Re: Follow up to NMAP on Snow Leopard with VMWARE Fusion installed

[Jay Fink <jay.fink () gmail com>]

Woops I meant to send this email to the list...

On Mon, Sep 21, 2009 at 7:28 AM, Walt Scrivens <walts () gate net> wrote:
> Here's some more info - this time with 5.00.  I did the same scan through
> Zenmap, running natively under Snow Leopard, and running as a Windows 7 VM
> under VMWare Fusion under Snow Leopard.  Same computer, same network.
> I used the "canned" Intense Scan profile in Zenmap from the Windows vm, and
> copy/pasted it into the Mac Zenmap since its version of Intense Scan did not
> include the -PE -PS22,25,80 -PA21,23,80,3389
>
> It looks to me as if the Mac user scan worked correctly, being the same as
> the Windows scan less that which requires root to run.  The Mac root scan
> fails miserably.


I used the exact same scan options on my mac (10.5.7) and a
 checkout of nmap from this morning (r15532) with one host
being freebsd using vmware-fusion nat and another one
nstlinux running on vmware-fusion with bridged networking.
The results were interesting. On the nat'd guest I had the
same results as you- as a regular user I could scan but
as root it thought it was down. On the bridged version it
was *opposite* - off the top of my head I have no idea what
would cause that.

For fun I tried using the macports version I have installed but
it didn't matter as on that version (way out of date: 4.60) it won't
allow said options as a user. As root however, on bridged or nat'd
networking it reported host down.

Note that I do not see this problem on vmware-server guests
running under linux.

Thanks,
 j
> =====================================
> nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.1.1
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-21 07:06 Eastern Daylight
> Time
> NSE: Loaded 30 scripts for scanning.
> Initiating Ping Scan at 07:07
> Scanning 192.168.1.1 [8 ports]
> Completed Ping Scan at 07:07, 1.23s elapsed (1 total hosts)
> Initiating Parallel DNS resolution of 1 host. at 07:07
> Completed Parallel DNS resolution of 1 host. at 07:07, 0.01s elapsed
> Initiating SYN Stealth Scan at 07:07
> Scanning 0ur1an (192.168.1.1) [1000 ports]
> Discovered open port 53/tcp on 192.168.1.1
> Discovered open port 23/tcp on 192.168.1.1
> Discovered open port 80/tcp on 192.168.1.1
> Completed SYN Stealth Scan at 07:07, 2.34s elapsed (1000 total ports)
> Initiating Service scan at 07:07
> Scanning 3 services on 0ur1an (192.168.1.1)
> Completed Service scan at 07:08, 74.48s elapsed (3 services on 1 host)
> Initiating OS detection (try #1) against 0ur1an (192.168.1.1)
> Initiating Traceroute at 07:08
> 192.168.1.1: guessing hop distance at 1
> Completed Traceroute at 07:08, 0.03s elapsed
> Initiating Parallel DNS resolution of 3 hosts. at 07:08
> Completed Parallel DNS resolution of 3 hosts. at 07:08, 0.14s elapsed
> NSE: Script scanning 192.168.1.1.
> NSE: Starting runlevel 1 scan
> Initiating NSE at 07:08
> Completed NSE at 07:08, 4.34s elapsed
> NSE: Script Scanning completed.
> Host 0ur1an (192.168.1.1) is up (0.026s latency).
> Interesting ports on 0ur1an (192.168.1.1):
> Not shown: 997 closed ports
> PORT   STATE SERVICE VERSION
> 23/tcp open  telnet  DD-WRT telnetd 23 SP2 std (c) 2006 NewMedia-NET GmbH
> 53/tcp open  domain  dnsmasq 2.33
> 80/tcp open  http?
> |_ html-title: 0ur1an - Info
> Device type: general purpose
> Running: Apple Mac OS X 10.5.X
> OS details: Apple Mac OS X 10.5.5 (Leopard)
> TCP Sequence Prediction: Difficulty=260 (Good luck!)
> IP ID Sequence Generation: Incremental
> Service Info: OS: Linux; Device: WAP
>
> TRACEROUTE (using port 22/tcp)
> HOP RTT   ADDRESS
> 1   16.00 192.168.246.2
> 2   0.00  0ur1an (192.168.1.1)
>
> Read data files from: C:\Program Files\Nmap
> OS and Service detection performed. Please report any incorrect results at
> http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 104.19 seconds
>           Raw packets sent: 1034 (47.206KB) | Rcvd: 1175 (51.683KB)
> ======================================
>
> Now the Mac version:
> ======================================
> nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.1.1
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-21 07:10 EDT
> NSE: Loaded 30 scripts for scanning.
> Initiating ARP Ping Scan at 07:10
> Scanning 192.168.1.1 [1 port]
> Completed ARP Ping Scan at 07:10, 0.21s elapsed (1 total hosts)
> Read data files from: /usr/local/share/nmap
> Note: Host seems down. If it is really up, but blocking our ping probes, try
> -PN
> Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds
>           Raw packets sent: 2 (84B) | Rcvd: 0 (0B)
>
> =======================================
>
> Then, just for grins, I tried the same scan from a command line as an
> ordinary user
>
> =======================================
> testcomputer:~ walts$ nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
> 192.168.1.1
> Warning:  You are not root -- using TCP pingscan rather than ICMP
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-21 07:18 EDT
> NSE: Loaded 30 scripts for scanning.
> Initiating Ping Scan at 07:18
> Scanning 192.168.1.1 [6 ports]
> Completed Ping Scan at 07:18, 0.01s elapsed (1 total hosts)
> Initiating Parallel DNS resolution of 1 host. at 07:18
> Completed Parallel DNS resolution of 1 host. at 07:18, 0.01s elapsed
> Initiating Connect Scan at 07:18
> Scanning 0ur1an (192.168.1.1) [1000 ports]
> Discovered open port 53/tcp on 192.168.1.1
> Discovered open port 23/tcp on 192.168.1.1
> Discovered open port 80/tcp on 192.168.1.1
> Completed Connect Scan at 07:18, 2.14s elapsed (1000 total ports)
> Initiating Service scan at 07:18
> Scanning 3 services on 0ur1an (192.168.1.1)
> Completed Service scan at 07:18, 6.02s elapsed (3 services on 1 host)
> NSE: Script scanning 192.168.1.1.
> NSE: Starting runlevel 1 scan
> Initiating NSE at 07:18
> Completed NSE at 07:18, 4.26s elapsed
> NSE: Script Scanning completed.
> Host 0ur1an (192.168.1.1) is up (0.076s latency).
> Interesting ports on 0ur1an (192.168.1.1):
> Not shown: 997 closed ports
> PORT   STATE SERVICE VERSION
> 23/tcp open  telnet  DD-WRT telnetd 23 SP2 std (c) 2006 NewMedia-NET GmbH
> 53/tcp open  domain  dnsmasq 2.33
> 80/tcp open  http    Linksys wrt54g DD-WRT firmware http config
> |_ html-title: 0ur1an - Info
> Service Info: OS: Linux; Device: WAP
>
> Read data files from: /usr/local/share/nmap
> Service detection performed. Please report any incorrect results at
> http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds
> testcomputer:~ walts$
> =========================================
>
> ...and finally as root:
>
> =========================================
>
> testcomputer:~ walts$ sudo nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
> 192.168.1.1
> Password:
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-21 07:20 EDT
> NSE: Loaded 30 scripts for scanning.
> Initiating ARP Ping Scan at 07:20
> Scanning 192.168.1.1 [1 port]
> Completed ARP Ping Scan at 07:20, 0.21s elapsed (1 total hosts)
> Read data files from: /usr/local/share/nmap
> Note: Host seems down. If it is really up, but blocking our ping probes, try
> -PN
> Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds
>           Raw packets sent: 2 (84B) | Rcvd: 0 (0B)
> testcomputer:~ walts$
>
> ==========================================
>
> On Sep 21, 2009, at 5:03 AM, Norbert Szetei wrote:
>
> > Hello,
> >
> > I reported also this problem a few days ago, on fresh show leopard
> > installation (nmap 5.05BETA1) and without vmware.
> >
> > s.
> [SNIP]
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org