Nmap Development mailing list archives
Re: Host Discovery and RST Packets
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 4 Dec 2015 16:01:30 -0600
Joe,

Nmap has lots of options for doing host discovery. With a little experimentation, you can probably find some probe that avoids being intercepted. Likely options are -PA (unsolicited ACK) and -PU (UDP), especially in combination with -PE (ICMP Echo request) and -PP (ICMP Timestamp request). Try each alone to a known-bad address and use all the ones that do not list that address as "up".

Alternatively, you could do a manual filtering step between host discovery and port scan phases. Use the -sn option to turn off port scanning (and leave off -A, -O, --script, and other -s* options) and save XML output with -oX or -oA. Then use an XML parser to extract the //host/status/@reason_ttl attribute for each host (you could probably also collect any @reason != "syn-ack"). More than likely, the firewall sending spoofed replies will be distinguishable from the real replies because the packets originated closer to you, so they will arrive with a higher TTL. So if you have a ton with @reason_ttl == "53" and a few with 52 or lower, then extract the addresses of the ones with a lower TTL. These are your real targets. Then use the -iL option to input the target list from a file when you do your port scan phase. Don't forget to add -Pn to skip the already-accomplished host discovery.

Dan

On Fri, Dec 4, 2015 at 12:56 PM, jmk <jmk () foofus net> wrote:
Hi,

I’m using Nexpose to scan a highly segmented internal network. Nexpose calls Nmap to handle host discovery and is finding thousands of assets that don’t really exist. It looks like there is an intermediate device between the target subnets and my scanner that is sending a RST,ACK for every SYN to a non-existent host. Unfortunately, Nmap flags this as the target host being up. Is there a way with Nmap to force it to only report a host being up if it either receives a SYN,ACK and/or ICMP reply? I should note that some network segments block ICMP, so I can’t rely on that alone for asset discovery.

Thanks,
Joe

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
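The XML filtering step Dan outlines above, written out as an added example (my code, not Dan's and not part of Nmap). It reads the -oX output of a host-discovery-only run (nmap -sn -oX hosts.xml ...), takes the reason_ttl value shared by the largest group of "up" hosts as the signature of the device that answers every SYN with a RST, and keeps only the hosts whose replies arrived with a lower TTL, i.e. from further away. The embedded SAMPLE_XML is a constructed, trimmed stand-in for a real report; the addresses, TTLs and reasons in it are made up. The function names are mine.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of what "nmap -sn -oX hosts.xml <targets>" produces,
# trimmed to the elements this script needs. Not real scan data: a crowd of
# RST-based "up" results at one TTL (the intercepting device) and a few
# genuine replies that travelled further and so arrived with lower TTLs.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX hosts.xml 10.0.0.0/24">
  <host><status state="up" reason="reset" reason_ttl="53"/><address addr="10.0.0.1" addrtype="ipv4"/></host>
  <host><status state="up" reason="reset" reason_ttl="53"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
  <host><status state="up" reason="reset" reason_ttl="53"/><address addr="10.0.0.3" addrtype="ipv4"/></host>
  <host><status state="up" reason="syn-ack" reason_ttl="52"/><address addr="10.0.0.10" addrtype="ipv4"/></host>
  <host><status state="up" reason="echo-reply" reason_ttl="49"/><address addr="10.0.0.20" addrtype="ipv4"/></host>
  <host><status state="up" reason="reset" reason_ttl="53"/><address addr="10.0.0.4" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response" reason_ttl="0"/><address addr="10.0.0.99" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per <host>: IPv4 address plus the //host/status attributes."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        # Local-segment scans also carry <address addrtype="mac">; take the IPv4 one.
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or addr_el is None:
            continue
        hosts.append({
            "addr": addr_el.get("addr"),
            "state": status.get("state"),
            "reason": status.get("reason"),
            "ttl": int(status.get("reason_ttl", "0")),
        })
    return hosts


def dominant_ttl(hosts):
    """The reason_ttl shared by the most 'up' hosts, or None if nothing is up.

    When one middlebox answers for thousands of empty addresses, its replies
    all share a TTL and swamp every other value.
    """
    counts = Counter(h["ttl"] for h in hosts if h["state"] == "up")
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def real_targets(hosts):
    """Addresses of 'up' hosts whose reply has a lower TTL than the dominant group,
    i.e. came from further away than the device spoofing RSTs."""
    mode = dominant_ttl(hosts)
    if mode is None:
        return []
    return [h["addr"] for h in hosts if h["state"] == "up" and h["ttl"] < mode]


def suspect_hosts(hosts):
    """'up' hosts at the dominant TTL that were only ever seen via a RST:
    the ones most likely to be the firewall's invention."""
    mode = dominant_ttl(hosts)
    if mode is None:
        return []
    return [h["addr"] for h in hosts
            if h["state"] == "up" and h["ttl"] == mode and h["reason"] == "reset"]


def main(argv):
    # Usage: python3 ttl_filter.py hosts.xml > targets.txt
    # With no file argument the constructed sample above is used.
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_XML
    hosts = parse_hosts(xml_text)
    print("# dominant reason_ttl: %s, suspect hosts dropped: %d"
          % (dominant_ttl(hosts), len(suspect_hosts(hosts))), file=sys.stderr)
    for addr in real_targets(hosts):
        print(addr)


if __name__ == "__main__":
    main(sys.argv)
```

Redirect the output to a file and feed it back with nmap -Pn -iL targets.txt for the port scan phase, as Dan suggests. The heuristic assumes the intercepting device sits closer to the scanner than every real host; a real host the same number of hops away as that device would share its TTL and be dropped, so check the suspect list against a few known-good addresses before trusting the cut.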
Current thread:
- Host Discovery and RST Packets jmk (Dec 04)
- Re: Host Discovery and RST Packets Daniel Miller (Dec 04)
- RE: Host Discovery and RST Packets jmk (Dec 07)
- Re: Host Discovery and RST Packets Daniel Miller (Dec 04)