Nmap Development mailing list archives

Re: nmap -sP showing hosts is up while it is down


From: Rob Nicholls <robert () robnicholls co uk>
Date: Thu, 25 Feb 2010 16:03:00 +0000

On Thu, 25 Feb 2010 15:37:18 +0100, nmapuseraix <nmapuseraix () o2 pl> wrote:
> When I ping (using "ping") those hosts they do not respond to echo.

Nmap's -sP command sends more than an ICMP echo request:

http://nmap.org/book/man-host-discovery.html

"The -sP option sends an ICMP echo request, TCP SYN to port 443, TCP ACK
to port 80, and an ICMP timestamp request by default"

> Running:
> nmap -n -sP -T4  10.33.7.0/24
> Results in:
> Nmap done: 256 IP addresses (256 hosts up) scanned in 0.12 seconds
> Timing doesn't seem correct as well, so why is nmap acting like that?
> Bug?

Are you on the same subnet? From the same link as above:

"When a privileged user tries to scan targets on a local ethernet network,
ARP requests are used unless --send-ip was specified"

ARP responses are typically pretty quick. I must admit I'd expect it to
take a few seconds to scan a class C, but that's if most hosts are down.
Something appears to be responding to ARP requests for every IP address,
which might explain why it was so quick. This is sometimes down to
poor/lazy network configuration. You can add "--reason" to your command to
see if they're marked as up because you're getting an arp-response back.

If you're not on the same subnet, perhaps you're hitting a firewall that
returns TCP resets for hosts that don't exist (some firewalls do this to
avoid long connection timeouts for users)? Again, "--reason" will help you
work out why Nmap thinks the host at that IP address is up. This might
explain why you're seeing every host in other class C ranges coming back as
up. Either that or all of them have TCP ports 80 and/or 443 open!

Rob

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
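A way to act on the "--reason" advice above, as an added example that is not part of the thread: a small Python script that tallies the host-discovery reason per address and flags the two false-positive patterns Rob describes (every address answering ARP, or every address answered with a TCP reset), plus one MAC address answering for many IPs. It assumes Nmap's normal output format with --reason ("Host is up, received <reason>"); the sample output below is constructed, not a real scan.

```python
import re
from collections import Counter

# Constructed sample of `nmap -n -sn --reason` normal output for three
# addresses (-sn is the current name of the -sP host-discovery scan).
SAMPLE_OUTPUT = """\
Nmap scan report for 10.33.7.1
Host is up, received arp-response (0.00052s latency).
MAC Address: 00:00:5E:00:53:01 (Unknown)
Nmap scan report for 10.33.7.2
Host is up, received arp-response (0.00049s latency).
MAC Address: 00:00:5E:00:53:01 (Unknown)
Nmap scan report for 10.33.7.3
Host is up, received arp-response (0.00051s latency).
MAC Address: 00:00:5E:00:53:01 (Unknown)
Nmap done: 3 IP addresses (3 hosts up) scanned in 0.05 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Older releases print "Host 10.33.7.1 is up, received ..." on one line.
UP_RE = re.compile(r"^Host(?: (\S+))? is up, received (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address")

def parse_reasons(text):
    """Return ({ip: reason}, {ip: mac}, addresses_scanned) from --reason output."""
    reasons, macs, scanned, current = {}, {}, 0, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
        elif m := UP_RE.match(line):
            current = m.group(1) or current
            if current:
                reasons[current] = m.group(2)
        elif (m := MAC_RE.match(line)) and current:
            macs[current] = m.group(1).upper()
        elif m := DONE_RE.match(line):
            scanned = int(m.group(1))
    return reasons, macs, scanned

def assess(text):
    """Flag the false-positive patterns from the thread; returns (counts, findings)."""
    reasons, macs, scanned = parse_reasons(text)
    counts = Counter(reasons.values())
    findings = []
    if scanned and counts.get("arp-response", 0) == scanned:
        findings.append("every address answered ARP: suspect proxy ARP or lazy config")
    if scanned and counts.get("reset", 0) == scanned:
        findings.append("every address answered with TCP RST: suspect a firewall faking hosts")
    shared = [mac for mac, n in Counter(macs.values()).items() if n > 1]
    if shared:
        findings.append("one MAC answers for several IPs: " + ", ".join(shared))
    return counts, findings
```

Pipe a real run through `assess(open("scan.txt").read())` and a single reason or a single MAC across the whole range is the tell that the "up" verdict comes from the network, not from the hosts.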

