Security Basics mailing list archives
Re: nmap -sP -PE -R -v behaves differently with root/un-root
From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 08 Aug 2011 13:33:27 -0500
Marc Ouwerkerk <olderchurch () gmail com> writes:
-PE and -sP are both used for discovery. -sP has different behavior for root and non-root users. From the manual: Ping Scan [-sP]
...
When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods. Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established (similar to the SYN/ACK method for root users, but this one establishes a full TCP connection!)
I too have run across networks where results from the nmap ICMP discovery, or syn scanning, while doing a full tcp connect scan or tcp connect method based discovery using nmap or another custom written tool yields far more targets.

As for reasons... nmap without doing much customizing on the command line stands out to IPS pretty readily. So, one explanation could be that the network you are targeting is running IPS which is detecting the scan and swallowing packets in one mode, but not the other.

If you're interested in further permutations, see if slowing the root scan with a -T2 changes the results from the default. If you get it slow enough perhaps it's outside what the IPS is interested in.

For particularly non-forthcoming networks, there's nothing like nmap Idle scan for handling that pesky IPS, or at least giving yet another look at the network to enumerate targets.

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
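Added example, not part of the original message and not nmap's own code: a minimal Python sketch of the unprivileged connect() discovery method described in the quoted manual text, showing that both a completed handshake and a refused connection count as evidence the host is up, while silence does not. The function name `connect_probe`, the default port 80 and the timeout value are assumptions made for illustration.

```python
import errno
import socket


def connect_probe(host, port=80, timeout=1.0):
    """Unprivileged liveness check using an ordinary TCP connect().

    Returns (is_up, reason). No raw sockets are needed, so it works
    without root, which is why non-root discovery falls back to it.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        # Full three-way handshake completed: something is listening.
        return True, "open"
    except ConnectionRefusedError:
        # A RST came back. The port is closed, but an answer of any
        # kind means a host (or a device answering for it) is there.
        return True, "closed"
    except socket.timeout:
        # Nothing came back in time: host down, or packets dropped
        # somewhere on the path (firewall or IPS).
        return False, "no-response"
    except OSError as exc:
        # e.g. EHOSTUNREACH / ENETUNREACH reported by the local stack.
        return False, "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        # Tear the connection down as soon as the result is known.
        sock.close()


if __name__ == "__main__":
    # Constructed demo on loopback only: one listening port, then the
    # same port after the listener has gone away.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]
    print("listening port:", connect_probe("127.0.0.1", demo_port))
    listener.close()
    print("closed port:   ", connect_probe("127.0.0.1", demo_port))
```

Because this probe completes the handshake, it appears in the target's connection logs as an ordinary accepted connection, unlike the root-only ICMP and ACK probes.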
