Penetration Testing mailing list archives

Re: Weird Nmap Behavior


From: Jon Kibler <Jon.Kibler () aset com>
Date: Tue, 06 Oct 2009 16:02:29 -0400

Gorgon Beast wrote:
I have noticed this as well, and it happens specifically when I try to scan over my Cisco devices. Locally, it works fine if there are no devices in the middle. The command I am using is 'nmap -sP xxx.xxx.xxx.0/24'. I only have 23 devices on that subnet powered on, yet NMAP shows them all "up".

I've noticed this behavior in the last 2 versions, for sure. For example, there are no devices on any of the following IPs, and the scanning machine is behind an ASA:

........ Truncated...........
Host xxx.xxx.xxx.241 is up (0.0089s latency).
Host xxx.xxx.xxx.242 is up (0.011s latency).
Host xxx.xxx.xxx.243 is up (0.00070s latency).
Host xxx.xxx.xxx.244 is up (0.0090s latency).
Host xxx.xxx.xxx.245 is up (0.011s latency).
Host xxx.xxx.xxx.246 is up (0.00078s latency).
Host xxx.xxx.xxx.247 is up (0.0086s latency).
Host xxx.xxx.xxx.248 is up (0.011s latency).
Host xxx.xxx.xxx.249 is up (0.00072s latency).
Host xxx.xxx.xxx.250 is up (0.0087s latency).
Host xxx.xxx.xxx.251 is up (0.0086s latency).
Host xxx.xxx.xxx.252 is up (0.0013s latency).
Host xxx.xxx.xxx.253 is up (0.00094s latency).
Host xxx.xxx.xxx.254 is up (0.0072s latency).
Host xxx.xxx.xxx.255 is up (0.0094s latency).
Nmap done: 256 IP addresses (256 hosts up) scanned in 5.58 seconds


This is because the ASA proxies all outbound connections. That is why I asked in
the original post regarding the firewall layout relative to the network.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


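A sanity check for the symptom discussed in this thread, added here as an example (it is not code from either poster or from the Nmap project): it parses `nmap -sP` output in the format quoted above and flags results in which every scanned address, including the subnet's network and broadcast addresses, is reported up. The function names, the `min_hosts` threshold and the 192.0.2.0/24 sample data are assumptions made for the example.

```python
import ipaddress
import re

# Matches only the line formats quoted in the message above.
HOST_RE = re.compile(r"^Host (\d+\.\d+\.\d+\.\d+) is up", re.M)
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)", re.M)


def parse_ping_scan(text):
    """Return (addresses reported up, addresses scanned, hosts-up count)."""
    up = [ipaddress.ip_address(m.group(1)) for m in HOST_RE.finditer(text)]
    done = DONE_RE.search(text)
    if done is None:
        raise ValueError("no 'Nmap done' summary line found")
    return up, int(done.group(1)), int(done.group(2))


def sanity_check(text, cidr, min_hosts=16):
    """Return warnings that suggest a device in the path answered the probes."""
    net = ipaddress.ip_network(cidr)
    up, scanned, reported_up = parse_ping_scan(text)
    warnings = []
    # A fully populated range is unusual; the poster expected 23 of 256.
    if scanned >= min_hosts and reported_up == scanned:
        warnings.append(f"all {scanned} addresses reported up")
    # The network and broadcast addresses are not hosts on a normal subnet.
    non_hosts = sorted({net.network_address, net.broadcast_address} & set(up))
    if net.prefixlen < 31 and non_hosts:
        warnings.append("network/broadcast address reported up: "
                        + ", ".join(str(a) for a in non_hosts))
    return warnings


def _sample(last_octets, scanned=256):
    """Build constructed output for 192.0.2.0/24 (documentation range)."""
    hosts = list(last_octets)
    lines = [f"Host 192.0.2.{i} is up (0.0089s latency)." for i in hosts]
    lines.append(f"Nmap done: {scanned} IP addresses ({len(hosts)} hosts up) "
                 "scanned in 5.58 seconds")
    return "\n".join(lines) + "\n"


PROXIED = _sample(range(256))       # constructed: mirrors the result quoted above
PLAUSIBLE = _sample(range(10, 33))  # constructed: 23 live hosts, as expected

if __name__ == "__main__":
    for name, text in (("proxied", PROXIED), ("plausible", PLAUSIBLE)):
        print(name, sanity_check(text, "192.0.2.0/24") or "no warnings")
```

A warning from this check means the host-discovery result should not be trusted as an inventory of live hosts from that vantage point.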



