Nmap Development mailing list archives
Re: -sP showing all hosts in request as up
From: David Fifield <david () bamsoftware com>
Date: Wed, 26 Aug 2009 09:53:45 -0600
On Wed, Aug 26, 2009 at 10:38:43AM -0500, Terry wrote:
> On Wed, Aug 26, 2009 at 10:17 AM, David Fifield <david () bamsoftware com> wrote:
> > On Wed, Aug 26, 2009 at 09:58:30AM -0500, Terry wrote:
> > > I am confused about some output I am seeing. Why would nmap -sP subnet/24 return every IP in the block as up when they clearly aren't? This happens even on the local subnet. I have a feeling the answer is very easy; I am just stuck.
> >
> > This can happen if a network device is faking ARP replies from nonexistent hosts. Try scanning with the --send-ip option. This thread has some more information.
> >
> > http://seclists.org/nmap-dev/2009/q3/0338.html
>
> Thank you for your reply. Here's a little transcript of my problem after trying the -send-ip option:
>
> [root@omajelut01 sbin]# nmap -sP --send-ip --reason 10.0.1.112-120
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-26 10:33 CDT
> Host 10.0.1.112 is up, received echo-reply (0.0029s latency).
> Host 10.0.1.113 is up, received reset (0.00077s latency).
> Host 10.0.1.114 is up, received echo-reply (0.0019s latency).
> Host 10.0.1.115 is up, received reset (0.0011s latency).
> Host 10.0.1.116 is up, received echo-reply (0.0026s latency).
> Host 10.0.1.117 is up, received echo-reply (0.0024s latency).
> Host 10.0.1.118 is up, received echo-reply (0.0024s latency).
> Host 10.0.1.119 is up, received reset (0.00075s latency).
> Host 10.0.1.120 is up, received echo-reply (0.0025s latency).
> Nmap done: 9 IP addresses (9 hosts up) scanned in 3.30 seconds
>
> [root@omajelut01 sbin]# ping -c 1 -W 2 10.0.1.113
> PING 10.0.1.113 (10.0.1.113) 56(84) bytes of data.
>
> --- 10.0.1.113 ping statistics ---
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms

Nmap has a lot of ways to find out if a host is up, and ICMP echo (ping) is just one of them. It's possible that Nmap finds a host up when ping finds it down. Those hosts above that say "echo-reply" got a ping reply. The ones that say "reset" got a RST from Nmap's ACK to port 80 or SYN to port 443. It is possible that there is a firewall or something spoofing the RST replies. If you're sure those addresses are not really up you can try looking for the device that's doing that.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
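
The triage described in the reply above, splitting hosts by their --reason value and listing the ones whose only evidence is a RST, as an added example that is not part of the original thread. It parses the Nmap 5.00 output lines quoted in the message; the function names and the latency comparison are this example's own assumptions.

```python
import re
from collections import defaultdict

# Output lines copied from the transcript quoted in the message above.
SAMPLE = """\
Host 10.0.1.112 is up, received echo-reply (0.0029s latency).
Host 10.0.1.113 is up, received reset (0.00077s latency).
Host 10.0.1.114 is up, received echo-reply (0.0019s latency).
Host 10.0.1.115 is up, received reset (0.0011s latency).
Host 10.0.1.116 is up, received echo-reply (0.0026s latency).
Host 10.0.1.117 is up, received echo-reply (0.0024s latency).
Host 10.0.1.118 is up, received echo-reply (0.0024s latency).
Host 10.0.1.119 is up, received reset (0.00075s latency).
Host 10.0.1.120 is up, received echo-reply (0.0025s latency).
"""

# Matches the line layout shown in this thread; other Nmap versions may differ.
LINE = re.compile(r"^Host (\S+) is up, received (\S+) \(([\d.]+)s latency\)\.$")


def group_by_reason(text):
    """Map each discovery reason to a list of (host, latency_seconds)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            host, reason, latency = m.group(1), m.group(2), float(m.group(3))
            groups[reason].append((host, latency))
    return dict(groups)


def reset_only_hosts(groups):
    """Hosts reported up solely because a TCP RST came back.

    These are the addresses worth re-checking by other means, since the RST
    may come from a firewall or other device rather than from the host.
    """
    return sorted(host for host, _ in groups.get("reset", []))


def mean_latency(groups):
    """Average latency per reason. A clearly lower mean for one reason is only
    a hint (this example's assumption) that a nearer device is answering."""
    return {r: sum(l for _, l in hosts) / len(hosts) for r, hosts in groups.items()}


if __name__ == "__main__":
    g = group_by_reason(SAMPLE)
    print("follow up on:", reset_only_hosts(g))
    for reason, avg in mean_latency(g).items():
        print(f"{reason}: {len(g[reason])} hosts, mean {avg * 1000:.2f} ms")
```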
