>> Nmap done: 1 IP address (1 host up) scanned in 201.16 seconds
>>>>>
>>>>> Thank you for reporting this. We need some more information from you. Do the wrong results happen every time, or only sometimes? Is it only this IP address that has the problem, or other LAN addresses, or all addresses?
>>>>
>>>> Hi David. The wrong results happen every time, and for different hosts in the same LAN. There were no firewalls among the targets and the scanning host. Moreover, I compared the results for the above targets against another scanning host running Nmap 4.x on Linux in the same LAN, and in this case the results were correct.
>>>
>>> It looks like you are getting no responses at all from the target. Is there a firewall or something similar in the way? What output do you see when you run the command
>>>
>>> ssh -v 172.16.3.42
>>
>> At this moment I cannot run the above command, since I am at home and 172.16.3.42 is not reachable through the Internet. However 172.16.3.42 is a Solaris 11 box too, and its sshd should be Sun_SSH_1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090801f or above.
>
> I didn't mean to ask for the SSH version number; it's just that I would be surprised if ssh works at all if Nmap can get no responses. Can you try the scan again, this time with --unprivileged?
>
> David Fifield
Hi David,

sorry for my delay in performing the test .... time is miser for me these days :-(

Well, using the option --unprivileged things simply work:

solaris# nmap --unprivileged 172.16.3.42
Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-31 09:09 CEST
Nmap scan report for 172.16.3.42
Host is up (0.00044s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
111/tcp  open     rpcbind
1720/tcp filtered H.323/Q.931
2000/tcp filtered cisco-sccp
5060/tcp filtered sip
Nmap done: 1 IP address (1 host up) scanned in 35.68 seconds

Something wrong with Solaris privileges?

I have to say that the target and the nmap hosts are on different private networks managed through a Cisco ASA security appliance. The nmap hosts (a Solaris and a Linux box) are on a network with a higher security label than the target's network, so connections from the nmap hosts to the target are allowed by default. However, ICMP is disabled on the target's network, so pinging the target results in no answer.

Without the --unprivileged flag the Solaris box behaves as follows:

solaris# nmap -sS 172.16.3.42
Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-31 09:01 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.11 seconds

solaris# nmap -sS -PN 172.16.3.42
Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-31 09:02 CEST
Nmap scan report for 172.16.3.42
Host is up.
All 1000 scanned ports on 172.16.3.42 are filtered
Nmap done: 1 IP address (1 host up) scanned in 201.16 seconds

Conversely, the Linux box performs a correct scan with flag -sS (I suppose differences for 2000/tcp are due to different nmap versions):

solaris# nmap -sS 172.16.3.42
Starting Nmap 4.76 ( http://nmap.org/ ) at 2011-05-31 08:54 CEST
Interesting ports on 172.16.3.42:
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
111/tcp  open     rpcbind
1720/tcp filtered H.323/Q.931
2000/tcp filtered cisco-sccp
5060/tcp filtered sip
Nmap done: 1 IP address (1 host up) scanned in 28.61 seconds

I hope this can help

sincerely,
Giovanni Schmid

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
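As an added example (not code from the thread, from Nmap, or from either poster), the following Python script parses the two kinds of Nmap 5.21 reports quoted above, the privileged -sS run and the --unprivileged run of the same target, and flags the pattern David was probing for: the raw-socket scan gets no responses (host "down" or every port filtered) while the connect() scan finds open ports. The sample reports are constructed from the output quoted in this message.

```python
# Added example, not from the thread: compare a privileged raw-socket Nmap report
# with an --unprivileged one and flag the "raw scan sees nothing" symptom.
import re

PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+\S+", re.M)
ALL_FILTERED = re.compile(r"^All \d+ scanned ports on \S+ are filtered", re.M)

# Constructed samples, taken from the Nmap 5.21 output quoted on this page.
RAW_NO_PN = """Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.11 seconds
"""
RAW_PN = """Nmap scan report for 172.16.3.42
Host is up.
All 1000 scanned ports on 172.16.3.42 are filtered
Nmap done: 1 IP address (1 host up) scanned in 201.16 seconds
"""
UNPRIV = """Nmap scan report for 172.16.3.42
Host is up (0.00044s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
111/tcp  open     rpcbind
1720/tcp filtered H.323/Q.931
2000/tcp filtered cisco-sccp
5060/tcp filtered sip
Nmap done: 1 IP address (1 host up) scanned in 35.68 seconds
"""

def parse_report(text):
    """Return host_up flag, all-filtered flag and a {port: state} map."""
    return {"host_up": "Host seems down" not in text,
            "all_filtered": ALL_FILTERED.search(text) is not None,
            "ports": dict(PORT_LINE.findall(text))}

def diagnose(raw_text, unpriv_text):
    """Classify a raw-socket report against the --unprivileged report of the same target."""
    raw, unpriv = parse_report(raw_text), parse_report(unpriv_text)
    open_raw = {p for p, s in raw["ports"].items() if s == "open"}
    open_unpriv = {p for p, s in unpriv["ports"].items() if s == "open"}
    if open_unpriv and (not raw["host_up"] or raw["all_filtered"]):
        # connect() gets answers but raw sockets see none: suspect packet
        # capture or privileges on the scanning host, not the target
        return "no-responses-raw"
    if not raw["host_up"]:
        return "host-discovery-failed"  # ping probes blocked: retry with -PN
    return "consistent" if open_raw == open_unpriv else "differs"
```

Running diagnose(RAW_PN, UNPRIV) or diagnose(RAW_NO_PN, UNPRIV) returns "no-responses-raw", the same conclusion the thread reaches by comparing the two scans.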