Nmap Development mailing list archives

Re: Odd scanning error


From: "Kevin Nault" <prof.morbius () gmail com>
Date: Mon, 20 Oct 2008 19:11:18 -0600

I've actually run this down since, but didn't want to fire off another
message to the group address for fear of causing confusion.

The culprit is our Meru 802.11 WAPs; I don't know if that MAC is the MAC of
the WAP(s) -- I haven't followed through that far -- but it only happens in
the office with those WAPs and only while connected to wireless.  It does
still happen if I'm connected to both wired and wireless -- apparently
either nmap or WinXP prefers the wifi.

Thank you for the response, and let me know if there's anything further I
can provide (like command output).

On Sun, Oct 19, 2008 at 7:03 PM, David Fifield <david () bamsoftware com> wrote:

On Wed, Oct 01, 2008 at 10:19:08AM -0600, Kevin Nault wrote:
I am using nmap version 4.76 on Windows XP (SP 3, fully up-to-date as of
30 Sept '08) on an HP/Compaq nx8230 laptop with a Broadcom 5700-series
Ethernet NIC and an Intel 2200BG wifi NIC.

Any network scan I do returns every address (empty or full) as having a
Lanner Electronics ethernet card with a MAC address of 00:90:0B:0D:72:6F --
whether the device exists or not, responds or not, and regardless of what
NIC and MAC the device actually has.  Every address (whether a device
exists there or not) is also reported as having TCP port 1720 (H.323/Q.931)
open|filtered.  If I don't include 1720 in the TCP port list, all ports
report as "filtered".  Devices which do exist report their port lists
accurately, though 1720 will be added to the list if it is scanned for.

I have a custom-built computer physically next to this one, plugged into
the next port on the same switch, with the same OS, running nmap 4.20 that
does not do this -- MAC addresses, the absence of devices, and the state of
port 1720 are reported accurately.

The only IDS/IPS device on this network is a SonicWall firewall running
current software, but its MAC is 00:06:B1:XX:XX:XX (different last three
bytes from the Lanner address above).

I love nmap and use it at least weekly.  Help?

This is indeed a strange error. Can you send me or Fyodor a scan log
using the options -d3 --packet-trace?

Does it happen with both the wired and wireless NICs, or just one of
them?

With TCP scans, the open|filtered state is usually only possible with
FIN, NULL, and Xmas scans. Getting it with a SYN scan would point to a
bug in Nmap.

My best guess is that there's some software on the Windows XP machine
causing this. You could try uninstalling Nmap, then reinstalling version
4.20 from http://nmap.org/dist-old/nmap-4.20-setup.exe. Another thing,
which you shouldn't bother doing unless you have a live CD handy, is to
boot the XP machine with a GNU/Linux live CD and try running Nmap under
that. If it doesn't give the strange behavior then it points to a
problem with the XP setup.

David Fifield




-- 
Religion, or the duty which we owe our Creator, and the manner of
discharging it, can be directed only by reason and conviction, not by force
and violence; and therefore all men are equally entitled to the free
exercise of religion, according to the dictates of conscience.
 -- James Madison
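The two symptoms discussed in this thread (every scanned address reporting the same MAC, and tcp/1720 showing open|filtered in a SYN scan, a state David notes should only arise from FIN, NULL and Xmas scans) can be checked mechanically against Nmap's XML output (`-oX`). The script below is an added example, not code from the thread or from Nmap itself; the sample report, the 192.0.2.x addresses and the element layout are constructed for illustration and only use attribute names Nmap's XML schema actually emits.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Nmap scan types (the <scaninfo type="..."> value) for which a TCP port can
# legitimately end up open|filtered, because no response is ambiguous there.
OPEN_FILTERED_OK = {"fin", "null", "xmas", "maimon", "udp"}

def check_scan(xml_text):
    """Return a list of anomaly strings found in an Nmap XML report."""
    root = ET.fromstring(xml_text)
    scan_types = {si.get("type") for si in root.findall("scaninfo")}
    findings = []
    mac_to_hosts = defaultdict(list)
    for host in root.findall("host"):
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "mac":
                mac = addr.get("addr")
            elif addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
        if mac:
            mac_to_hosts[mac].append(ip)
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            # open|filtered in a SYN/connect scan is not a valid Nmap result
            if (port.get("protocol") == "tcp" and state == "open|filtered"
                    and not (scan_types & OPEN_FILTERED_OK)):
                findings.append(f"{ip}: tcp/{port.get('portid')} is open|filtered "
                                f"in a {','.join(sorted(scan_types))} scan")
    # Several IPs answering with one MAC suggests something (a bridge, a WAP
    # doing proxy ARP, a local driver) is answering on the hosts' behalf.
    for mac, ips in mac_to_hosts.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} reported for {len(ips)} hosts: {', '.join(ips)}")
    return findings

# Constructed sample report reproducing the symptoms described in the thread.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -p 1720 192.0.2.10-11">
<scaninfo type="syn" protocol="tcp" numservices="1" services="1720"/>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<address addr="00:90:0B:0D:72:6F" addrtype="mac" vendor="Lanner Electronics"/>
<ports><port protocol="tcp" portid="1720"><state state="open|filtered" reason="no-response"/></port></ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<address addr="00:90:0B:0D:72:6F" addrtype="mac" vendor="Lanner Electronics"/>
<ports><port protocol="tcp" portid="1720"><state state="open|filtered" reason="no-response"/></port></ports></host>
</nmaprun>"""

if __name__ == "__main__":
    for line in check_scan(SAMPLE_XML):
        print(line)
```

Run it against a real report with `check_scan(open("scan.xml").read())`; a clean scan returns an empty list.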

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org