Nmap Development mailing list archives

Re: bug - scan fails first time, runs 2nd


From: "^..^" <zenfish () gmail com>
Date: Wed, 22 Aug 2012 06:05:36 -0700

Following up to my own….

(Behavior on Mtn. Lion, nmap v 6.01.)

It looks like nmap is doing an ARP ping scan the first time it looks at something it hasn't seen before; the -vv flags show this:

# nmap -vv -p 80 128.128.128.128

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-22 05:59 PDT
Initiating ARP Ping Scan at 05:59
Scanning 128.128.128.128 [1 port]
Completed ARP Ping Scan at 05:59, 0.41s elapsed (1 total hosts)
Nmap scan report for 128.128.128.128 [host down]
Read data files from: /usr/local/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.44 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)

sh-3.2# nmap -vv -p 80 128.128.128.128

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-22 05:59 PDT
Initiating Ping Scan at 05:59
Scanning 128.128.128.128 [4 ports]
Completed Ping Scan at 05:59, 3.02s elapsed (1 total hosts)
Nmap scan report for 128.128.128.128 [host down]
Read data files from: /usr/local/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
           Raw packets sent: 8 (304B) | Rcvd: 0 (0B)

-- d

^..^

On Aug 21, 2012, at 4:59 PM, ^..^ <zenfish () gmail com> wrote:

(I searched and didn't find anything about this, but didn't see anything; mea culpa if it's something obvious. I heavily modify my systems, but since this is a new OS (Mountain Lion) I haven't had a chance to bork it too badly yet. I think.)


Synopsis: When using Apple's Mountain Lion and nmap 6.0.1 with a FQDN as a previously unresolved target on the Mac, it will do nothing (no output, no packets out). A repeated, exact same scan will work the 2nd time. IPs, CIDR blocks and other targeting thingees seem to work just fine.

Problem: It might be intermittent. I noticed some strangeness and usually nmap doesn't work, but then when testing the damn thing it does from time to time… this could be due to all my various services on my network talking to some external machine (I didn't feel like shutting everything down just to test).


In any case, if of use.

Some output/tests - 

sh-3.2# uname -a
Darwin fierce 12.0.0 Darwin Kernel Version 12.0.0: Sun Jun 24 23:00:16 PDT 2012; root:xnu-2050.7.9~1/RELEASE_X86_64 x86_64

sh-3.2# nmap -p 80 ae-7-7.car1.Boston1.Level3.net

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-21 16:41 PDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.50 seconds

sh-3.2# nmap -p 80 ae-7-7.car1.Boston1.Level3.net

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-21 16:41 PDT
Nmap scan report for ae-7-7.car1.Boston1.Level3.net (4.69.132.241)
Host is up (0.099s latency).
PORT   STATE  SERVICE
80/tcp closed http

Packet sniffing at the same time reveals nothing except the DNS query going out (192.168.0.6 is the Mountain Lion system); the first few lines are the request from the first run, the 2nd set of packets are nmap talking to the host above:

# tshark src host 192.168.0.6
Capturing on en0
  0.000000  192.168.0.6 -> 192.168.0.55 DNS 83 Standard query 0x5689  A internalcheck.apple.com
  1.079708  192.168.0.6 -> 192.168.0.55 DNS 90 Standard query 0x82fe  A ae-7-7.car1.Boston1.Level3.net
  1.134572 Apple_0b:0b:bd -> Broadcast    ARP 42 Who has 4.69.132.241?  Tell 192.168.0.6
  1.337248 Apple_0b:0b:bd -> Broadcast    ARP 42 Who has 4.69.132.241?  Tell 192.168.0.6

  2.400217  192.168.0.6 -> 4.69.132.241 ICMP 42 Echo (ping) request  id=0x438d, seq=0/0, ttl=45
  2.400224  192.168.0.6 -> 4.69.132.241 TCP 58 48694 > https [SYN] Seq=0 Win=1024 Len=0 MSS=1460
  2.400226  192.168.0.6 -> 4.69.132.241 TCP 54 48694 > http [ACK] Seq=1 Ack=1 Win=1024 Len=0
  2.400230  192.168.0.6 -> 4.69.132.241 ICMP 54 Timestamp request    id=0x1347, seq=0/0, ttl=45
  2.507217  192.168.0.6 -> 8.8.8.8      DNS 85 Standard query 0xebc0  PTR 241.132.69.4.in-addr.arpa
  2.536883  192.168.0.6 -> 4.69.132.241 TCP 58 [TCP Port numbers reused] 48694 > http [SYN] Seq=0 Win=1024 Len=0 MSS=1460

dan

^..^


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
