Penetration Testing mailing list archives

RE: Weird Nmap Behavior


From: mhellman () taxandfinance com
Date: Tue, 6 Oct 2009 17:34:52 -0500 (CDT)

As nice as NMAP is, there is no magic.  Either get a dump or add the
--packet-trace option and you can tell exactly why nmap is telling you
this.  By default, I believe nmap tries ICMP echo request and port 80 for
host discovery. Perhaps there is some proxy ARP going on or a captive
portal which results in all port 80 requests being answered?  The packets
do not lie...

I have noticed this as well, and it happens specifically when I try to
scan over my Cisco devices.  Locally, it works fine if there are no
devices in the middle.  The command I am using is 'nmap -sP
xxx.xxx.xxx.0/24'.  I only have 23 devices on that subnet powered on, yet
NMAP shows them all "up".

I've noticed this behavior in the last 2 versions, for sure.  For example,
there are no devices on any of the following IP's, and the scanning
machine is behind an ASA:

........ Truncated...........
Host xxx.xxx.xxx.241 is up (0.0089s latency).
Host xxx.xxx.xxx.242 is up (0.011s latency).
Host xxx.xxx.xxx.243 is up (0.00070s latency).
Host xxx.xxx.xxx.244 is up (0.0090s latency).
Host xxx.xxx.xxx.245 is up (0.011s latency).
Host xxx.xxx.xxx.246 is up (0.00078s latency).
Host xxx.xxx.xxx.247 is up (0.0086s latency).
Host xxx.xxx.xxx.248 is up (0.011s latency).
Host xxx.xxx.xxx.249 is up (0.00072s latency).
Host xxx.xxx.xxx.250 is up (0.0087s latency).
Host xxx.xxx.xxx.251 is up (0.0086s latency).
Host xxx.xxx.xxx.252 is up (0.0013s latency).
Host xxx.xxx.xxx.253 is up (0.00094s latency).
Host xxx.xxx.xxx.254 is up (0.0072s latency).
Host xxx.xxx.xxx.255 is up (0.0094s latency).
Nmap done: 256 IP addresses (256 hosts up) scanned in 5.58 seconds

----------------------------------------
Date: Mon, 5 Oct 2009 23:08:05 +0530
Subject: Weird Nmap Behavior
From: arvind.doraiswamy () gmail com
To: pen-test () securityfocus com

Hey Pplz,
I wanted to check if any of you guys have come across this behavior.
We routinely scan large networks using Nmap - so we thought we'd use
it to also try and discover what IP's were live.

Now note that this discussion covers hosts on the Internet and not on
the LAN. So while testing out Nmap 4.76/5.00 we scanned one of our own
IP ranges to check if it detected what was up and what was down.

Now note that we know for a fact that out of the 16 IP's we scanned
not all were live. So we did expect at least some to be down. But
strangely Nmap said that all 16 IP's were "up". Sure all ports were
filtered - but the IP's were up. We're running SYN scans with a -PN
switch as well and am quite sure it wasn't our firewall doing this -
because we weren't doing any blocking as such (3 IP's were live -
ping).

Now I'm a little confused - Firstly of course an IP can be live while
having say 65535 ports filtered coz it's behind a firewall. Which then
brings me to the next 2 questions:
--- If every port is filtered and ping is blocked (Internet) how does
Nmap decide that a host is up?
--- How would you explain behavior like the above where I know for a
fact an IP hasn't been assigned to a server/device/anything?

Lastly if I want to test known "down" IP's are there any such IP's?
Not misspelt domain names as of now - just test "down" IP addresses.

Finally if this behavior for Nmap is how it is and can't be
changed (due to whatever stack dependencies etc., just shooting in the
air here), isn't this giving inaccurate results? What is a workaround?

Thnx
Arvind
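The two reports above share one symptom: a ping scan (-sP) claims every address in a range is up, including ones known to be unassigned, and the reply to that is to look at the packets rather than trust the summary. The script below is an added example for this thread, not Nmap's code or anything from the posters: it parses the Nmap 4.x/5.0 ping-scan text format quoted above ("Host A.B.C.D is up (Ns latency)." and the "Nmap done:" line) and applies the sanity checks a reviewer would apply before believing the host count: every address up, the network and broadcast addresses answering, and more hosts up than the inventory says exist. The sample output is constructed in the 192.0.2.0/24 documentation range, standing in for the masked xxx.xxx.xxx.0/24 above; the function names and the `known_live` parameter are the example's own.

```python
"""Sanity-check an Nmap ping-scan (-sP / -sn) text report for signs that a
middlebox (proxy ARP, captive portal, a firewall answering on behalf of
everything) is making every address look up.

Added example for the thread above, not Nmap's own code.  Assumes the Nmap
4.x/5.0 output format quoted in the thread.  Addresses are constructed in
192.0.2.0/24 (TEST-NET-1); known_live is a hypothetical inventory count.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Host 192.0.2.1 is up (0.0089s latency)."  (latency is optional in output)
HOST_RE = re.compile(r"^Host (\S+) is up(?: \(([\d.]+)s latency\))?\.$")
# "Nmap done: 256 IP addresses (256 hosts up) scanned in 5.58 seconds"
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")


@dataclass
class PingScan:
    addresses_scanned: int = 0
    hosts_up: int = 0
    # ip -> reported latency in seconds, or None when Nmap printed none
    latency: Dict[str, Optional[float]] = field(default_factory=dict)


def parse_ping_scan(text: str) -> PingScan:
    """Parse the per-host lines and the final summary line of a -sP report."""
    scan = PingScan()
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            scan.latency[m.group(1)] = float(m.group(2)) if m.group(2) else None
            continue
        m = DONE_RE.match(line)
        if m:
            scan.addresses_scanned = int(m.group(1))
            scan.hosts_up = int(m.group(2))
    return scan


def assess(scan: PingScan, network: str, known_live: Optional[int] = None) -> List[str]:
    """Return findings that argue against taking the 'hosts up' count at face
    value.  An empty list means nothing about the summary looks implausible."""
    net = ipaddress.ip_network(network, strict=False)
    findings: List[str] = []

    # 1. A full range answering is the thread's symptom: 256 of 256 up.
    if scan.addresses_scanned and scan.hosts_up == scan.addresses_scanned:
        findings.append(f"all {scan.hosts_up} scanned addresses reported up")

    # 2. Nothing should answer as the network or broadcast address of a /24;
    #    a reply there means some device answers for addresses it does not own.
    for special, label in ((net.network_address, "network"),
                           (net.broadcast_address, "broadcast")):
        if str(special) in scan.latency:
            findings.append(f"{label} address {special} reported up")

    # 3. More hosts up than the inventory has powered on (hypothetical count).
    if known_live is not None and scan.hosts_up > known_live:
        findings.append(f"{scan.hosts_up} up but only {known_live} hosts in inventory")

    return findings


# Constructed sample in the shape of the truncated listing quoted above.
SAMPLE = """\
Host 192.0.2.0 is up (0.0091s latency).
Host 192.0.2.1 is up (0.00071s latency).
Host 192.0.2.2 is up (0.011s latency).
Host 192.0.2.253 is up (0.00094s latency).
Host 192.0.2.254 is up (0.0072s latency).
Host 192.0.2.255 is up (0.0094s latency).
Nmap done: 256 IP addresses (256 hosts up) scanned in 5.58 seconds
"""

# Constructed sample of a report with nothing suspicious about it.
HEALTHY = """\
Host 192.0.2.10 is up (0.0021s latency).
Host 192.0.2.20 is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.10 seconds
"""

if __name__ == "__main__":
    for name, report in (("suspicious", SAMPLE), ("healthy", HEALTHY)):
        scan = parse_ping_scan(report)
        print(f"{name}: {scan.hosts_up}/{scan.addresses_scanned} up")
        for finding in assess(scan, "192.0.2.0/24", known_live=23):
            print("  -", finding)
```

When the checks fire, the next step is the one mhellman gives: re-run the scan with --packet-trace (or capture it) and see which device actually answers the probes, since a single responder replying for the whole range will show up as the same source of every reply.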

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------





