Nmap Development mailing list archives

Re: weird nmap problems


From: Diman Todorov <diman () xover mud at>
Date: Wed, 12 Jul 2006 17:24:21 +0200



By default, nmap will try to discover if the host is active before
scanning, which (by default) uses the ICMP echo request / reply
method.  If the host is not discovered, nmap will consider the host
not up (and all ports on it filtered).  When you specified -P0, you
requested nmap to skip the host discovery phase and perform the TCP
connect scan (default scan type) on the port specified.  Clear as
mud, eh? ;-)  So, the results you had in all cases are expected and
nmap is performing correctly.



It is not so simple :)
By default nmap uses several methods to determine if the host is up.
In nmap.h you can find the line:
        #define DEFAULT_PING_TYPES PINGTYPE_TCP|PINGTYPE_TCP_USE_ACK|PINGTYPE_ICMP_PING

If you don't specify -P0 then nmap tries to connect to port (surprise, surprise) 80. If port 80 responds with a packet, then the host is determined to be up. Additionally nmap tries an ICMP ping.

The catch is that the massping function which handles host uppedness doesn't use the same code to attempt connecting to port 80 as the function which port scans port 80. If you don't specify -P0, nmap tries to connect to port 80 to determine if the host is up.

I am not sure what happens from this point. It is possible that the web server doesn't like being harassed twice in a short time interval. This time interval is probably longer than nsock is willing to wait for a SYN ACK. My reasoning however is mostly guesswork.

Joshua, I suggest that you try to reproduce the issue with a more recent nmap version. You say that you're running 3.95 but 4.11 is the current stable version. You could also run nmap with -vv -d --packet-trace to make it tell more verbosely what exactly it is doing. I will be more likely to pinpoint your problem with more debug information :)

cheers
Diman



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
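As an added example that is not part of the original post or of nmap's own code: a small Python parser that reads a --packet-trace excerpt and applies the host-discovery rule described in the reply above (any TCP reply from the ping port, or an ICMP echo reply, marks the host up; nothing answering means "host down, all ports filtered"), then lists the TCP probes that never got an answer, which is what you would look for when port 80 answers the ping but not the scan that follows it. The trace is constructed for this example; its line shapes are modelled on nmap's --packet-trace output (SENT/RCVD, elapsed time, protocol, src > dst, TCP flags or ICMP type) and are an assumption that should be checked against the version you run, as is the "Initiating ..." status line. The default ping flags follow PINGTYPE_TCP_USE_ACK from the define quoted above; pass ping_flags="S" if your trace shows SYN pings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, NOT real nmap output. Scenario: the ACK ping to port 80
# is answered with a RST and marks the host up, the ICMP echo is dropped, and
# the later scan probe to port 80 (plus one retransmission) gets no answer.
SAMPLE_TRACE = """\
SENT (0.0400s) TCP 10.0.0.5:43210 > 10.0.0.9:80 A ttl=49 id=4011 iplen=40 seq=0 win=1024
SENT (0.0401s) ICMP 10.0.0.5 > 10.0.0.9 Echo request (type=8/code=0) ttl=49 id=4012 iplen=28
RCVD (0.0450s) TCP 10.0.0.9:80 > 10.0.0.5:43210 R ttl=64 id=0 iplen=40 seq=0 win=0
Initiating SYN Stealth Scan against 10.0.0.9 [1 port] at 17:24
SENT (0.0600s) TCP 10.0.0.5:43211 > 10.0.0.9:80 S ttl=49 id=4013 iplen=44 seq=5 win=1024 <mss 1460>
SENT (1.0600s) TCP 10.0.0.5:43212 > 10.0.0.9:80 S ttl=49 id=4014 iplen=44 seq=5 win=1024 <mss 1460>
"""

# Assumed line shape (modelled on --packet-trace); status lines do not match.
PACKET_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? > (?P<dst>[\d.]+)(?::(?P<dport>\d+))? (?P<rest>.*)$"
)
TCP_FLAGS_RE = re.compile(r"^(?P<flags>[A-Z]+)\b")
ICMP_TYPE_RE = re.compile(r"\(type=(?P<type>\d+)/code=\d+\)")


@dataclass
class Packet:
    direction: str                  # "SENT" or "RCVD"
    time: float                     # seconds since scan start
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str = ""                 # TCP flag letters as printed: "S", "SA", "R", ...
    icmp_type: Optional[int] = None # 8 = echo request, 0 = echo reply


def parse_trace(text: str) -> List[Packet]:
    """Keep only packet lines; status lines ("Initiating ...") are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        p = Packet(m["dir"], float(m["t"]), m["proto"],
                   m["src"], int(m["sport"]) if m["sport"] else None,
                   m["dst"], int(m["dport"]) if m["dport"] else None)
        if p.proto == "TCP":
            f = TCP_FLAGS_RE.match(m["rest"])
            p.flags = f["flags"] if f else ""
        elif p.proto == "ICMP":
            f = ICMP_TYPE_RE.search(m["rest"])
            p.icmp_type = int(f["type"]) if f else None
        pkts.append(p)
    return pkts


def _tcp_reply_for(sent: Packet, pkts: List[Packet]) -> Optional[Packet]:
    """A reply is any later RCVD TCP packet from the probed host:port back to the probe's source port."""
    for r in pkts:
        if (r.direction == "RCVD" and r.proto == "TCP" and r.time >= sent.time
                and r.src == sent.dst and r.sport == sent.dport and r.dport == sent.sport):
            return r
    return None


def host_discovery_verdict(pkts: List[Packet], target: str,
                           ping_port: int = 80, ping_flags: str = "A") -> dict:
    """Rule from the thread: any TCP reply from the ping port, or an ICMP echo
    reply, marks the host up. ping_flags="A" follows PINGTYPE_TCP_USE_ACK."""
    evidence, unanswered = [], []
    for p in pkts:
        if p.direction != "SENT" or p.dst != target:
            continue
        if p.proto == "TCP" and p.dport == ping_port and p.flags == ping_flags:
            r = _tcp_reply_for(p, pkts)
            if r:
                evidence.append(f"TCP {r.flags} from port {ping_port}")
            else:
                unanswered.append(f"TCP {p.flags} to port {ping_port}")
        elif p.proto == "ICMP" and p.icmp_type == 8:
            if any(r.direction == "RCVD" and r.proto == "ICMP" and r.src == target
                   and r.icmp_type == 0 for r in pkts):
                evidence.append("ICMP echo reply")
            else:
                unanswered.append("ICMP echo request")
    return {"up": bool(evidence), "evidence": evidence, "unanswered": unanswered}


def unanswered_tcp_probes(pkts: List[Packet], target: str) -> List[Packet]:
    """Every TCP probe to the target whose source port never saw a reply
    (discovery or scan); a port that answered the ping but not the scan shows up here."""
    return [p for p in pkts
            if p.direction == "SENT" and p.proto == "TCP" and p.dst == target
            and _tcp_reply_for(p, pkts) is None]


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    print(host_discovery_verdict(pkts, "10.0.0.9"))
    for p in unanswered_tcp_probes(pkts, "10.0.0.9"):
        print(f"no reply: t={p.time:.4f}s TCP {p.flags} -> port {p.dport}")
```

Run it against a real capture by replacing SAMPLE_TRACE with the output of nmap -vv -d --packet-trace; if the verdict says the host is up on a TCP reply from port 80 while every later probe to port 80 sits in the unanswered list, the trace shows the same pattern the reply above speculates about.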

