Nmap Development mailing list archives

Nmap port scanning problem


From: Алексей Буденчук <buav () altx-soft ru>
Date: Tue, 24 Dec 2013 12:59:23 +0400 (MSK)

Good afternoon!

I found a strange bug while scanning machines in my company's local network. I ran Nmap (latest version, 6.40) on 
Windows 8.1, trying to find open ports on 8 other machines in my network (which run CentOS, Red Hat, Debian and 
Ubuntu). All of the scanned machines were guaranteed to have port 22 (ssh) open. The command sent to Nmap is:
nmap -T4 -A -v -oX - 10.0.0.210 10.0.0.211 10.0.0.212 10.0.0.213 10.0.0.214 10.0.0.215 10.0.0.216 10.0.0.217

As a result, Nmap found open ports only on the first 2 machines (10.0.0.210 and 10.0.0.211) and detected all the others as 
being in state="down" (the full Nmap response is attached to the letter). At the same time, when I tried to scan any of these 
machines separately, Nmap found open port 22 (ssh) on each of them. This behavior is quite confusing for me and I 
can't find any apparent reason for it.

Analyzing the Nmap response, I found out that the hosts were marked as down during the "ARP Ping Scan". Searching for a 
solution on the Internet, I found information about a special parameter: -disable-arp-scan. This parameter isn't 
mentioned in the official Nmap documentation on nmap.org, but when I included it in the command string, the scanning 
started immediately from "SYN Stealth Scan", skipping the "ARP Ping Scan" step, and open port 22 was found on all 
machines (10.0.0.210-217)!

The described bug reproduces ONLY under two conditions:
1. Nmap runs on Windows 8.1
2. The number of machines scanned at once is more than 5 (I currently tested on 8)

So, I have two questions:
1. Can the described behavior be considered an Nmap bug, or maybe I'm doing something wrong?
2. Why isn't the parameter -disable-arp-scan described on nmap.org, while it exists and, what's more, resolves my 
problem? Can I rely on it?

Thanks in advance,
Alex Budenchuk.

Attachment: nmap response.txt
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
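
Added example, not part of the original message and not Nmap project code: a way to confirm the symptom reported above by comparing the XML report (-oX) of the batch scan with the reports of per-host scans and listing hosts that are "down" only in the batch run. The function names and the sample XML are constructed for illustration; the code assumes the state and reason attributes of the status element in Nmap's XML output.

```python
import xml.etree.ElementTree as ET

def host_states(xml_text):
    """Map each IPv4 address in an Nmap -oX report to (state, reason)."""
    states = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or addr is None:
            continue  # skip incomplete host records
        states[addr.get("addr")] = (status.get("state"), status.get("reason"))
    return states

def discovery_mismatches(batch_xml, single_xmls):
    """Return (ip, batch_reason, single_reason) for hosts that the batch
    scan reported down but a separate scan reported up."""
    batch = host_states(batch_xml)
    found = []
    for xml_text in single_xmls:
        for ip, (state, reason) in host_states(xml_text).items():
            seen = batch.get(ip)
            if state == "up" and seen is not None and seen[0] == "down":
                found.append((ip, seen[1], reason))
    return sorted(found)

def _host(ip, state, reason):
    # Constructed sample record, reduced to the elements the parser reads.
    return (f'<host><status state="{state}" reason="{reason}"/>'
            f'<address addr="{ip}" addrtype="ipv4"/></host>')

# Constructed sample reports (not the attachment from the message).
BATCH = ("<nmaprun>" + _host("10.0.0.210", "up", "arp-response")
         + _host("10.0.0.212", "down", "no-response")
         + _host("10.0.0.213", "down", "no-response") + "</nmaprun>")
SINGLES = ["<nmaprun>" + _host(ip, "up", "arp-response") + "</nmaprun>"
           for ip in ("10.0.0.212", "10.0.0.213")]

if __name__ == "__main__":
    for ip, batch_reason, single_reason in discovery_mismatches(BATCH, SINGLES):
        print(f"{ip}: batch scan down ({batch_reason}), "
              f"single scan up ({single_reason})")
```

For real report files, read each file's text and pass it in place of the constructed strings.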
