Re: nmap from PHP script.
From: Rob Nicholls <robert () robnicholls co uk>
Date: Tue, 15 Feb 2011 14:55:45 +0000
On Tue, 15 Feb 2011 14:12:21 +0000, Daniel Cba. wrote:
> When I run nmap from a PHP script it finds 26 hosts:
> $output = shell_exec('nmap -sP 10.101.154.1-255');
> Nmap done: 255 IP addresses (26 hosts up) scanned in 8.62 seconds
> and from the command line it finds 104 hosts:
> #root>nmap -sP 10.101.154.1-255
> Nmap done: 255 IP addresses (104 hosts up) scanned in 5.43 seconds
Are you running the PHP script using the root user? Or (more likely) is
PHP using a low privilege account?
If you run Nmap from the command line using your root account and the
Nmap option --unprivileged you'll only see responses from hosts that
have certain ports open (80/tcp and 443/tcp). I'm guessing you'll only
see 26 hosts, all of them web servers.
If you run Nmap as root then it'll also be able to send ARP requests
for the local subnet and ICMP requests for non-local address ranges.
This could identify several more devices and probably explains why only
26 show up from PHP and why 104 show up from the command line. It might
also explain why the scan is a lot quicker, as Nmap won't wait and retry
filtered ports for hosts if it can simply rely on an ARP response.
It's not usually wise to allow PHP to run commands as root, especially
if users can influence the input to scripts (in this case it appears you
can't as you've hardcoded the Nmap command). If you want to run Nmap
using a PHP script then hopefully someone else on this list can suggest
a good way of doing it (probably using sudo and /etc/sudoers, but I'm
not sure as I've never tried it myself).
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
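As an added example (not part of Rob's reply or anything else in the thread), here is a POSIX shell script that checks the hypothesis above directly: it runs the same ping scan with and without --unprivileged, parses Nmap's grepable (-oG) output, and lists the hosts that only the privileged scan found. The NMAP_TARGET variable, the constructed sample output and the sudoers line in the comments are assumptions made for illustration; without NMAP_TARGET set it only exercises the parsing on the sample data.

```shell
#!/bin/sh
# Added example, not code from the original thread. Compares the hosts Nmap
# reports "up" with and without raw-socket privileges.
# Assumptions: nmap is installed, the live comparison is run as root, and the
# target range is passed in NMAP_TARGET (a hypothetical variable name).

# Extract the IPs Nmap marked "Up" from grepable (-oG) output, sorted, one per line.
up_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }' | sort -u
}

# Count the "Up" hosts in -oG output read from stdin (tr strips wc's padding).
count_up() {
    up_hosts | wc -l | tr -d ' '
}

# Print hosts present in the second (privileged) list but absent from the first.
# comm needs sorted input; -13 suppresses lines unique to file1 and common lines.
only_in_second() {
    comm -13 "$1" "$2"
}

# Run the comparison on two -oG outputs passed as strings and print the hosts
# that only the privileged scan discovered.
compare_scans() {
    unpriv_file=$(mktemp)
    priv_file=$(mktemp)
    printf '%s\n' "$1" | up_hosts > "$unpriv_file"
    printf '%s\n' "$2" | up_hosts > "$priv_file"
    only_in_second "$unpriv_file" "$priv_file"
    rm -f "$unpriv_file" "$priv_file"
}

# Constructed sample -oG output standing in for an unprivileged scan (TCP
# connect() probes to 80 and 443 only) and a privileged one (ARP on the subnet).
SAMPLE_UNPRIV='# Nmap 6.40 scan initiated as: nmap -sn --unprivileged -oG - 10.101.154.1-255
Host: 10.101.154.1 ()   Status: Up
Host: 10.101.154.20 ()  Status: Up
# Nmap done -- 255 IP addresses (2 hosts up) scanned in 8.62 seconds'
SAMPLE_PRIV='# Nmap 6.40 scan initiated as: nmap -sn -oG - 10.101.154.1-255
Host: 10.101.154.1 ()   Status: Up
Host: 10.101.154.7 ()   Status: Up
Host: 10.101.154.20 ()  Status: Up
Host: 10.101.154.33 ()  Status: Up
# Nmap done -- 255 IP addresses (4 hosts up) scanned in 5.43 seconds'

if [ -n "${NMAP_TARGET:-}" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root: the privileged scan needs raw sockets for ARP/ICMP" >&2
        exit 1
    fi
    # -sn is the current spelling of -sP (ping scan, no port scan); -oG - writes
    # grepable output to stdout. --unprivileged forces the TCP-only discovery
    # probes that a non-root PHP process gets anyway.
    UNPRIV=$(nmap -sn --unprivileged -oG - "$NMAP_TARGET")
    PRIV=$(nmap -sn -oG - "$NMAP_TARGET")
    echo "hosts found only with privileges:"
    compare_scans "$UNPRIV" "$PRIV"
    # If the scan has to be launched from PHP, grant only that exact command via
    # sudo rather than running PHP as root, e.g. (hypothetical sudoers line):
    #   www-data ALL=(root) NOPASSWD: /usr/bin/nmap -sn -oG - 10.101.154.1-255
else
    echo "NMAP_TARGET not set; comparing constructed sample output only:"
    compare_scans "$SAMPLE_UNPRIV" "$SAMPLE_PRIV"
fi
```

Run as root with `NMAP_TARGET=10.101.154.1-255 sh compare.sh`; the printed hosts are the ones ARP and ICMP discovery adds over the TCP-only probes, which is what the 26-versus-104 gap in the thread comes down to.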