Nmap Development mailing list archives
Re: bug or host evasive action?
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 19 Apr 2012 23:51:13 -0500
I'd be willing to bet that if you either ran Nmap as root or used a slower timing (e.g. -T2), you'd be able to detect it. As an embedded system, the router probably is running a single-threaded HTTP server, and when Nmap performs a connection on port 80 to do host detection (the default when running unprivileged), the server still considers that connection open for a while afterwards, and so ignores the second probe from the port scan phase. Scanning the whole network puts a small delay between the phases as Nmap finishes scanning the rest of the network, so the server has a chance to "reset" the socket.

Dan

On Thu, Apr 19, 2012 at 11:22 PM, Britton Kerin <britton.kerin () gmail com> wrote:
> Hi guys,
>
> I guess any weirdness you see as a result of scans could be hosts taking evasive action or something, but this strikes me as weird. When I skip host detection, the http server on one of the Linksys wireless routers gets found, but not if I don't:
>
> $ nmap -Pn 192.168.1.1
> Starting Nmap 5.51 ( http://nmap.org ) at 2012-04-19 20:19 AKDT
> Nmap scan report for 192.168.1.1
> Host is up (0.0061s latency).
> Not shown: 999 closed ports
> PORT   STATE SERVICE
> 80/tcp open  http
>
> Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds
>
> $ nmap 192.168.1.1
> Starting Nmap 5.51 ( http://nmap.org ) at 2012-04-19 20:19 AKDT
> Nmap scan report for 192.168.1.1
> Host is up (0.012s latency).
> All 1000 scanned ports on 192.168.1.1 are closed
>
> Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
>
> Scanning the entire network also finds the http port:
>
> $ nmap 192.168.1.0/24
> Starting Nmap 5.51 ( http://nmap.org ) at 2012-04-19 20:02 AKDT
> Nmap scan report for 192.168.1.1
> Host is up (0.0044s latency).
> Not shown: 999 closed ports
> PORT   STATE SERVICE
> 80/tcp open  http
>
> Nmap scan report for 192.168.1.25
> Host is up (0.029s latency).
> Not shown: 995 closed ports
> [snip other hosts]
>
> Is the router maybe hiding because it just got discovered or something, or could this be some sort of nmap bug?
>
> Thanks,
> Britton Kerin
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
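Added example, not part of the original thread: a loopback model of the behaviour Dan describes, showing why a port probe sent right after a discovery connect can report a false "closed". The HOLD window, the function names, and the choice to refuse connections while the server is busy are assumptions standing in for the router's unknown firmware.

```python
import socket
import threading
import time

HOLD = 0.6  # assumed: seconds the server stays tied up after each connection


def busy_server(ports, ready):
    """Single-threaded server that stops listening for HOLD seconds after
    every connection it accepts (assumed model of the embedded HTTP server)."""
    port = 0  # 0 = let the OS pick a free port on the first bind
    while True:
        srv = socket.socket()
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        port = srv.getsockname()[1]
        ports.append(port)
        ready.set()
        conn, _ = srv.accept()
        srv.close()   # no listener now: new connects are refused (RST)
        conn.close()
        time.sleep(HOLD)


def probe(port):
    """One TCP connect probe, classified the way a connect scan would."""
    try:
        socket.create_connection(("127.0.0.1", port), timeout=1).close()
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"


def scan(port, discovery=True, gap=0.1):
    """Optional discovery connect, then the port-scan probe `gap` seconds later."""
    if discovery:
        probe(port)   # unprivileged host discovery: a TCP connect to the port
        time.sleep(gap)
    return probe(port)


def demo():
    ports, ready = [], threading.Event()
    threading.Thread(target=busy_server, args=(ports, ready), daemon=True).start()
    ready.wait(5)
    results = {"-Pn": scan(ports[0], discovery=False)}
    time.sleep(HOLD + 0.4)   # let the server recover between runs
    results["default"] = scan(ports[0])
    time.sleep(HOLD + 0.4)
    results["slow"] = scan(ports[0], gap=HOLD + 0.4)
    return results


if __name__ == "__main__":
    print(demo())
```

The "slow" case stands in for both a slower timing template and the /24 scan, where the gap between discovery and port scanning outlasts the busy window.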
Current thread:
- bug or host evasive action? Britton Kerin (Apr 19)
- Re: bug or host evasive action? Daniel Miller (Apr 19)