Nmap Development mailing list archives

Re: Odd scanning error

From: David Fifield <david () bamsoftware com>
Date: Sun, 19 Oct 2008 19:03:26 -0600

On Wed, Oct 01, 2008 at 10:19:08AM -0600, Kevin Nault wrote:

I am using nmap version 4.76 on Windows XP (SP 3, fully up-to-date as of 30
Sept '08) on an HP/Compaq nx8230 laptop with a Broadcom 5700-series Ethernet
NIC and an Intel 2200BG wifi NIC.

Any network scan I do returns every address (empty or full) as having a
Lanner Electronics ethernet card with a MAC address of 00:90:0B:0D:72:6F --
whether the device exists or not, responds or not, and regardless of what
NIC and MAC the device actually has.  Every address (whether a device exists
there or not) is also reported as having TCP port 1720 (H.323/Q.931)
open|filtered.  If I don't include 1720 in the TCP port list, all ports
report as "filtered".  Devices which do exist report their port lists
accurately, though 1720 will be added to the list if it is scanned for.

I have a custom-built computer physically next to this one, plugged into the
next port on the same switch, with the same OS, running nmap 4.20 that does
not do this -- MAC addresses, the absense of devices, and the state of port
1720 are reported accurately.

The only IDS/IPS device on this network is a SonicWall firewall running
current software, but its MAC is 00:06:B1:XX:XX:XX (different last three
bytes from the Lanner address above).

I love nmap and use it at least weekly.  Help?


This is indeed a strange error. Can you send me or Fyodor a scan log
using the options -d3 --packet-trace?

Does it happen with both the wired and wireless NICs, or nust one of
them?

With TCP scans, the open|filtered state is usually only possible with
FIN, NULL, and Xmas scans. Getting it with a SYN scan would point to a
bug in Nmap.

My best guess is that there's some software on the Windows XP machine
causing this. You could try uninstalling Nmap, then reinstalling version
4.20 from http://nmap.org/dist-old/nmap-4.20-setup.exe. Another thing,
which you shouldn't bother doing unless you have a live CD handy, is to
boot the XP machine with a GNU/Linux live CD and try running Nmap under
that. If it doesn't give the strange behavior then it points to a
problem with the XP setup.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Odd scanning error Kevin Nault (Oct 01)
- Re: Odd scanning error David Fifield (Oct 19)
  - Re: Odd scanning error Kevin Nault (Oct 21)