Penetration Testing mailing list archives
Re: Weird Nmap Behavior
From: Tim <tim-pentest () sentinelchicken org>
Date: Tue, 6 Oct 2009 08:17:20 -0700
Now note that we know for a fact that out of the 16 IPs we scanned not all were live. So we did expect at least some to be down. But strangely Nmap said that all 16 IPs were "up". Sure all ports were filtered - but the IPs were up. We're running SYN scans with a -PN switch as well and am quite sure it wasn't our firewall doing this - because we weren't doing any blocking as such (3 IPs were live - ping).
By using '-PN' you are explicitly telling nmap that every host is alive so don't ping it. It's just giving you back what you told it.

A better approach to determine what hosts are alive is to use an '-sP' scan with complex -P options (which can include UDP and TCP probes on multiple ports as well as different ICMP queries and a whole host of other things). Then if any of those probes comes back, nmap will treat it as alive.

tim
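An added example, not part of Tim's message or the original thread: a shell sketch of the two-pass approach the reply describes, which cross-checks a -PN port scan against a separate -sP discovery pass so that hosts listed only because -PN assumed them alive are labelled as such. The probe ports, the 192.0.2.x addresses, the function names and both sample reports are constructed assumptions.

```shell
#!/bin/sh
# Added example. Addresses, ports and the sample reports below are constructed.

# Discovery pass: -sP (ping scan only) with ICMP echo/timestamp, TCP SYN/ACK and
# UDP probes; a host is reported up only if at least one probe is answered.
discover() { nmap -n -sP -PE -PP -PS22,80,443 -PA80 -PU53 -oG - "$@"; }

# Addresses that a grepable (-oG) report marks "Status: Up".
live_hosts() { awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$@" | sort -u; }

# classify DISCOVERY_REPORT PN_REPORT: label every host in the -PN port scan as
# "responded" (seen by discovery) or "assumed-up" (listed only because of -PN).
classify() {
    awk 'FILENAME == ARGV[1] { if ($1 == "Host:" && /Status: Up/) live[$2] = 1; next }
         $1 == "Host:" && /Ports:/ {
             print $2, (($2 in live) ? "responded" : "assumed-up")
         }' "$1" "$2"
}

# Constructed reports (real ones separate fields with tabs; awk splits on both).
sample_discovery() { cat <<'EOF'
Host: 192.0.2.1 ()  Status: Up
Host: 192.0.2.5 ()  Status: Up
Host: 192.0.2.9 ()  Status: Up
EOF
}
sample_pn_scan() { cat <<'EOF'
Host: 192.0.2.1 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.0.2.2 ()  Ports: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///
Host: 192.0.2.5 ()  Ports: 22/filtered/tcp//ssh///, 80/open/tcp//http///
Host: 192.0.2.7 ()  Ports: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///
Host: 192.0.2.9 ()  Ports: 22/closed/tcp//ssh///, 80/filtered/tcp//http///
EOF
}

# Run the classification over the two constructed reports.
demo() {
    d=$(mktemp -d) || return 1
    sample_discovery > "$d/discovery.gnmap"
    sample_pn_scan > "$d/pn.gnmap"
    classify "$d/discovery.gnmap" "$d/pn.gnmap"
    rm -rf "$d"
}
demo
```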