Penetration Testing mailing list archives
Re: Weird Nmap Behavior
From: yaroslav <ambivalenced () gmail com>
Date: Tue, 6 Oct 2009 12:26:51 +0400
Hi arvind. from little research with tcpdump and nmap 4.85 it seems like standart nmap behaviour, I think, taking into account that -PN switch was specified. this is the cause that nmap threat all hosts alive _except_ LAN. When you're scanning host in the LAN, firstly ARP request issued to obtain ethernet-address of host in question. and if it fails - host marked as down. In case of WAN you can not get any ARP responces, thereby you (well...nmap) has nothing more than assume host alive. to deal with this, read nmap man page, section "HOST DISCOVERY". there are some advices to deal with different situations, some may be applicable to you. On Mon, Oct 5, 2009 at 9:38 PM, arvind doraiswamy <arvind.doraiswamy () gmail com> wrote:
Hey Pplz, I wanted to check if any of you guys have come across this behavior. We routinely scan large networks using Nmap - so we thought we'd use it to also try and discover what IP's were live. Now note that this discussion covers hosts on the Internet and not on the LAN. So while testing out Nmap 4.76/5.00 we scanned one of our own IP ranges to check if it detected what was up and what was down. Now note that we know for a fact that out of the 16 IP's we scanned not all were live. So we did expect atleast some to be down. But strangely Nmap said that all 16 IP's were "up". Sure all ports were filtered - but the IP's were up. We're running SYN scans with a -PN switch as well and am quite sure it wasn't our firewall doing this - because we weren't doing any blocking as such( 3 IP's were live - ping). Now I'm a little confused - Firstly ofcourse an IP can be live while having say 65535 ports filtered coz its behind a firewall. Which then brings me to the next 2 questions: --- If every port is filtered and ping is blocked(Internet) how does Nmap decide that a host is up? --- How would you explain behavior like the above where I know for a fact an IP hasn't been assigned to a server/device/anything? Lastly if I want to test known "down" IP's are there any such IP's? Not misspelt domain names as of now - just test "down" IP addresses. Finally if this behavior for Nmap is how it is and can't be changed(due to whatever stack dependencies etc , just shooting in the air here) isn't this giving in accurate results? What is a workaround? Thnx Arvind ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Weird Nmap Behavior arvind doraiswamy (Oct 05)
- Re: Weird Nmap Behavior Wim Remes (Oct 06)
- Re: Weird Nmap Behavior Robert Portvliet (Oct 06)
- RE: Weird Nmap Behavior Gorgon Beast (Oct 06)
- Re: Weird Nmap Behavior Jon Kibler (Oct 06)
- RE: Weird Nmap Behavior mhellman (Oct 06)
- Re: Weird Nmap Behavior Jon Kibler (Oct 06)
- Re: Weird Nmap Behavior yaroslav (Oct 06)
- Re: Weird Nmap Behavior τ∂υƒιφ * (Oct 06)
- Re: Weird Nmap Behavior Tim (Oct 06)
- Re: Weird Nmap Behavior rajat swarup (Oct 06)