Nmap Development mailing list archives
Re: Don't know if this is a bug or not.
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 12 Jul 2009 07:45:48 +0000
On Thu, 9 Jul 2009 16:30:39 -0400 or thereabouts "Rick Rambo" <RamboRL () Booth-Assoc com> wrote:
(using Zenmap 4.90RC1)

While scanning our public facing IP range, I got a return on an IP address I know is not used. I re-scanned that IP with an Intense scan with TCP. That scan identified a Dlink DWL-2100AP wireless access point.

T1 from ISP to their single port router. -> single cable to Bay Stack hub. Bay hub connects our outward facing devices. All cables out of hub are accounted for.

I am emailing our ISP to see if there is possibly a piece of equipment at their premises, but I would doubt that would be the case. I did the original scanning with the Version 4 beta I had installed. Is it possible this is a "false positive"? I've included the scan results xml file.

.confused .rick..
--
Rick Rambo
Rick, I'm a little confused by your question. To answer your subject line, no, what you presented does not look like any sort of bug in Nmap. If you were asking if there is a chance that there really isn't any machine at that IP address, yes, a slim chance, I'll explain later. If you are asking if the OS detection results that say the device is a "Dlink DWL-2100AP" really is true, no, that detection could easily be wrong since there wasn't enough information for a good quality test.

So first, it sounds like you are confused as to why Nmap even said that this host is up. You did host discovery with "-PE -PA21,23,80,3389" and Nmap said the host is up. We don't know which of those probes though triggered a response so first you should figure out what is triggering the host up by doing a ping scan with --reason like so:

$ sudo nmap -sP -T4 -v --reason -PE -PA21,23,80,3389 67.141.231.231

Instead of just telling you the host is up, Nmap will tell you which probe successfully determined that.

There is a slim chance that there really isn't a host there. In that case, what would be happening is that there is some other networking device between you and wherever that IP routes to that is responding in a way that makes Nmap think a host is there. It isn't terribly uncommon for various network middleboxes to do things like this.

Notice in your scan that all ports 1-65535 came back as filtered. When you do OS detection, you really need at least one open and one closed port. It seems like OS detection got some response from the host but whatever the response is, it could have been the same network effect that showed the host as up (if it isn't really there).

You'd do best to run this scan again using at least debugging 2 (use the -d2 flag) to get an idea of what is coming back to you. You can also look at the OS fingerprint and see what probes elicited a response. If you are feeling really adventurous, you can even re-run the scan with --packet-trace to see every probe sent and received.
Regards,
Brandon
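
Added example, not part of the messages above and not Nmap's own code: a Python script that reads Nmap XML output (the kind of file attached to the original report) and shows, per host, which response marked it as up and whether the OS guess had the open and closed TCP port the reply says OS detection needs. The sample XML, its addresses and OS names are constructed, and triage() is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output layout (not the poster's file).
# Addresses are from the documentation range; OS names are placeholders.
SAMPLE_XML = """<nmaprun>
<host><status state="up" reason="reset"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports><extraports state="filtered" count="65535"/></ports>
<os><osmatch name="Example AP (placeholder)" accuracy="90"/></os></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.20" addrtype="ipv4"/>
<ports><extraports state="filtered" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="113"><state state="closed" reason="reset"/></port>
</ports>
<os><osmatch name="Example Linux (placeholder)" accuracy="98"/></os></host>
</nmaprun>"""


def triage(xml_text):
    """Return one dict per host: why it was marked up, and whether the OS
    guess had at least one open and one closed TCP port behind it."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address")
        # Only explicitly listed TCP ports count; <extraports> (for example
        # 65535 filtered ports) gives OS detection nothing to work with.
        states = [p.find("state").get("state") for p in host.iter("port")
                  if p.get("protocol") == "tcp" and p.find("state") is not None]
        n_open, n_closed = states.count("open"), states.count("closed")
        match = host.find("os/osmatch")
        results.append({
            "addr": addr.get("addr") if addr is not None else None,
            "up_reason": status.get("reason", "unknown") if status is not None else "unknown",
            "open": n_open,
            "closed": n_closed,
            "os_guess": match.get("name") if match is not None else None,
            "os_reliable": n_open >= 1 and n_closed >= 1,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_XML):
        verdict = "usable" if r["os_reliable"] else "treat as unreliable"
        print(f'{r["addr"]}: up because of "{r["up_reason"]}", '
              f'{r["open"]} open / {r["closed"]} closed TCP ports, '
              f'OS guess {r["os_guess"]!r}: {verdict}')
```
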