Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Issues with privileged scan of LAN on Mac OS X

From: Jesper Kückelhahn <dev.kyckel () gmail com>
Date: Sun, 27 Jan 2013 13:01:04 +0100
Hi List,

I'm seeing some strange behaviour when running privileged scans against hosts in my LAN. nmap marks the target as being 
down, but if I run unprivileged, it works fine. This does not happen when scanning external targets. I've checked out 
previous revisions (back to r30000), to see if it might be a patch that broke something, but I haven't found any 
differences. Could this issue be caused by a change in OS X ? Unfortunately, I don't have access to previous versions 
(I'm on 10.8.2), so I can't test if this is the case.

Any ideas on why this is happening ?


- Jesper

--------------------------------------------------------------------------------

$ nmap -d 192.168.1.23

Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-01-27 11:33 CET
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 11:33
Scanning 192.168.1.23 [2 ports]
Completed Ping Scan at 11:33, 0.00s elapsed (1 total hosts)
Overall sending rates: 3514.94 packets / s.
mass_rdns: Using DNS server xxx
mass_rdns: Using DNS server xxx
Initiating Parallel DNS resolution of 1 host. at 11:33
mass_rdns: 0.09s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 11:33, 0.09s elapsed
DNS resolution of 1 IPs took 0.09s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 11:33
Scanning 192.168.1.23 [1000 ports]
Discovered open port 8080/tcp on 192.168.1.23
Discovered open port 22/tcp on 192.168.1.23
Discovered open port 995/tcp on 192.168.1.23
Discovered open port 445/tcp on 192.168.1.23
Discovered open port 139/tcp on 192.168.1.23
Discovered open port 110/tcp on 192.168.1.23
Discovered open port 53/tcp on 192.168.1.23
Discovered open port 80/tcp on 192.168.1.23
Discovered open port 993/tcp on 192.168.1.23
Discovered open port 25/tcp on 192.168.1.23
Discovered open port 143/tcp on 192.168.1.23
Discovered open port 5432/tcp on 192.168.1.23
Completed Connect Scan at 11:33, 0.03s elapsed (1000 total ports)
Overall sending rates: 29619.98 packets / s.
Nmap scan report for 192.168.1.23
Host is up, received syn-ack (0.00081s latency).
Scanned at 2013-01-27 11:33:00 CET for 0s
Not shown: 988 closed ports
Reason: 988 conn-refused
PORT     STATE SERVICE      REASON
22/tcp   open  ssh          syn-ack
25/tcp   open  smtp         syn-ack
53/tcp   open  domain       syn-ack
80/tcp   open  http         syn-ack
110/tcp  open  pop3         syn-ack
139/tcp  open  netbios-ssn  syn-ack
143/tcp  open  imap         syn-ack
445/tcp  open  microsoft-ds syn-ack
993/tcp  open  imaps        syn-ack
995/tcp  open  pop3s        syn-ack
5432/tcp open  postgresql   syn-ack
8080/tcp open  http-proxy   syn-ack
Final times for host: srtt: 808 rttvar: 28  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds


--------------------------------------------------------------------------------

$ sudo nmap -ddd 192.168.1.23

Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-01-27 11:34 CET
Fetchfile found /usr/local/bin/../share/nmap/nmap-services
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
Fetchfile found /usr/local/bin/../share/nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
doing 0.0.0.0 = 192.168.1.23
Fetchfile found /usr/local/bin/../share/nmap/nmap-payloads
Initiating ARP Ping Scan at 11:34
Scanning 192.168.1.23 [1 port]
Packet capture filter (device en1): arp and arp[18:4] = 0xE4CE8F35 and arp[22:2] = 0x7D32
SENT (0.0359s) ARP who-has 192.168.1.23 tell 192.168.1.15
**TIMING STATS** (0.0360s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
Current sending rates: 1315.79 packets / s, 55263.16 bytes / s.
Overall sending rates: 1315.79 packets / s, 55263.16 bytes / s.
SENT (0.2443s) ARP who-has 192.168.1.23 tell 192.168.1.15
**TIMING STATS** (0.2445s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
Current sending rates: 9.56 packets / s, 401.42 bytes / s.
Overall sending rates: 9.56 packets / s, 401.42 bytes / s.
**TIMING STATS** (0.4508s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 0/*/*/*/*/* 10.00/75/* 200000/-1/-1
Current sending rates: 4.81 packets / s, 202.13 bytes / s.
Overall sending rates: 4.81 packets / s, 202.13 bytes / s.
ultrascan_host_probe_update called for machine 192.168.1.23 state UNKNOWN -> HOST_DOWN (trynum 1 time: 217789)
Moving 192.168.1.23 to completed hosts list with 1 outstanding probe.
Completed ARP Ping Scan at 11:34, 0.43s elapsed (1 total hosts)
Overall sending rates: 4.68 packets / s, 196.73 bytes / s.
pcap stats: 6 packets received by filter, 0 dropped by kernel.
mass_rdns: Using DNS server xxx
mass_rdns: Using DNS server xxx
Nmap scan report for 192.168.1.23 [host down, received no-response]
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.46 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)


--------------------------------------------------------------------------------

$ sudo nmap -Pn 192.168.1.23

Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-01-27 12:32 CET
Nmap done: 1 IP address (0 hosts up) scanned in 0.51 seconds
HomerMac:nmap kyckel$ sudo nmap -Pn -ddd 192.168.1.23

Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-01-27 12:32 CET
Fetchfile found /usr/local/bin/../share/nmap/nmap-services
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
Fetchfile found /usr/local/bin/../share/nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found /usr/local/bin/../share/nmap/nmap-payloads
Initiating ARP Ping Scan at 12:32
Scanning 192.168.1.23 [1 port]
Packet capture filter (device en1): arp and arp[18:4] = 0xE4CE8F35 and arp[22:2] = 0x7D32
SENT (0.0336s) ARP who-has 192.168.1.23 tell 192.168.1.15
**TIMING STATS** (0.0336s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
Current sending rates: 1926.78 packets / s, 80924.86 bytes / s.
Overall sending rates: 1926.78 packets / s, 80924.86 bytes / s.
SENT (0.2394s) ARP who-has 192.168.1.23 tell 192.168.1.15
**TIMING STATS** (0.2396s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
Current sending rates: 9.68 packets / s, 406.68 bytes / s.
Overall sending rates: 9.68 packets / s, 406.68 bytes / s.
**TIMING STATS** (0.4478s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 0/*/*/*/*/* 10.00/75/* 200000/-1/-1
Current sending rates: 4.82 packets / s, 202.53 bytes / s.
Overall sending rates: 4.82 packets / s, 202.53 bytes / s.
ultrascan_host_probe_update called for machine 192.168.1.23 state UNKNOWN -> HOST_DOWN (trynum 1 time: 219691)
Moving 192.168.1.23 to completed hosts list with 1 outstanding probe.
Completed ARP Ping Scan at 12:32, 0.43s elapsed (1 total hosts)
Overall sending rates: 4.69 packets / s, 197.11 bytes / s.
pcap stats: 3 packets received by filter, 0 dropped by kernel.
mass_rdns: Using DNS server xxx
mass_rdns: Using DNS server xxx
Nmap scan report for 192.168.1.23 [host down, received no-response]
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (0 hosts up) scanned in 0.46 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)


--------------------------------------------------------------------------------
$ sudo nmap -Pn -d scanme.nmap.org

Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-01-27 12:34 CET
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server xxx
mass_rdns: Using DNS server xxx
Initiating Parallel DNS resolution of 1 host. at 12:34
mass_rdns: 1.18s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 12:34, 1.18s elapsed
DNS resolution of 1 IPs took 1.18s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 12:34
Scanning scanme.nmap.org (74.207.244.221) [1000 ports]
Packet capture filter (device en1): dst host 192.168.1.15 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 
74.207.244.221)))
Increased max_successful_tryno for 74.207.244.221 to 1 (packet drop)
Discovered open port 80/tcp on 74.207.244.221
Discovered open port 22/tcp on 74.207.244.221
Increasing send delay for 74.207.244.221 from 0 to 5 due to 11 out of 22 dropped probes since last increase.
Increased max_successful_tryno for 74.207.244.221 to 2 (packet drop)
SYN Stealth Scan Timing: About 44.12% done; ETC: 12:36 (0:00:39 remaining)
Increased max_successful_tryno for 74.207.244.221 to 3 (packet drop)
Discovered open port 9929/tcp on 74.207.244.221
Completed SYN Stealth Scan at 12:35, 62.38s elapsed (1000 total ports)
Overall sending rates: 17.62 packets / s, 775.24 bytes / s.
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received user-set (0.46s latency).
Scanned at 2013-01-27 12:34:56 CET for 63s
Not shown: 993 closed ports
Reason: 993 resets
PORT     STATE    SERVICE      REASON
22/tcp   open     ssh          syn-ack
80/tcp   open     http         syn-ack
135/tcp  filtered msrpc        no-response
139/tcp  filtered netbios-ssn  no-response
445/tcp  filtered microsoft-ds no-response
646/tcp  filtered ldp          no-response
9929/tcp open     nping-echo   syn-ack
Final times for host: srtt: 459281 rttvar: 47754  to: 650297

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 63.59 seconds
           Raw packets sent: 1099 (48.356KB) | Rcvd: 1036 (41.460KB)           

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: