Re: Weird Nmap Behavior

[Jon Kibler <Jon.Kibler () aset com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

arvind doraiswamy wrote:
> Hey Pplz,
> I wanted to check if any of you guys have come across this behavior.
> We routinely scan large networks using Nmap - so we thought we'd use
> it to also try and discover what IP's were live.
>
> Now note that this discussion covers hosts on the Internet and not on
> the LAN. So while testing out Nmap 4.76/5.00 we scanned one of our own
> IP ranges to check if it detected what was up and what was down.
>
> Now note that we know for a fact that out of the 16 IP's we scanned
> not all were live. So we did expect atleast some to be down. But
> strangely Nmap said that all 16 IP's were "up". Sure all ports were
> filtered - but the IP's were up. We're running SYN scans with a -PN
> switch as well and am quite sure it wasn't our firewall doing this -
> because we weren't doing any blocking as such( 3 IP's were live -
> ping).
>
> Now I'm a little confused - Firstly ofcourse an IP can be live while
> having say 65535 ports filtered coz its behind a firewall. Which then
> brings me to the next 2 questions:
> --- If every port is filtered and ping is blocked(Internet) how does
> Nmap decide that a host is up?
> --- How would you explain behavior like the above where I know for a
> fact an IP hasn't been assigned to a server/device/anything?
>
> Lastly if I want to test known "down" IP's are there any such IP's?
> Not misspelt domain names as of now - just test "down" IP addresses.
>
> Finally if this behavior for Nmap is how it is and can't be
> changed(due to whatever stack dependencies etc , just shooting in the
> air here) isn't this giving in accurate results? What is a workaround?
>
> Thnx
> Arvind

1) From what O/S did you issue the command?

2) What is the exact nmap command used? (x out first 3 octets of address:
x.y.z.32-47 for example)

3) You mentioned a firewall...
   a) Was the system you were scanning from behind a firewall / proxy / etc.?
   b) Was the systems being scanned behind a firewall / proxy /etc.?
   c) Both

4) Rerun the command with the '--reason' option specified. That will tell you
the exact response received and from where (host IP vs. firewall IP).

5) Were any of the IPs in the range that you scanned either the netblock's
network number or broadcast address?

Bottom line: nmap reports a host up when it gets any response from the host's IP
address, even if it is not the host that is responding. If I had to guess,
either your firewall(s) are messing with you, or you are sending traffic to a
netnum or bcast address and getting false responses.

Hope this helps!

Jon
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrK3xwACgkQUVxQRc85QlNXZgCdGN+uUaiJ3RiutUPhaPNNI9xz
fYoAniyZBxFk/PNpbhWrWQbDuhF1Y/pq
=JUDa
-----END PGP SIGNATURE-----




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------