Nmap Development mailing list archives

Re: Nmap Pingscan - ignore reset


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 27 Apr 2017 22:34:11 -0500

Simon,

Thanks for the question. Nmap doesn't currently have an option for this,
but we are collecting ideas for detecting RST spoofing like this over at
GitHub [#595]. In the meantime, using other -P* options like -PE (ICMP Echo
Request) or -PA (TCP ACK) could help, depending on what the firewall will
actually respond to and let through. There is also the manual step of first
doing a minimal port scan (only 80 and 443, for example), then analyzing
the results to determine which responses come from the firewall. You can
then feed those to Nmap with --excludefile to avoid them, or feed the other
addresses with -iL to include them only.

Dan

[#595] https://github.com/nmap/nmap/issues/595

On Tue, Apr 25, 2017 at 6:40 AM, Simon Gfeller <simu () simuonline ch> wrote:

Hello together,

I had a problem with the pingscan already a few times when I had to
discover hosts in a subnet. I use -PS with a few top ports like 80, 443 etc.
But sometimes, if there is a firewall which sends tcp resets on specific
ports even if there is no host, I have a lot of false positives, because
nmap recognises hosts with a tcp reset as online.

Is there a way to ignore reset packages during a ping/discovery scan? If
not, is it possible to add such an option or was it already discussed? Or
do you know alternatives?

Thank you!

Best regards,
Simon
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
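
The manual step described in the reply above (a minimal port scan of 80 and 443, then sorting out which responses come from the firewall), as an added example that is not part of the thread and not Nmap project code. It assumes grepable output (-oG) from the scan, and uses a heuristic of its own: addresses whose probed ports are all "closed" (RST) and whose port-state pattern is shared by at least `min_share` of the scanned addresses are treated as likely firewall answers. The sample data, the threshold and the output file names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample (trimmed to "Ports:" lines) of Nmap grepable output from an
# assumed scan:  nmap -n -Pn -p 80,443 -oG scan.gnmap 192.0.2.0/29
SAMPLE_GNMAP = (
    "Host: 192.0.2.1 ()\tPorts: 80/closed/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.2 ()\tPorts: 80/closed/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.3 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\n"
    "Host: 192.0.2.4 ()\tPorts: 80/closed/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.5 ()\tPorts: 80/closed/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.6 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\n"
)

PORT_RE = re.compile(r"(\d+)/([^/]*)/tcp")

def port_signatures(gnmap_text):
    """Map each host to a sorted tuple of (port, state) from its 'Ports:' line."""
    sigs = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host: ") or "Ports: " not in line:
            continue  # skip comments and 'Status:' lines
        host = line.split()[1]
        ports = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        sigs[host] = tuple(sorted((int(p), s) for p, s in PORT_RE.findall(ports)))
    return sigs

def split_hosts(sigs, min_share=0.5):
    """Return (suspect, keep) host lists using the heuristic in the lead-in."""
    groups = defaultdict(list)
    for host, sig in sigs.items():
        groups[sig].append(host)
    suspect, keep = [], []
    for sig, hosts in groups.items():
        only_rst = bool(sig) and all(state == "closed" for _, state in sig)
        common = len(hosts) / len(sigs) >= min_share
        (suspect if only_rst and common else keep).extend(hosts)
    return sorted(suspect), sorted(keep)

if __name__ == "__main__":
    suspect, keep = split_hosts(port_signatures(SAMPLE_GNMAP))
    # exclude.txt is meant for --excludefile, include.txt for -iL
    for name, hosts in (("exclude.txt", suspect), ("include.txt", keep)):
        with open(name, "w") as fh:
            fh.write("\n".join(hosts) + "\n")
```

A real host with both ports closed produces the same pattern, so the suspect list is worth re-checking with one of the other probes mentioned in the reply (-PE or -PA) before it is excluded.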