Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Nmap does not perform reliable scans on Solaris 11
From: David Fifield <david () bamsoftware com>
Date: Sat, 21 May 2011 11:57:43 -0700

On Sat, May 21, 2011 at 08:33:57PM +0200, Giovanni Schmid wrote:
On Mon, May 16, 2011 at 08:46:06PM +0200, Giovanni Schmid wrote:
 Hi,

I tested Nmap 5.21 on Oracle Solaris 11 and found that it only
apparently works. Actually, many different scan sessions (with
different options and  targets) got wrong results. For ex., the
following scan is related to a host with 22/tcp (SSH) and  111/tcp
(rpcbind) open; however the two services are not detected. Morever,
turning off the -PN  option results in an host apparently blocking up
ping probes. This is not the case, instead.

# nmap -A 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:13 CEST
Note: Host seems down. If it is really up, but blocking our ping probes,
try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.60 seconds

# nmap -PN -A 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:14 CEST
Nmap scan report for 172.16.3.42
Host is up.
All 1000 scanned ports on 172.16.3.42 are filtered
Too many fingerprints match this host to give specific OS details

TRACEROUTE (using proto 1/icmp)
HOP RTT    ADDRESS
1   ... 30

# nmap -PN -sS 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:34 CEST
Nmap scan report for 172.16.3.42
Host is up.
All 1000 scanned ports on 172.16.3.42 are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.16 seconds

Thank you for reporting this. We need some more information from you. Do
the wrong results happen every time, or only sometimes? Is it only this
IP address that has the problem, or other LAN addresses, or all
addresses?

Hi David.

The wrong results happen every time, and for different hosts in the same
LAN. There were no firewalls among the targets and the scanning host.
Moreover, I compared the results for the above targets against another
scanning host running Nmap 4.x on Linux in the same LAN, and in this
case the results were correct.

It looks like you are getting no reponses at all from the target. Is
there a firewall or something similar in the way? What output do you see
when you run the command
    ssh -v 172.16.3.42

At  this moment I cannot run the above command, since I am at home and
172.16.3.42 in not reachable through the Internet. However 172.16.3.42
is a Solaris 11 box too, and its sshd should be

Sun_SSH_1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090801f

or above.

I didn't mean to ask for the SSH version number; it's just that I would
be surprised if ssh works at all if Nmap can get no responses.

Can you try the scan again, this time with --unprivileged?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]