Security Basics mailing list archives

Re: nmap -sP -PE -R -v behaves differently with root/un-root


From: Marc Ouwerkerk <olderchurch () gmail com>
Date: Mon, 8 Aug 2011 14:32:55 +0200

-PE and -sP are both used for discovery. -sP has different behavior
for root and non-root users. From the manual:

Ping Scan [-sP]

This scan type lists the hosts within the specified range that
responded to a ping. It allows you to detect which computers are
online, rather than which ports are open. Four methods exist within
Nmap for ping sweeping.

The first method sends an ICMP ECHO REQUEST (ping request) packet to
the destination system. If an ICMP ECHO REPLY is received, the system
is up, and ICMP packets are not blocked. If there is no response to
the ICMP ping, Nmap will try a "TCP Ping", to determine whether ICMP
is blocked, or if the host is really not online.

A TCP Ping sends either a SYN or an ACK packet to any port (80 is the
default) on the remote system. If RST, or a SYN/ACK, is returned, then
the remote system is online. If the remote system does not respond,
either it is offline, or the chosen port is filtered, and thus not
responding to anything.

When you run an Nmap ping scan as root, the default is to use the ICMP
and ACK methods. Non-root users will use the connect() method, which
attempts to connect to a machine, waiting for a response, and tearing
down the connection as soon as it has been established (similar to the
SYN/ACK method for root users, but this one establishes a full TCP
connection!)

The ICMP scan type can be disabled by setting -P0 (that is, zero, not
uppercase o).

On Fri, Aug 5, 2011 at 5:41 AM, John Hunter <johnny.h.hunter () gmail com> wrote:
I was running the command

nmap -sP -PE -R -v microsoft.com ebay.com yahoo.com \
google.com slashdot.org

It behaves differently when I was a root user and when I was a non-root user.
Ironically, when I was a non-root user, the result is more accurate.

When I was a non-root user:

john@virtual-evolution:~$ nmap -sP -PE -R -v microsoft.com ebay.com yahoo.com \
google.com slashdot.org

....
Host 207.46.232.182 is up (0.014s latency).
Host pages.ebay.com (66.211.160.87) is up (0.086s latency).
Host ir1.fp.vip.ac4.yahoo.com (67.195.160.76) is up (0.016s latency).
Host vw-in-f147.1e100.net (74.125.113.147) is up (0.028s latency).
Host slashdot.org (216.34.181.45) is up (0.038s latency).
Nmap done: 5 IP addresses (5 hosts up) scanned in 13.36 seconds


When I was root:

root@virtual-evolution:~# nmap -sP -PE -R -v microsoft.com ebay.com yahoo.com google.com slashdot.org

....

Host 207.46.197.32 is down.
Host pages.ebay.com (66.135.205.14) is down.
Host ir1.fp.vip.mud.yahoo.com (209.191.122.70) is down.
Host vw-in-f106.1e100.net (74.125.113.106) is down.
Host slashdot.org (216.34.181.45) is up (0.044s latency).
Nmap done: 5 IP addresses (1 host up) scanned in 14.26 seconds
           Raw packets sent: 10 (280B) | Rcvd: 6 (168B)


Why is that?

Thanks!

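An added example (not from Marc's post and not Nmap's own code) that reproduces the unprivileged connect() host-discovery rule Marc describes, so the two runs in the thread can be compared against a concrete implementation. It follows the quoted manual text: a completed handshake (SYN/ACK) or an immediate RST both count as "host up", and only silence or an unreachable route is reported as "no answer". The privileged ICMP echo and TCP ACK probes need raw sockets, so they are deliberately not implemented here. The function names, the loopback test targets and the port numbers are assumptions of the example.

```python
import socket
import threading

# Added example: an unprivileged "TCP connect() ping" in the spirit of the
# method Nmap falls back to when -sP runs without root. Not Nmap code.
# Rule (from the manual text quoted in the thread): a completed handshake
# (SYN/ACK) or an immediate RST both mean the host is online; only silence
# or an unreachable route leaves the state undetermined.


def tcp_connect_ping(host, port=80, timeout=2.0):
    """Probe one host with a full TCP connect() and classify the answer.

    Returns (state, reason) where state is "up" or "down". "down" means
    "no TCP answer", which, as the quoted manual notes, can also be a
    filtered port rather than an offline host.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            # Three-way handshake finished; the 'with' block tears the
            # connection down again immediately, as the connect() method does.
            return "up", "connect() completed (SYN/ACK received)"
    except ConnectionRefusedError:
        # A RST came back: nothing listens on that port, but the host answered.
        return "up", "connection refused (RST received)"
    except socket.timeout:
        return "down", "no response before timeout (offline or filtered)"
    except OSError as exc:
        # e.g. "Network is unreachable" or "No route to host" from the local stack
        return "down", f"error: {exc.strerror or exc}"


def tcp_ping_sweep(targets, port=80, timeout=2.0):
    """Run tcp_connect_ping over several hosts; returns {host: (state, reason)}."""
    return {host: tcp_connect_ping(host, port, timeout) for host in targets}


def start_loopback_listener():
    """Constructed test target: a throwaway listener on an ephemeral loopback port.

    Returns (server_socket, port); close the socket to stop the listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break  # server socket was closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_loopback_port():
    """Constructed test target: a loopback port with nothing listening (expect RST)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_loopback_listener()
    closed_port = unused_loopback_port()
    for label, port in (("listening port", open_port), ("closed port", closed_port)):
        state, reason = tcp_connect_ping("127.0.0.1", port, timeout=1.0)
        print(f"127.0.0.1:{port} ({label}): {state} - {reason}")
    srv.close()
```

Running it shows both loopback probes reported as "up", one via a completed handshake and one via a refused connection, which is exactly why the unprivileged run in the thread can report hosts as up that the privileged ICMP/ACK run reported as down: a host that drops ICMP echo and unsolicited ACKs can still answer a real connect() to port 80. The trade-off for a defender is visibility: the connect() method completes a full TCP connection, so it appears in the target's application and connection logs, whereas the raw-packet probes usually do not.
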
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


