Penetration Testing mailing list archives

Re: Weird Nmap Behavior


From: Tim <tim-pentest () sentinelchicken org>
Date: Tue, 6 Oct 2009 08:17:20 -0700

> Now note that we know for a fact that out of the 16 IPs we scanned
> not all were live. So we did expect at least some to be down. But
> strangely Nmap said that all 16 IPs were "up". Sure all ports were
> filtered - but the IPs were up. We're running SYN scans with a -PN
> switch as well and I'm quite sure it wasn't our firewall doing this -
> because we weren't doing any blocking as such (3 IPs were live -
> ping).

By using '-PN' you are explicitly telling nmap that every host is
alive so don't ping it.  It's just giving you back what you told it.

A better approach to determine what hosts are alive is to use an '-sP'
scan with complex -P options (which can include UDP and TCP probes on
multiple ports as well as different ICMP queries and a whole host of
other things).  Then if any of those probes comes back, nmap will
treat it as alive.

tim
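The two-phase approach Tim describes (host discovery with several probe types, then a SYN scan of only the hosts that answered), as an added example that is not part of the original thread. It assumes a hypothetical target range of 192.0.2.0/28 (TEST-NET-1) and root privileges for raw ICMP/SYN probes; the constructed grepable output in the comments is sample data, not a real scan. In current Nmap releases the ping-scan option Tim calls -sP is spelled -sn (the old name is still accepted).

```shell
#!/bin/sh
# Added example: discovery-then-scan with nmap. The target range and file
# names are assumptions for illustration.

# Phase 1: host discovery WITHOUT -Pn. Probes: ICMP echo (-PE), ICMP
# timestamp (-PP), TCP SYN (-PS) and TCP ACK (-PA) to a few common ports,
# UDP (-PU) to 53/161. Any reply marks the host Up; no reply leaves it
# Down. -n skips reverse DNS, -oG writes grepable output to "$2".
discover() {
    # $1 = target spec, $2 = grepable output file
    nmap -sn -PE -PP -PS21,22,25,80,443,3389 -PA80,443 -PU53,161 \
         -n -oG "$2" "$1"
}

# Parse grepable output on stdin and print only hosts reported Up, e.g.
#   Host: 192.0.2.1 ()   Status: Up     -> printed
#   Host: 192.0.2.2 ()   Status: Down   -> skipped
# Caveat: if the discovery run itself used -Pn, every host is reported
# "Status: Up" because discovery is skipped, so this filter only carries
# information when -Pn is NOT used.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Phase 2: full TCP SYN scan restricted to the discovered hosts, read
# from a file with one IP per line (-iL). Still no -Pn, so a host that
# went quiet in between is re-checked rather than assumed alive.
scan_live() {
    # $1 = file with one IP per line
    nmap -sS -n -p- -iL "$1" -oN syn-scan.txt
}

# Only run against the network when explicitly asked ("run" argument).
if [ "${1:-}" = "run" ]; then
    discover 192.0.2.0/28 discovery.gnmap
    live_hosts < discovery.gnmap > live.txt
    echo "$(wc -l < live.txt | tr -d ' ') host(s) up"
    [ -s live.txt ] && scan_live live.txt
fi
```

Run as root with `sh discover.sh run`; live.txt then contains only the addresses that answered at least one probe, which is the list the SYN scan should be fed. Compare the host count in live.txt against the size of the range: with -Pn it would always equal the range size, which is exactly the symptom in the original post.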

