Penetration Testing mailing list archives

Re: Weird Nmap Behavior


From: Robert Portvliet <robert.portvliet () gmail com>
Date: Tue, 6 Oct 2009 09:47:35 -0400

If you have the -PN switch set, it won't do any checks to see if the
host is up; it will just scan... so that's probably where you're
getting the false positives from.

I believe the default 'ping' behaviour with Nmap now is to send a TCP
packet to port 80 instead of using ICMP, as this is allowed through
much more often.

If I'm incorrect, someone please correct me, as it's been a bit since I
read Fyodor's book & I don't have it on hand at the moment.



On Mon, Oct 5, 2009 at 1:38 PM, arvind doraiswamy
<arvind.doraiswamy () gmail com> wrote:
Hey Pplz,
I wanted to check if any of you guys have come across this behavior.
We routinely scan large networks using Nmap - so we thought we'd use
it to also try and discover what IPs were live.

Now note that this discussion covers hosts on the Internet and not on
the LAN. So while testing out Nmap 4.76/5.00 we scanned one of our own
IP ranges to check if it detected what was up and what was down.

Now note that we know for a fact that out of the 16 IPs we scanned
not all were live. So we did expect at least some to be down. But
strangely Nmap said that all 16 IPs were "up". Sure, all ports were
filtered - but the IPs were up. We're running SYN scans with a -PN
switch as well, and I'm quite sure it wasn't our firewall doing this -
because we weren't doing any blocking as such (3 IPs were live -
ping).

Now I'm a little confused - Firstly, of course an IP can be live while
having, say, 65535 ports filtered because it's behind a firewall. Which then
brings me to the next 2 questions:
--- If every port is filtered and ping is blocked (Internet), how does
Nmap decide that a host is up?
--- How would you explain behavior like the above where I know for a
fact an IP hasn't been assigned to a server/device/anything?

Lastly, if I want to test known "down" IPs, are there any such IPs?
Not misspelt domain names as of now - just test "down" IP addresses.

Finally, if this behavior for Nmap is how it is and can't be
changed (due to whatever stack dependencies etc., just shooting in the
air here), isn't this giving inaccurate results? What is a workaround?

Thnx
Arvind

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
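One way to tell hosts that actually answered a probe apart from hosts Nmap marks "up" only because -PN (now spelled -Pn) told it to skip discovery, as an added example that is not part of this thread: Nmap's XML output (-oX) records why a host was called up in the status element's reason attribute, and a skipped discovery shows up there as "user-set". The XML below is constructed for the example, not captured scan output, and the addresses are documentation-range placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output. Host .1 answered a SYN probe,
# host .2 is "up" only because -Pn skipped discovery and every port was
# filtered (the false positive from the thread), host .3 was scanned
# without -Pn and reported down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -Pn -oX - 198.51.100.0/30">
  <host><status state="up" reason="syn-ack" reason_ttl="54"/>
    <address addr="198.51.100.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="54"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset" reason_ttl="54"/></port>
    </ports>
  </host>
  <host><status state="up" reason="user-set" reason_ttl="0"/>
    <address addr="198.51.100.2" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="1000"><extrareasons reason="no-response" count="1000"/></extraports>
    </ports>
  </host>
  <host><status state="down" reason="no-response" reason_ttl="0"/>
    <address addr="198.51.100.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Port states that can only result from a packet coming back from the host.
REPLY_STATES = {"open", "closed", "unfiltered"}


def classify_hosts(xml_text):
    """Map each address to 'confirmed', 'unverified' or 'down'.

    'confirmed': Nmap received something from the host (status reason is
    not user-set, or at least one port replied during the scan).
    'unverified': marked up purely because discovery was skipped (-Pn) and
    nothing answered, so the address may well be unassigned."""
    verdicts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        status = host.find("status")
        if status.get("state") != "up":
            verdicts[addr] = "down"
        elif status.get("reason") != "user-set":
            verdicts[addr] = "confirmed"
        else:
            # Discovery was skipped: trust the host only if a port replied.
            replied = any(s.get("state") in REPLY_STATES for s in host.iter("state"))
            verdicts[addr] = "confirmed" if replied else "unverified"
    return verdicts
```

Running a real scan with --reason shows the same information in normal output ("Host is up, received user-set"), which is the quickest way to spot these entries by eye.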