Penetration Testing mailing list archives
RE: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)"
From: Scott Stephenson <SStephenson () lrn com>
Date: Tue, 23 Nov 2004 11:02:37 -0800
The test for live hosts defaults to using ICMP with TCP. One of them is giving the false reading, and likely the ICMP. You can use -PT to only use TCP (if ICMP is the problem) or -PE (if TCP is the problem). -P0 should work, but will take a long time. Limiting to a particular port will help, but makes the effort much more manual to ensure everything gets discovered.

-----Original Message-----
From: Steve A [mailto:pen.test.mail () logicallysecure org]
Sent: Monday, November 22, 2004 2:33 PM
To: pen-test () securityfocus com
Subject: FW: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)"

I have seen many different switches and ports offering ghost ports and host IPs to the likes of NMAP before; 3COM and Linksys are very common. I think it has to do with the way they handle the request, and in an effort to keep the connection alive they reply on behalf of hosts before they contact the host in question. Thus you get an answer for a 'ghost' host.

Solution: Try scanning one of the addresses you know to be live and one you know to be dead. A comparison of the results usually reveals the likes of ports 21, 53, 80, 110 as being present on ghost hosts. Further examination will reveal that where these ports are open on real hosts the returned values and banners will be real and not those of the switch; thus you can also deduce which ports are really open on live hosts (as they will have both the ghost ports and their own reported by NMap).

The easiest way I have found to work out which ones are real and which are ghosts is to use NMap to sweep the subnet pinging a port your previous test told you the switch does not answer to. Thus, if the ghost hosts have ports 80 and 110 open, use something like (assuming you are inside the boundary and, in the example, looking at Windows):

    NMap -v -P0 -p137 x.y.z.1-255 > output_file.txt

You can select different ports to look for less and more secure hosts on differing OSs.

Steve Armstrong MSc MCSE MBCS CITP OPSA
Steve () logicallysecure org

This email and any associated attachments are intended for the above named person(s) and may be confidential. If you have received them in error you must not copy or disclose them to 3rd parties, nor should you take any action based on their contents; the only action you should take is to notify the email's originator of the error by replying to the sender. This email was scanned upon despatch by Norton AntiVirus.

-----Original Message-----
From: Erik Myrold [mailto:emyrold () gmail com]
Sent: 14 November 2004 03:10
To: pen-test () securityfocus com
Subject: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)"

I am having an issue with an nmap host discovery scan (nmap -sP x.x.x.x/24) that is responding for 0 through broadcast 255 when there are only 30 hosts on that subnet. At this point I am not sure if it is the router or switch that is responding to the ping sweep. What does this usually mean? There is no NAT and no filtering that I can tell, but this is not my forte... There are other subnets I can ping sweep with no problems... Thanks!
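Steve A's live-versus-dead comparison, worked through as an added example that is not from the thread: parse nmap grepable (-oG) output, take the ports reported "open" on an address known to have no host behind it as the switch's ghost set, and keep only addresses that show ports beyond that set. The scan lines, addresses and the choice of 10.1.2.11 as the known-dead address are constructed for illustration.

```python
import re

# Constructed sample of nmap -oG output (not real scan data) for a subnet
# where a switch answers on behalf of every address, so ports 21/53/80/110
# appear "open" everywhere, including on the address known to be unused.
SAMPLE_GNMAP = """\
Host: 10.1.2.1 ()\tPorts: 21/open/tcp//ftp///, 53/open/tcp//domain///, 80/open/tcp//http///, 110/open/tcp//pop3///\tIgnored State: closed (996)
Host: 10.1.2.10 ()\tPorts: 21/open/tcp//ftp///, 53/open/tcp//domain///, 80/open/tcp//http///, 110/open/tcp//pop3///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (994)
Host: 10.1.2.11 ()\tPorts: 21/open/tcp//ftp///, 53/open/tcp//domain///, 80/open/tcp//http///, 110/open/tcp//pop3///\tIgnored State: closed (996)
Host: 10.1.2.20 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///, 110/open/tcp//pop3///\tIgnored State: closed (995)
"""

# "Host: <ip> (<name>)<tab>Ports: <port list><tab>..." ; fields are tab-separated.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")
# Each port entry is port/state/proto/owner/service/rpcinfo/version/
OPEN_PORT_RE = re.compile(r"(\d+)/open/")


def parse_open_ports(gnmap_text):
    """Return {ip: set of open TCP ports} from -oG lines that carry a Ports field."""
    hosts = {}
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # status-only lines, comments, etc.
        ip, ports_field = m.group(1), m.group(2)
        hosts[ip] = {int(p) for p in OPEN_PORT_RE.findall(ports_field)}
    return hosts


def ghost_ports(hosts, known_dead_ip):
    """Anything 'open' on an address with no real host behind it belongs to the switch."""
    return set(hosts.get(known_dead_ip, set()))


def hosts_with_own_ports(hosts, ghosts):
    """Keep addresses whose open ports go beyond the ghost set, minus the ghost ports."""
    return {ip: ports - ghosts for ip, ports in hosts.items() if ports - ghosts}


if __name__ == "__main__":
    scan = parse_open_ports(SAMPLE_GNMAP)
    ghosts = ghost_ports(scan, "10.1.2.11")  # constructed known-dead address
    for ip, ports in sorted(hosts_with_own_ports(scan, ghosts).items()):
        print(ip, sorted(ports))
```

A real host whose only open ports coincide with the ghost set is dropped by this filter, which is why the thread also suggests comparing banners on those ports and re-sweeping on a port the switch does not answer.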
Current thread:
- nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)" Erik Myrold (Nov 16)
- <Possible follow-ups>
- FW: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)" Steve A (Nov 22)
- RE: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)" Scott Stephenson (Nov 26)