Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: nmap from PHP script.
From: Rob Nicholls <robert () robnicholls co uk>
Date: Tue, 15 Feb 2011 14:55:45 +0000

On Tue, 15 Feb 2011 14:12:21 +0000, Daniel Cba. wrote:
hello people
when I run nmap from a php script finds 26 hosts

$output = shell_exec('nmap -sP');
echo "<pre>$output</pre>";

Nmap done: 255 IP addresses (26 hosts up) scanned in 8.62 seconds

and from command line finds 104 host
#root>nmap -sP

Nmap done: 255 IP addresses (104 hosts up) scanned in 5.43 seconds

Hi Daniel,

Are you running the PHP script using the root user? Or (more likely) is PHP using a low privilege account?

If you run Nmap from the command line using your root account and the Nmap option --unprivileged you'll only see responses from hosts that have certain ports open (80/tcp and 443/tcp). I'm guessing you'll only see 26 hosts, all of them web servers.

If you run Nmap as root then it'll also be able to send ARP requests for the local subnet and ICMP requests for non-local address ranges. This could identify several more devices and probably explains why only 26 show up from PHP and why 104 show up from the command line. It might also explain why the scan is a lot quicker, as Nmap won't wait and retry filtered ports for hosts if they can simply rely on an ARP response instead.

It's not usually wise to allow PHP to run commands as root, especially if users can influence the input to scripts (in this case it appears you can't as you've hardcoded the Nmap command). If you want to run Nmap using a PHP script then hopefully someone else on this list can suggest a good way of doing it (probably using sudo and /etc/sudoers, but I'm not sure as I've never tried it myself).


Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]