Nmap Development mailing list archives

Nmap 4.11: False positive ping results


From: Vitaly McLain <VMcLain () crowechizek com>
Date: Fri, 21 Jul 2006 15:55:27 -0500


Just wanted to let you know that we got some interesting false positives
with Nmap during a ping sweep. We used the -sP option (and nothing else) to
ping sweep a client's Class C.

Here is what happened:

1. Nmap 4.03 and Nmap 4.11, under Windows XP SP1 and SP2, reported all 254
hosts as up.
2. Angry IP Scanner reports 2 hosts as being up, even after being made less
angry (slowed down).
3. Nmap 4.10 under Linux (kernel 2.4.25) says 22 hosts are up.

Number #3 (Nmap/Linux) is the only correct answer!

So we scanned yet another Class C the client owns. Nmap/Windows found all
254 to be up, yet again. Angry found 8 (for comparison.) Nmap/Linux found
13 -- once again, this was the right answer.

All boxes are in the DMZ of a PIX, on the same switch. I'd be happy to do
any tests you'd like, though I am not sure if we can give you the IPs to
test.

Vitaly McLain
Risk and Performance Services
Crowe Chizek and Company LLC
Direct  : (630) 575-4346
Mobile: (224) 558-5979





