Nmap Development mailing list archives

Re: Don't know if this is a bug or not.


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 12 Jul 2009 07:45:48 +0000

On Thu, 9 Jul 2009 16:30:39 -0400 or thereabouts "Rick Rambo"
<RamboRL () Booth-Assoc com> wrote:

(using Zenmap 4.90RC1)
While scanning our public facing IP range, I got a return on an IP
address I know is not used.  I re-scanned that IP with an Intense
scan with TCP.  That scan identified a Dlink DWL-2100AP wireless
access point.

T1 from ISP to their single port router. -> single cable to Bay Stack
hub. Bay hub connects our outward facing devices.  All cables out of
hub are accounted for.

I am emailing our ISP to see if there is possibly a piece of
equipment at their premises, but I would doubt that would be the case.

I did the original scanning with the Version 4 beta I had installed.
Is it possible this is a "false positive"?

I've included the scan results xml file.


.confused
.rick..
--
Rick Rambo


Rick,

I'm a little confused by your question.  To answer your subject line,
no, what you presented does not look like any sort of bug in Nmap.  If
you were asking if there is a chance that there really isn't any
machine at that IP address, yes, a slim chance, I'll explain later.  If
you are asking if the OS detection results that say the device is a
"Dlink DWL-2100AP" really is true, no, that detection could easily be
wrong since there wasn't enough information for a good quality test.

So first, it sounds like you are confused as to why Nmap even said that
this host is up.  You did host discovery with "-PE -PA21,23,80,3389" and
Nmap said the host is up.  We don't know which of those probes though
triggered a response so first you should figure out what is triggering
the host up by doing a ping scan with --reason like so:

$ sudo nmap -sP -T4 -v --reason -PE -PA21,23,80,3389 67.141.231.231

Instead of just telling you the host is up, Nmap will tell you which
probe successfully determined that.  There is a slim chance that there
really isn't a host there.  In that case, what would be happening is
that there is some other networking device between you and wherever
that IP routes to that is responding in a way that makes Nmap think a
host is there.  It isn't terribly uncommon for various network
middleboxes to do things like this.

Notice in your scan that all ports 1-65535 came back as filtered.  When
you do OS detection, you really need at least one open and one closed
port.  It seems like OS detection got some response from the host but
whatever the response is, it could have been the same network effect
that showed the host as up (if it isn't really there).

You'd do best to run this scan again using at least debugging 2 (use the
-d2 flag) to get an idea of what is coming back to you.  You can also
look at the OS fingerprint and see what probes elicited a response.

If you are feeling really adventurous, you can even re-run the scan
with --packet-trace to see every probe sent and received.

Regards,

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
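The checks Brandon describes (which probe response marked the host up, whether any port was actually open or closed, and whether the OS match therefore rests on a usable fingerprint) can be pulled straight out of the XML output Rick attached. The script below is an added example, not code from the thread or from the Nmap project: it parses `-oX` output from a scan run with `--reason` using only the standard library, and the embedded sample XML is constructed (documentation-range addresses, invented OS match names) to mirror the situation in the thread: one host that is "up" on nothing but an echo reply with every port filtered, beside a normal reachable host.

```python
"""Summarise host-discovery and OS-detection evidence from Nmap XML output.

Added example, not code from the thread or from Nmap itself. Reads the -oX
output of a scan run with --reason and reports, per host, which probe
response marked it up, how many ports were open / closed / filtered, and
whether OS detection had the one-open-plus-one-closed port it needs.
"""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in Nmap's XML schema (not the XML attached to the thread).
# Host .10 mirrors the situation discussed: up on an echo reply only, every
# port filtered, yet an OS match reported. Host .11 is a normal reachable box.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -O -PE -PA21,23,80,3389 --reason 192.0.2.0/24">
  <host>
    <status state="up" reason="echo-reply" reason_ttl="250"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="65535">
        <extrareasons reason="no-response" count="65535"/>
      </extraports>
    </ports>
    <os><osmatch name="Example wireless AP (constructed)" accuracy="85" line="1"/></os>
  </host>
  <host>
    <status state="up" reason="syn-ack" reason_ttl="64"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="65533">
        <extrareasons reason="reset" count="65533"/>
      </extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/></port>
    </ports>
    <os><osmatch name="Example Linux (constructed)" accuracy="98" line="1"/></os>
  </host>
</nmaprun>
"""


@dataclass
class HostEvidence:
    addr: str
    up_reason: str            # status/@reason, e.g. echo-reply, syn-ack, reset
    up_ttl: Optional[int]     # status/@reason_ttl, the TTL seen on that response
    open_ports: int
    closed_ports: int
    filtered_ports: int
    os_guess: Optional[str]
    os_accuracy: Optional[int]

    @property
    def os_detection_reliable(self) -> bool:
        # Nmap's OS fingerprinting needs at least one open and one closed TCP port.
        return self.open_ports >= 1 and self.closed_ports >= 1


def _bin(state: Optional[str]) -> str:
    # Ambiguous states (open|filtered, closed|filtered, unfiltered) give OS
    # detection no usable open or closed port, so they are binned as filtered.
    return state if state in ("open", "closed") else "filtered"


def parse_hosts(xml_text: str) -> List[HostEvidence]:
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        counts = {"open": 0, "closed": 0, "filtered": 0}
        ports = host.find("ports")
        if ports is not None:
            # <extraports> holds the bulk state Nmap collapsed (e.g. 65535 filtered).
            for extra in ports.findall("extraports"):
                counts[_bin(extra.get("state"))] += int(extra.get("count", "0"))
            for port in ports.findall("port"):
                counts[_bin(port.find("state").get("state"))] += 1
        osmatch = host.find("os/osmatch")
        ttl = status.get("reason_ttl")
        hosts.append(HostEvidence(
            addr=addr.get("addr") if addr is not None else "?",
            up_reason=status.get("reason", "unknown"),
            up_ttl=int(ttl) if ttl else None,
            open_ports=counts["open"],
            closed_ports=counts["closed"],
            filtered_ports=counts["filtered"],
            os_guess=osmatch.get("name") if osmatch is not None else None,
            os_accuracy=int(osmatch.get("accuracy")) if osmatch is not None else None,
        ))
    return hosts


def findings(ev: HostEvidence) -> List[str]:
    """Plain-language observations to read next to the raw counts."""
    notes = []
    if ev.open_ports == 0 and ev.closed_ports == 0:
        notes.append(f"up only because of a '{ev.up_reason}' response; with every port "
                     "filtered nothing distinguishes a real host from a device answering for it")
    if ev.os_guess and not ev.os_detection_reliable:
        notes.append(f"OS match '{ev.os_guess}' ({ev.os_accuracy}%) rests on an incomplete "
                     "fingerprint (needs one open and one closed port); do not trust it")
    return notes


def report(xml_text: str) -> str:
    lines = []
    for ev in parse_hosts(xml_text):
        lines.append(f"{ev.addr}: up via {ev.up_reason} (ttl={ev.up_ttl}), open={ev.open_ports} "
                     f"closed={ev.closed_ports} filtered={ev.filtered_ports}")
        lines.extend(f"  - {note}" for note in findings(ev))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python nmap_evidence.py scan.xml   (falls back to the sample when no file is given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(report(text))
```

The `reason_ttl` column is worth reading alongside the reason: a host-up reply whose TTL differs from the TTL on responses from neighbouring hosts in the same range is one hint that something other than the target answered, which is the same question `-d2` and `--packet-trace` let you settle from the raw packets.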

