Nmap Development mailing list archives

Re: Nmap does not perform reliable scans on Solaris 11

From: Giovanni Schmid <giovanni.schmid () na icar cnr it>
Date: Tue, 31 May 2011 09:44:22 +0200

 Il 21/05/11 20:57, David Fifield ha scritto:

On Sat, May 21, 2011 at 08:33:57PM +0200, Giovanni Schmid wrote:

On Mon, May 16, 2011 at 08:46:06PM +0200, Giovanni Schmid wrote:

  Hi,

I tested Nmap 5.21 on Oracle Solaris 11 and found that it only
apparently works. Actually, many different scan sessions (with
different options and  targets) got wrong results. For ex., the
following scan is related to a host with 22/tcp (SSH) and  111/tcp
(rpcbind) open; however the two services are not detected. Morever,
turning off the -PN  option results in an host apparently blocking up
ping probes. This is not the case, instead.

# nmap -A 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:13 CEST
Note: Host seems down. If it is really up, but blocking our ping probes,
try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.60 seconds

# nmap -PN -A 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:14 CEST
Nmap scan report for 172.16.3.42
Host is up.
All 1000 scanned ports on 172.16.3.42 are filtered
Too many fingerprints match this host to give specific OS details

TRACEROUTE (using proto 1/icmp)
HOP RTT    ADDRESS
1   ... 30

# nmap -PN -sS 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:34 CEST
Nmap scan report for 172.16.3.42
Host is up.
All 1000 scanned ports on 172.16.3.42 are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.16 seconds

Thank you for reporting this. We need some more information from you. Do
the wrong results happen every time, or only sometimes? Is it only this
IP address that has the problem, or other LAN addresses, or all
addresses?

Hi David.

The wrong results happen every time, and for different hosts in the same
LAN. There were no firewalls among the targets and the scanning host.
Moreover, I compared the results for the above targets against another
scanning host running Nmap 4.x on Linux in the same LAN, and in this
case the results were correct.

It looks like you are getting no reponses at all from the target. Is
there a firewall or something similar in the way? What output do you see
when you run the command
        ssh -v 172.16.3.42

At  this moment I cannot run the above command, since I am at home and
172.16.3.42 in not reachable through the Internet. However 172.16.3.42
is a Solaris 11 box too, and its sshd should be

Sun_SSH_1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090801f

or above.

I didn't mean to ask for the SSH version number; it's just that I would
be surprised if ssh works at all if Nmap can get no responses.

Can you try the scan again, this time with --unprivileged?

David Fifield

Hi David,

sorry for my delay in performing the test .... time is miser for methese days :-(


Well, using the option  --unprivileged things simply work:

solaris# nmap --unprivileged 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-31 09:09 CEST
Nmap scan report for 172.16.3.42
Host is up (0.00044s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
111/tcp  open     rpcbind
1720/tcp filtered H.323/Q.931
2000/tcp filtered cisco-sccp
5060/tcp filtered sip

Nmap done: 1 IP address (1 host up) scanned in 35.68 seconds

Something wrong with Solaris privileges ?

I have to say that the target  and the nmap hosts are on different private
networks managed through a Cisco ASA security appliance. The nmap hosts

(a Solaris and a Linux boxes) are on a network with an higher securitylabel thanthe target's network, so connections from the nmap hosts to the targetare allowedby default. However, ICMP is disabled on the target's network, sopinging the target

results in no answer.

Without the --unprivileged flag the Solaris box behaves as follows:

solaris# nmap -sS 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-31 09:01 CEST

Note: Host seems down. If it is really up, but blocking our ping probes,try -PN

Nmap done: 1 IP address (0 hosts up) scanned in 3.11 seconds

solaris# nmap -sS -PN 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-31 09:02 CEST
Nmap scan report for 172.16.3.42
Host is up.
All 1000 scanned ports on 172.16.3.42 are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.16 seconds

Conversely, the Linux box performs a correct scan with flag -sS
(I suppose differences for 2000/tcp are due to different nmap versions):

solaris# nmap -sS 172.16.3.42

Starting Nmap 4.76 ( http://nmap.org/ ) at 2011-05-31 08:54 CEST
Interesting ports on 172.16.3.42:
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
111/tcp  open     rpcbind
1720/tcp filtered H.323/Q.931
2000/tcp filtered cisco-sccp
5060/tcp filtered sip

Nmap done: 1 IP address (1 host up) scanned in 28.61 seconds


I hope this can help

sincerely,

Giovanni Schmid

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Nmap does not perform reliable scans on Solaris 11 Giovanni Schmid (May 16)
- Re: Nmap does not perform reliable scans on Solaris 11 David Fifield (May 21)
  - Message not available
    - Re: Nmap does not perform reliable scans on Solaris 11 David Fifield (May 21)
    - Re: Nmap does not perform reliable scans on Solaris 11 Giovanni Schmid (May 21)
    - Re: Nmap does not perform reliable scans on Solaris 11 Giovanni Schmid (May 31)
    - Re: Nmap does not perform reliable scans on Solaris 11 Darren Reed (May 31)