Nmap 4.11: False positive ping results
From: Vitaly McLain <VMcLain () crowechizek com>
Date: Fri, 21 Jul 2006 15:55:27 -0500
Just wanted to let you know that we got some interesting false positives
with Nmap during a ping sweep. We used the -sP option (and nothing else) to
ping sweep a client's Class C.
Here is what happened:
1. Nmap 4.03 and Nmap 4.11, under Windows XP SP1 and SP2, reported all 254
hosts as up.
2. Angry IP Scanner reports 2 hosts as being up, even after being made less
angry (slowed down).
3. Nmap 4.10 under Linux (kernel 2.4.25) says 22 hosts are up.
Number #3 (Nmap/Linux) is the only correct answer!
So we scanned yet another Class C the client owns. Nmap/Windows found all
254 to be up, yet again. Angry found 8 (for comparison.) Nmap/Linux found
13 -- once again, this was the right answer.
All boxes are in the DMZ of a PIX, on the same switch. I'd be happy to do
any tests you'd like, though I am not sure if we can give you the IPs to
Risk and Performance Services
Crowe Chizek and Company LLC
Direct : (630) 575-4346
Mobile: (224) 558-5979
Sent through the nmap-dev mailing list