Nmap Development mailing list archives
Re: Bug report? Windows version 4.71
From: David Fifield <david () bamsoftware com>
Date: Tue, 7 Oct 2008 08:25:08 -0600
On Tue, Oct 07, 2008 at 09:54:35AM +0200, Ronald Luten wrote:
> When I use -sP to ping a C-class subnet, every host appears to be up, when in reality only 10 should be up. I've seen on the mailing list that this has been reported before, for other versions.
>
> I've used -vvv -d --packet-trace to get debug info. Maybe someone on the list knows why it is doing this. The host in the example (and the C-class) are behind a firewall, which is just routing. So there's a rule in there that permits ANY from my PC to the C-class. The firewall is new (since last week), and before then nmap didn't show this behavior, so most likely the firewall is somehow involved.
>
> Initiating Ping Scan at 09:41
> Scanning 192.168.112.188 [2 ports]
> Packet capture filter (device eth0): dst host 172.20.155.89 and (icmp or ((tcp or udp) and (src host 192.168.112.188)))
> SENT (0.2340s) TCP 172.20.155.89:50443 > 192.168.112.188:80 A ttl=48 id=9139 iplen=40 seq=4059576939 win=1024 ack=4084382708
> RCVD (0.2340s) TCP 192.168.112.188:80 > 172.20.155.89:50443 R ttl=64 id=61996 iplen=40 seq=4084382708 win=0
> We got a TCP ping packet back from 192.168.112.188 port 80 (trynum = 0)
> Completed Ping Scan at 09:41, 0.11s elapsed (1 total hosts)

The firewall is spoofing RST packets in response to the ACK ping probes sent by Nmap. It's doing it without regard to the destination of the ACK probe, so every host appears to be up. Try running with the -PS -PE host discovery options instead.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
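
Added example, not part of the original messages and not Nmap's own code: a small Python check that reads `--packet-trace` output in the format quoted above and flags the pattern David describes, where every ACK-probed address answers with an RST. The function names, the `min_hosts` threshold and the same-TTL test are assumptions of this example; the first SENT/RCVD pair in the sample is from the thread and the other lines are constructed.

```python
import re

# TCP lines of `nmap --packet-trace`, in the form quoted in the thread above.
LINE = re.compile(r"^(SENT|RCVD) \([\d.]+s\) TCP (\S+):\d+ > (\S+):\d+ (\S+) ttl=(\d+)")

def rst_replies(trace):
    """Return (probed targets, {target: ttl of the RST it appeared to send})."""
    probed, replies = set(), {}
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        direction, src, dst, flags, ttl = m.groups()
        if direction == "SENT" and flags == "A":
            probed.add(dst)                      # ACK ping probe sent to dst
        elif direction == "RCVD" and "R" in flags and src in probed:
            replies[src] = int(ttl)              # RST claiming to come from src
    return probed, replies

def looks_spoofed(trace, min_hosts=3):
    """Heuristic (an assumption of this example): every probed address answered
    the ACK probe with an RST, and all those RSTs carry one TTL value."""
    probed, replies = rst_replies(trace)
    if len(probed) < min_hosts or set(replies) != probed:
        return False
    return len(set(replies.values())) == 1

# First SENT/RCVD pair is from the thread; the .189 and .190 lines are constructed.
SAMPLE = """\
SENT (0.2340s) TCP 172.20.155.89:50443 > 192.168.112.188:80 A ttl=48 id=9139 iplen=40 seq=4059576939 win=1024 ack=4084382708
RCVD (0.2340s) TCP 192.168.112.188:80 > 172.20.155.89:50443 R ttl=64 id=61996 iplen=40 seq=4084382708 win=0
SENT (0.2350s) TCP 172.20.155.89:50443 > 192.168.112.189:80 A ttl=51 id=1001 iplen=40 seq=4059576939 win=1024 ack=4084382708
RCVD (0.2350s) TCP 192.168.112.189:80 > 172.20.155.89:50443 R ttl=64 id=61997 iplen=40 seq=4084382708 win=0
SENT (0.2360s) TCP 172.20.155.89:50443 > 192.168.112.190:80 A ttl=39 id=1002 iplen=40 seq=4059576939 win=1024 ack=4084382708
RCVD (0.2360s) TCP 192.168.112.190:80 > 172.20.155.89:50443 R ttl=64 id=61998 iplen=40 seq=4084382708 win=0
"""

if __name__ == "__main__":
    probed, replies = rst_replies(SAMPLE)
    print(sorted(replies.items()))
    print("RSTs consistent with one device answering:", looks_spoofed(SAMPLE))
```

Real hosts of the same OS on one segment can also share a TTL, so a positive result is a prompt to re-run discovery with the `-PS -PE` options suggested above and compare, not proof on its own.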