Penetration Testing mailing list archives
Re: Weird Nmap Behavior
From: Jon Kibler <Jon.Kibler () aset com>
Date: Tue, 06 Oct 2009 02:09:32 -0400
arvind doraiswamy wrote:

> Hey Pplz, I wanted to check if any of you guys have come across this behavior. We routinely scan large networks using Nmap, so we thought we'd use it to also try and discover what IPs were live. Now note that this discussion covers hosts on the Internet and not on the LAN.
>
> So while testing out Nmap 4.76/5.00 we scanned one of our own IP ranges to check if it detected what was up and what was down. Now note that we know for a fact that out of the 16 IPs we scanned not all were live. So we did expect at least some to be down. But strangely Nmap said that all 16 IPs were "up". Sure, all ports were filtered, but the IPs were up. We're running SYN scans with a -PN switch as well, and I'm quite sure it wasn't our firewall doing this, because we weren't doing any blocking as such (3 IPs were live - ping).
>
> Now I'm a little confused. Firstly, of course an IP can be live while having, say, 65535 ports filtered coz it's behind a firewall. Which then brings me to the next 2 questions:
>
> --- If every port is filtered and ping is blocked (Internet), how does Nmap decide that a host is up?
> --- How would you explain behavior like the above where I know for a fact an IP hasn't been assigned to a server/device/anything?
>
> Lastly, if I want to test known "down" IPs, are there any such IPs? Not misspelt domain names as of now - just test "down" IP addresses.
>
> Finally, if this behavior for Nmap is how it is and can't be changed (due to whatever stack dependencies etc., just shooting in the air here), isn't this giving inaccurate results? What is a workaround?
>
> Thnx
> Arvind

1) From what O/S did you issue the command?

2) What is the exact nmap command used? (x out first 3 octets of address: x.y.z.32-47 for example)

3) You mentioned a firewall...
   a) Was the system you were scanning from behind a firewall / proxy / etc.?
   b) Were the systems being scanned behind a firewall / proxy / etc.?
   c) Both?

4) Rerun the command with the '--reason' option specified. That will tell you the exact response received and from where (host IP vs. firewall IP).

5) Were any of the IPs in the range that you scanned either the netblock's network number or broadcast address?

Bottom line: nmap reports a host up when it gets any response from the host's IP address, even if it is not the host that is responding. If I had to guess, either your firewall(s) are messing with you, or you are sending traffic to a netnum or bcast address and getting false responses.

Hope this helps!

Jon

- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
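Jon's point 4 (rerun with `--reason`) is easier to act on at scale if the scan is also written as XML (`-oX`), because nmap records the reason for each host and port verdict there, and, when the reply came from a different address than the target (for example a firewall answering with ICMP admin-prohibited), a `reason_ip` attribute naming that responder. The script below is an added example, not code from the thread or from the Nmap project: it reads such XML and sorts every "up" host into one of three buckets: evidence from the target address itself, evidence only from some other address, or no evidence at all (`-Pn`/`-PN` sets the host-status reason to `user-set`, meaning nmap simply assumed it). The XML sample is constructed on TEST-NET-1 addresses to mimic `nmap -sS -Pn --reason -oX scan.xml <range>` output; it is not a real scan.

```python
"""Sort nmap "host up" verdicts by the evidence behind them (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (192.0.2.0/24 is TEST-NET-1); not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up" reason="user-set" reason_ttl="0"/>
    <address addr="192.0.2.33" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="55"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset" reason_ttl="55"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="user-set" reason_ttl="0"/>
    <address addr="192.0.2.34" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered" reason="admin-prohibited" reason_ttl="61" reason_ip="192.0.2.1"/></port>
      <port protocol="tcp" portid="80"><state state="filtered" reason="admin-prohibited" reason_ttl="61" reason_ip="192.0.2.1"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="user-set" reason_ttl="0"/>
    <address addr="192.0.2.35" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply" reason_ttl="57"/>
    <address addr="192.0.2.36" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
    </ports>
  </host>
</nmaprun>
"""

CONFIRMED = "confirmed-by-target"          # target address itself answered something
OTHER_ONLY = "other-address-responded"     # only a third party (e.g. firewall) answered
ASSUMED = "assumed-up-no-evidence"         # -Pn said "up"; nothing ever replied


def classify_host(host):
    """Return (address, verdict, set of responder addresses) for one <host> element."""
    addr = host.find("address[@addrtype='ipv4']").get("addr")
    status = host.find("status")
    responders = set()

    # A discovery-phase reason other than user-set means a ping probe was answered.
    discovery_reply = status is not None and status.get("reason", "user-set") != "user-set"
    if discovery_reply:
        responders.add(addr)

    # Port-scan phase: every non-"no-response" state is a reply; reason_ip names
    # the sender when it was not the target address.
    for state in host.iter("state"):
        reason = state.get("reason", "no-response")
        if reason == "no-response":
            continue
        responders.add(state.get("reason_ip", addr))

    if addr in responders:
        verdict = CONFIRMED
    elif responders:
        verdict = OTHER_ONLY
    else:
        verdict = ASSUMED
    return addr, verdict, responders


def classify_scan(xml_text):
    """Map each scanned address to its verdict string."""
    root = ET.fromstring(xml_text)
    return {addr: verdict for addr, verdict, _ in map(classify_host, root.iter("host"))}


def report(xml_text):
    """Human-readable listing; third parties are named so a firewall stands out."""
    lines = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr, verdict, responders = classify_host(host)
        others = sorted(r for r in responders if r != addr)
        suffix = f" (replies from {', '.join(others)})" if others else ""
        lines.append(f"{addr:15} {verdict}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage_up.py scan.xml   (no argument: run on the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(report(text))
```

On the constructed sample, 192.0.2.33 and .36 are backed by a reply from the target, .34 is "up" only because 192.0.2.1 kept answering with admin-prohibited, and .35 is "up" purely because `-Pn` told nmap to assume it. The last two buckets are exactly the cases Jon describes, and they are what a large-range sweep with `-Pn` should be checked for before the "up" count is trusted.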
Current thread:
- Weird Nmap Behavior arvind doraiswamy (Oct 05)
- Re: Weird Nmap Behavior Wim Remes (Oct 06)
- Re: Weird Nmap Behavior Robert Portvliet (Oct 06)
- RE: Weird Nmap Behavior Gorgon Beast (Oct 06)
- Re: Weird Nmap Behavior Jon Kibler (Oct 06)
- RE: Weird Nmap Behavior mhellman (Oct 06)
- Re: Weird Nmap Behavior Jon Kibler (Oct 06)
- Re: Weird Nmap Behavior yaroslav (Oct 06)
- Re: Weird Nmap Behavior τ∂υƒιφ * (Oct 06)
- Re: Weird Nmap Behavior Tim (Oct 06)
- Re: Weird Nmap Behavior rajat swarup (Oct 06)