Nmap Development mailing list archives
Re: -sP showing all hosts in request as up
From: Terry <td3201 () gmail com>
Date: Wed, 26 Aug 2009 11:00:44 -0500
On Wed, Aug 26, 2009 at 10:53 AM, David Fifield<david () bamsoftware com> wrote:
> On Wed, Aug 26, 2009 at 10:38:43AM -0500, Terry wrote:
>> On Wed, Aug 26, 2009 at 10:17 AM, David Fifield<david () bamsoftware com> wrote:
>>> On Wed, Aug 26, 2009 at 09:58:30AM -0500, Terry wrote:
>>>> I am confused about some output I am seeing. Why would nmap -sP
>>>> subnet/24 return every IP in the block as up when they clearly
>>>> aren't? This happens even on the local subnet. I have a feeling
>>>> the answer is very easy; I am just stuck.
>>>
>>> This can happen if a network device is faking ARP replies from
>>> nonexistent hosts. Try scanning with the --send-ip option. This
>>> thread has some more information.
>>>
>>> http://seclists.org/nmap-dev/2009/q3/0338.html
>>
>> Thank you for your reply. Here's a little transcript of my problem
>> after trying the -send-ip option:
>>
>> [root@omajelut01 sbin]# nmap -sP --send-ip --reason 10.0.1.112-120
>>
>> Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-26 10:33 CDT
>> Host 10.0.1.112 is up, received echo-reply (0.0029s latency).
>> Host 10.0.1.113 is up, received reset (0.00077s latency).
>> Host 10.0.1.114 is up, received echo-reply (0.0019s latency).
>> Host 10.0.1.115 is up, received reset (0.0011s latency).
>> Host 10.0.1.116 is up, received echo-reply (0.0026s latency).
>> Host 10.0.1.117 is up, received echo-reply (0.0024s latency).
>> Host 10.0.1.118 is up, received echo-reply (0.0024s latency).
>> Host 10.0.1.119 is up, received reset (0.00075s latency).
>> Host 10.0.1.120 is up, received echo-reply (0.0025s latency).
>> Nmap done: 9 IP addresses (9 hosts up) scanned in 3.30 seconds
>>
>> [root@omajelut01 sbin]# ping -c 1 -W 2 10.0.1.113
>> PING 10.0.1.113 (10.0.1.113) 56(84) bytes of data.
>>
>> --- 10.0.1.113 ping statistics ---
>> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>
> Nmap has a lot of ways to find out if a host is up, and ICMP echo
> (ping) is just one of them. It's possible that Nmap finds a host up
> when ping finds it down. Those hosts above that say "echo-reply" got a
> ping reply. The ones that say "reset" got a RST from Nmap's ACK to port
> 80 or SYN to port 443.
>
> It is possible that there is a firewall or something spoofing the RST
> replies. If you're sure those addresses are not really up you can try
> looking for the device that's doing that.
>
> David Fifield

It's all internal and the firewall isn't logging anything special. I
am sure they are down. I want the fastest way to determine if
something is listening on an IP. This is all internal so I will ensure
that this scanning host has full access to everything it is scanning.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
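
One way to triage output like the transcript in this thread, as an added example that is not part of the original messages: it parses the `--reason` host lines in the format Nmap 5.00 printed above, groups hosts by reason, and lists the hosts reported up only because of a TCP reset, the case where David notes the replies may come from another device. The function names and the choice to treat `reset` as the reason to re-verify are assumptions of this example.

```python
import re
from collections import defaultdict
from statistics import median

# Host line format printed by Nmap 5.00 with -sP --reason, as in the thread.
HOST_RE = re.compile(
    r"^Host (?P<ip>\S+) is up, received (?P<reason>[\w-]+) "
    r"\((?P<lat>[\d.]+)s latency\)\.")

# Transcript copied from the message above (not constructed data).
SAMPLE = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-26 10:33 CDT
Host 10.0.1.112 is up, received echo-reply (0.0029s latency).
Host 10.0.1.113 is up, received reset (0.00077s latency).
Host 10.0.1.114 is up, received echo-reply (0.0019s latency).
Host 10.0.1.115 is up, received reset (0.0011s latency).
Host 10.0.1.116 is up, received echo-reply (0.0026s latency).
Host 10.0.1.117 is up, received echo-reply (0.0024s latency).
Host 10.0.1.118 is up, received echo-reply (0.0024s latency).
Host 10.0.1.119 is up, received reset (0.00075s latency).
Host 10.0.1.120 is up, received echo-reply (0.0025s latency).
Nmap done: 9 IP addresses (9 hosts up) scanned in 3.30 seconds
"""

def parse_hosts(text):
    """Return [(ip, reason, latency_seconds)] for every 'is up' line."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts.append((m["ip"], m["reason"], float(m["lat"])))
    return hosts

def triage(hosts, recheck_reasons=("reset",)):
    """Summarise hosts per reason and list those needing a second check."""
    # Assumption of this example: a bare TCP reset is the evidence to re-verify.
    by_reason = defaultdict(list)
    for ip, reason, lat in hosts:
        by_reason[reason].append(lat)
    summary = {reason: {"count": len(lats), "median_latency": median(lats)}
               for reason, lats in by_reason.items()}
    recheck = [ip for ip, reason, _ in hosts if reason in recheck_reasons]
    return summary, recheck

if __name__ == "__main__":
    summary, recheck = triage(parse_hosts(SAMPLE))
    print(summary)
    print("verify independently:", recheck)
```

On the transcript above the three `reset` hosts also show a lower median latency than the six `echo-reply` hosts, which is a second data point worth recording when looking for the device that answered.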
