Nmap Development mailing list archives

Re: nmap from PHP script.


From: Rob Nicholls <robert () robnicholls co uk>
Date: Tue, 15 Feb 2011 14:55:45 +0000

On Tue, 15 Feb 2011 14:12:21 +0000, Daniel Cba. wrote:
Hello people,
when I run nmap from a PHP script it finds 26 hosts

<?php
$output = shell_exec('nmap -sP 10.101.154.1-255');
echo "<pre>$output</pre>";
?>

Nmap done: 255 IP addresses (26 hosts up) scanned in 8.62 seconds

and from the command line it finds 104 hosts
#root>nmap -sP 10.101.154.1-255

Nmap done: 255 IP addresses (104 hosts up) scanned in 5.43 seconds


Hi Daniel,

Are you running the PHP script using the root user? Or (more likely) is PHP using a low privilege account?

If you run Nmap from the command line using your root account and the Nmap option --unprivileged you'll only see responses from hosts that have certain ports open (80/tcp and 443/tcp). I'm guessing you'll only see 26 hosts, all of them web servers.

If you run Nmap as root then it'll also be able to send ARP requests for the local subnet and ICMP requests for non-local address ranges. This could identify several more devices and probably explains why only 26 show up from PHP and why 104 show up from the command line. It might also explain why the scan is a lot quicker, as Nmap won't wait and retry filtered ports for hosts if it can simply rely on an ARP response instead.

It's not usually wise to allow PHP to run commands as root, especially if users can influence the input to scripts (in this case it appears you can't as you've hardcoded the Nmap command). If you want to run Nmap using a PHP script then hopefully someone else on this list can suggest a good way of doing it (probably using sudo and /etc/sudoers, but I'm not sure as I've never tried it myself).

Rob

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
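The sudo approach Rob mentions, worked through as an added example (this is not code from the thread or from the Nmap project). The idea is that PHP keeps running as its low-privilege account and gains only the ability to run one root-owned wrapper, which accepts a single IPv4 target in the forms used above, rejects everything else, and then launches the ping sweep with raw-socket privileges so ARP/ICMP discovery works. The install path /usr/local/bin/nmap-ping-sweep, the web server user www-data, the sudoers line and the Nmap path /usr/bin/nmap are all assumptions for the example; adjust them to the system in question.

```shell
#!/bin/sh
# nmap-ping-sweep: constructed example of a least-privilege wrapper so a
# web server account can run a host-discovery scan without PHP running as
# root. Assumed layout (not taken from the thread):
#   install as /usr/local/bin/nmap-ping-sweep, owned by root, mode 0755
#   sudoers rule (edit with visudo), naming only this wrapper:
#     www-data ALL=(root) NOPASSWD: /usr/local/bin/nmap-ping-sweep
#   PHP side, with the target passed through escapeshellarg():
#     $output = shell_exec('sudo -n /usr/local/bin/nmap-ping-sweep ' . escapeshellarg($target));
set -eu

NMAP_BIN=/usr/bin/nmap   # assumed path; check with `command -v nmap`

# Accept exactly one IPv4 target in the forms seen in the thread:
# a.b.c.d, a.b.c.d-e (last-octet range) or a.b.c.d/nn.
# Options, hostnames and whitespace are rejected, so the sudo rule cannot
# be widened into a general "run nmap as root with any arguments".
validate_target() {
    t=$1
    # cheap length cap first: the longest valid form is 255.255.255.255-255
    [ ${#t} -le 19 ] || return 1
    printf '%s\n' "$t" | grep -Eq \
        '^(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])){3}(-(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])|/([0-9]|[12][0-9]|3[0-2]))?$'
}

# The command line the wrapper will exec, printed as one line so it can be
# logged or checked. -sn is the current spelling of -sP; -n skips reverse
# DNS; -oG - keeps the output greppable for the calling script.
build_command() {
    validate_target "$1" || return 1
    printf '%s -sn -n -oG - %s\n' "$NMAP_BIN" "$1"
}

main() {
    [ $# -eq 1 ] || { echo "usage: nmap-ping-sweep <ipv4-target>" >&2; exit 2; }
    validate_target "$1" || { echo "rejected target: $1" >&2; exit 2; }
    # sudo sets SUDO_USER; record who asked for the sweep (logger is optional)
    logger -t nmap-ping-sweep "sweep of $1 requested by ${SUDO_USER:-unknown}" 2>/dev/null || true
    exec "$NMAP_BIN" -sn -n -oG - "$1"
}

# Only run when invoked under the installed wrapper name, so the functions
# can be sourced or tested without launching a scan.
case "${0##*/}" in nmap-ping-sweep) main "$@" ;; esac
```

Because the sudoers entry names the wrapper without arguments, sudo will pass whatever argument PHP supplies, which is why the wrapper itself re-validates the target rather than trusting the caller; the hardcoded scan type means the web account never gets to choose Nmap options, output files or target lists.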
