Nmap Development mailing list archives

Re: Target host got nmap "down" but ping is ok


From: David Fifield <david () bamsoftware com>
Date: Thu, 30 Oct 2008 17:07:43 -0600

On Tue, Oct 21, 2008 at 09:58:30AM +0800, Ji Xu (jix2) wrote:
On Mon, Oct 20, 2008 at 4:56 AM, Ji Xu (jix2) <jix2 () cisco com> wrote:
I'm using nmap for a security test and I have one question here. My target
host is 10.190.1.8 and the attacker is 10.190.1.3. On the attacker host I enter
"nmap -v -sP 10.190.1.3/28", and it returns that 10.190.1.8 is down, but
when I ping it from the same host, it's reachable. So could anyone tell me
where the problem is?

-bash-3.00# nmap -v -sP 10.190.1.3/28

Starting Nmap 4.68 ( http://nmap.org ) at 2008-10-20 16:34 CST
Warning: File ./nmap-services exists, but Nmap is using
/opt/security/share/nmap/nmap-services for security and consistency
reasons.  set NMAPDIR=. to give priority to files in your local
directory (may affect the other data files too).
Initiating ARP Ping Scan at 16:34
Scanning 3 hosts [1 port/host]
Completed ARP Ping Scan at 16:34, 0.21s elapsed (3 total hosts)
Host 10.190.1.0 appears to be down.
Host 10.190.1.1 appears to be down.
Host 10.190.1.2 appears to be down.
Initiating Parallel DNS resolution of 1 host. at 16:34
Completed Parallel DNS resolution of 1 host. at 16:34, 0.15s elapsed
Host 10.190.1.3 appears to be up.
Initiating ARP Ping Scan at 16:34
Scanning 12 hosts [1 port/host]
Completed ARP Ping Scan at 16:34, 0.41s elapsed (12 total hosts)
Host 10.190.1.4 appears to be down.
Host 10.190.1.5 appears to be down.
Host 10.190.1.6 appears to be down.
Host 10.190.1.7 appears to be down.
Host 10.190.1.8 appears to be down.
Host 10.190.1.9 appears to be down.
Host 10.190.1.10 appears to be down.
Host 10.190.1.11 appears to be down.
Host 10.190.1.12 appears to be down.
Host 10.190.1.13 appears to be down.
Host 10.190.1.14 appears to be down.
Host 10.190.1.15 appears to be down.
Read data files from: /opt/security/share/nmap
Nmap done: 16 IP addresses (1 host up) scanned in 0.818 seconds
          Raw packets sent: 30 (1260B) | Rcvd: 0 (0B)
-bash-3.00# ping 10.190.1.8
PING 10.190.1.8 (10.190.1.8) 56(84) bytes of data.
64 bytes from 10.190.1.8: icmp_seq=0 ttl=126 time=0.413 ms
64 bytes from 10.190.1.8: icmp_seq=1 ttl=126 time=0.312 ms
64 bytes from 10.190.1.8: icmp_seq=2 ttl=126 time=0.320 ms

Could you run the following commands:

nmap -sP -n -d3 --packet-trace 10.190.1.3/28
nmap -sP --send-ip -n -d3 --packet-trace 10.190.1.3/28

And send the output? This will help diagnose the problem.

Cheers,
Michael Pattrick

Thanks for your prompt response. I have got the logs and attached.

In addition, in order to scan the TCP port on 10.190.1.8, I have to
add option -PN, otherwise the scan will fail. I think these are caused
by the same issue.

Thanks for the logs. According to them, neither ARP ping scan nor
ACK/echo ping scan (--send-ip) found any hosts up. That's strange,
because -sP --send-ip sends the same kind of probes that the ping
command sends. The only thing I can think of is that perhaps Nmap is
sending on the wrong interface.

I see from the logs that Nmap is sending on eth1. Does that sound right?
What is the output of
        nmap --iflist
Do you have any way of telling what interface the ping command is
sending on (like with a packet capture program)?

You said: "I have to add option -PN, otherwise the scan will fail." Does
that mean that the scan succeeds when you use -PN? You get the right
port output and everything? That would be interesting.

If 10.190.1.8 has an open port, try running
        nmap -sP -PS<port> 10.190.1.8
Try the other -P options listed at http://nmap.org/book/man-host-discovery.html;
if any of them work please let us know.

David Fifield
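
The probe-by-probe check suggested at the end of this message, as an added shell example that is not part of the original post or of Nmap itself. The function names (`host_state`, `try_probes`, `working_probes`) are hypothetical, and the parser assumes the "Host X appears to be up/down." lines that Nmap 4.68 prints with -v, as in the output quoted above.

```shell
#!/bin/sh
# Added example: run one ping scan per host-discovery probe type against a
# single target and report which probe types get an answer.
# Usage (as root, for raw probes): sh probes.sh TARGET OPEN_PORT

# host_state TARGET: read "nmap -v -sP" output on stdin and print the state
# reported for TARGET: "up", "down", or "unknown" if no line names it.
# Comparing field 2 exactly keeps 10.190.1.1 from matching 10.190.1.10.
host_state() {
    awk -v t="$1" '
        $1 == "Host" && $2 == t && /appears to be up/   { s = "up" }
        $1 == "Host" && $2 == t && /appears to be down/ { s = "down" }
        END { print (s == "" ? "unknown" : s) }
    '
}

# try_probes TARGET PORT: print one "<option> <state>" line per probe type.
try_probes() {
    target=$1; port=$2
    # -PR is the ARP ping that Nmap picks for targets on a local Ethernet.
    printf '%s %s\n' "-PR" \
        "$(nmap -v -n -sP -PR "$target" 2>/dev/null | host_state "$target")"
    # On a local Ethernet, ARP discovery is used even when another -P option
    # is given, so --send-ip is needed to test the IP-level probes themselves.
    for probe in -PE -PP -PM "-PS$port" "-PA$port" "-PU$port"; do
        printf '%s %s\n' "$probe" \
            "$(nmap -v -n -sP --send-ip "$probe" "$target" 2>/dev/null |
               host_state "$target")"
    done
}

# working_probes: read "<option> <state>" lines and print the options that
# found the host up, space-separated, or "none".
working_probes() {
    awk '$2 == "up" { out = out (out ? " " : "") $1 }
         END { print (out ? out : "none") }'
}

# Run only when a target and a port known to be open are both supplied.
if [ $# -eq 2 ]; then
    results=$(try_probes "$1" "$2")
    printf '%s\n' "$results"
    printf 'probes answered: %s\n' "$(printf '%s\n' "$results" | working_probes)"
fi
```

If every IP-level probe reports "down" while the system ping still gets replies, that points back to the interface question raised above, and `nmap --iflist` plus a packet capture are the next things to compare.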
