Nmap Development mailing list archives

Re: bug or host evasive action?


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 19 Apr 2012 23:51:13 -0500

I'd be willing to bet that if you either ran Nmap as root or used a
slower timing (e.g. -T2), you'd be able to detect it. As an embedded
system, the router probably is running a single-threaded HTTP server,
and when Nmap performs a connection on port 80 to do host detection
(the default when running unprivileged), the server still considers
that connection open for a while afterwards, and so ignores the second
probe from the port scan phase. Scanning the whole network puts a
small delay between the phases as Nmap finishes scanning the rest of
the network, so the server has a chance to "reset" the socket.

Dan

On Thu, Apr 19, 2012 at 11:22 PM, Britton Kerin <britton.kerin () gmail com> wrote:
Hi guys,

I guess any weirdness you see as a result of scans could be hosts
taking evasive action or something, but this strikes me as weird.

When I skip host detection, the http server on one of the Linksys
wireless routers gets found, but not if I don't:

    $ nmap -Pn 192.168.1.1

    Starting Nmap 5.51 ( http://nmap.org ) at 2012-04-19 20:19 AKDT
    Nmap scan report for 192.168.1.1
    Host is up (0.0061s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    80/tcp open  http

    Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds
    $ nmap 192.168.1.1

    Starting Nmap 5.51 ( http://nmap.org ) at 2012-04-19 20:19 AKDT
    Nmap scan report for 192.168.1.1
    Host is up (0.012s latency).
    All 1000 scanned ports on 192.168.1.1 are closed

    Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds

Scanning the entire network also finds the http port:

    $ nmap 192.168.1.0/24

    Starting Nmap 5.51 ( http://nmap.org ) at 2012-04-19 20:02 AKDT
    Nmap scan report for 192.168.1.1
    Host is up (0.0044s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    80/tcp open  http

    Nmap scan report for 192.168.1.25
    Host is up (0.029s latency).
    Not shown: 995 closed ports

    [snip other hosts]

Is the router maybe hiding because it just got discovered or something,
or could this be some sort of nmap bug?

Thanks,
Britton Kerin
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
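The sequence Dan describes, as an added example that is not part of this thread or of Nmap's own code: an unprivileged Nmap has no raw sockets, so both its host-discovery "ping" and its port scan are plain connect() calls, and the kernel completes a real three-way handshake that the target's listener then has to deal with. The script below replays that two-phase sequence against a constructed local listener that never accept()s (a stand-in for a single-threaded HTTP server busy with an earlier client). Assumptions: the ping port defaults to 80 as in Dan's reply, the gap that -T2 or a large target list puts between the phases is modelled as a plain sleep, and the listener, host and ports are local test fixtures, not the router from the original post.

```python
import socket
import time

# Nmap's port-state vocabulary for a connect() scan.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe(host, port, timeout=1.0):
    """One full TCP connect() probe, the only probe an unprivileged Nmap can
    send.  The kernel completes the three-way handshake on our behalf, so the
    target's listener sees a real connection.  Outcomes map to Nmap states:
    handshake done -> open, RST (ECONNREFUSED) -> closed, no answer or an
    unreachable error -> filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except OSError:          # timeout, EHOSTUNREACH, ENETUNREACH, ...
        return FILTERED
    finally:
        s.close()


def unprivileged_scan(host, ports, ping_port=80, phase_delay=0.0, timeout=1.0):
    """Two-phase scan in the order an unprivileged Nmap runs it.

    Phase 1 (host discovery): one connect() to ping_port.  Either a completed
    handshake or a RST proves the host is up; only silence marks it down.
    Phase 2 (port scan): a connect() to every port in `ports`.

    phase_delay is the gap between the two phases.  Against a single target it
    is ~0; -T2 or a /24 worth of other hosts stretches it, which is the gap
    Dan's reply says the router needs to reset its socket.  Assumption: that
    gap is modelled here as a plain sleep, nothing more of Nmap's timing
    engine is reproduced."""
    ping = probe(host, ping_port, timeout)
    if ping == FILTERED:
        return {"host_up": False, "ports": {}}
    time.sleep(phase_delay)
    return {"host_up": True,
            "ports": {p: probe(host, p, timeout) for p in ports}}


def start_listener(host="127.0.0.1", backlog=5):
    """Constructed stand-in for the router's HTTP listener: a socket that
    listens but never accept()s, like a single-threaded server still busy with
    an earlier client.  Handshakes still complete into the kernel backlog, so
    connect() probes report it open.  Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # ephemeral port chosen by the kernel
    srv.listen(backlog)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    # Ping and scan hit the same port, as with port 80 on the router.
    print("listening:", unprivileged_scan("127.0.0.1", [port], ping_port=port))
    srv.close()
    # The port now answers with RST: host still up, port closed.
    print("closed:   ", unprivileged_scan("127.0.0.1", [port], ping_port=port))
```

The three knobs Dan mentions map onto this directly: `-Pn` skips phase 1 entirely, so the listener sees only one connection; `-T2` widens `phase_delay`; and running Nmap as root replaces both phases with raw packets (the default privileged scan is a half-open SYN scan that never completes the handshake, so the server's accept queue never sees the probe at all).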
