Network Security Pen-Test

FW: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)"

Subject: FW: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)"
Date: Mon, 22 Nov 2004 22:33:05 -0000

I have seen many different switches and ports offering ghost ports and host
IPs to the likes of NMAP before, 3COM and Linksys are very common.  

I think it has to do with the way they handle the request and in an effort
to keep the connection alive they reply on behalf of hosts before they
contact the host in question.  Thus you get an answer for a 'ghost' host.  

Solution:

Try scanning one of the addresses you know to be live and one you know to be
dead.  A comparison of the results usually reveals the likes of ports
21,53,80,110 as being present on ghost hosts.  Further examination will
reveal that where these ports are open on real hosts the returned values and
banners will be real and not those of the switch, thus you can also deduce
which ports are really open on live hosts (as they will have both the ghost
ports and their own reported by NMap)  

The easiest way I have found to work out which ones are real and which are
ghosts is to use NMap to sweep the subnet pinging a port your previous test
told you the switch does not answer to.  Thus if the ghost hosts have ports
80 and 110 open use something like (assuming you are inside the boundary and
in the example looking at windows):

        nmap -v -P0 -p137 x.y.z.1-255 > output_file.txt

You can select different ports to look for less and more secure hosts on
differing OSs.


Steve Armstrong
 
Steve@logicallysecure.org

Steve Armstrong MSc MCSE MBCS CITP OPSA
 
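The comparison described in the reply above, worked through in code. This is an added example and not part of the original post: a small Python script that reads nmap grepable output (the -oG format) from the three scans the reply suggests, namely a known-dead address, a known-live address, and a single-port sweep of the subnet. Ports reported open on the dead address are taken as the switch's ghost ports; ports open on the live host that are not ghosts are the candidates for the sweep probe; and hosts that answer open on that probe in the sweep are the real ones. The scan output, the 10.0.0.0/24 addresses and the port lists are constructed samples, and the sweep probes TCP 139 (open on the sample Windows host and not faked by the sample switch) rather than the 137 used in the post.

```python
import re
from typing import Dict, List, Set

# Constructed sample output in nmap's grepable (-oG) format, standing in for the
# three scans the post describes. Addresses, ports and services are assumptions.

# 1. A scan of an address known to have no host behind it (10.0.0.200). Every port
#    reported open here is being answered by the switch, not by a host.
DEAD_HOST_SCAN = "\n".join([
    "# Nmap 3.75 scan initiated (constructed: nmap -v -P0 -oG - 10.0.0.200)",
    "Host: 10.0.0.200 ()\tPorts: 21/open/tcp//ftp///, 53/open/tcp//domain///, "
    "80/open/tcp//http///, 110/open/tcp//pop3///\tIgnored State: closed (1659)",
])

# 2. A scan of an address known to be a live Windows host (10.0.0.10). It shows the
#    same four ghost ports plus the ports the host really listens on.
LIVE_HOST_SCAN = "\n".join([
    "# Nmap 3.75 scan initiated (constructed: nmap -v -P0 -oG - 10.0.0.10)",
    "Host: 10.0.0.10 ()\tPorts: 21/open/tcp//ftp///, 53/open/tcp//domain///, "
    "80/open/tcp//http///, 110/open/tcp//pop3///, 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///"
    "\tIgnored State: closed (1656)",
])

# 3. A sweep of the subnet on one port the switch does not fake (139 here; the post
#    used 137). Only addresses with a real host behind them answer open on it.
SUBNET_SWEEP = "\n".join([
    "# Nmap 3.75 scan initiated (constructed: nmap -v -P0 -p139 -oG - 10.0.0.1-254)",
    "Host: 10.0.0.1 ()\tPorts: 139/closed/tcp//netbios-ssn///",
    "Host: 10.0.0.10 ()\tPorts: 139/open/tcp//netbios-ssn///",
    "Host: 10.0.0.11 ()\tPorts: 139/open/tcp//netbios-ssn///",
    "Host: 10.0.0.12 ()\tPorts: 139/closed/tcp//netbios-ssn///",
    "Host: 10.0.0.200 ()\tPorts: 139/closed/tcp//netbios-ssn///",
])

# The "Ports:" field runs up to the next tab-separated field (e.g. "Ignored State").
PORT_FIELD = re.compile(r"Ports:\s*([^\t]*)")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Map each 'Host:' line of -oG output to the set of TCP ports reported open.
    A port entry reads number/state/protocol/owner/service/rpc/version."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        open_ports = hosts.setdefault(ip, set())
        m = PORT_FIELD.search(line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
    return hosts


def ghost_ports(dead_host_scan: str) -> Set[int]:
    """Ports 'open' on an address with no host are the switch answering on its behalf."""
    ghosts: Set[int] = set()
    for ports in parse_grepable(dead_host_scan).values():
        ghosts |= ports
    return ghosts


def real_open_ports(scan: str, ghosts: Set[int]) -> Dict[str, Set[int]]:
    """Strip the ghost ports from a scan; what remains was opened by the host itself."""
    return {ip: ports - ghosts for ip, ports in parse_grepable(scan).items()}


def probe_port_candidates(live_host_scan: str, ghosts: Set[int]) -> List[int]:
    """Ports a known-live host listens on that the switch does not fake; any of
    them can be used as the -p value for the subnet sweep."""
    candidates: Set[int] = set()
    for ports in real_open_ports(live_host_scan, ghosts).values():
        candidates |= ports
    return sorted(candidates)


def live_hosts_from_sweep(sweep: str, probe_port: int) -> List[str]:
    """Addresses that answered open on the probe port in the sweep are real hosts."""
    hosts = [ip for ip, ports in parse_grepable(sweep).items() if probe_port in ports]
    return sorted(hosts, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    ghosts = ghost_ports(DEAD_HOST_SCAN)
    print("ghost ports answered by the switch:", sorted(ghosts))
    print("usable sweep probe ports:", probe_port_candidates(LIVE_HOST_SCAN, ghosts))
    print("real hosts in the sweep:", live_hosts_from_sweep(SUBNET_SWEEP, 139))
```

To use it against a real network, run the three scans with `-oG -` and pass their output to the functions in place of the constructed strings. Note that in current nmap releases the option the post writes as -P0 is spelled -Pn.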


-----Original Message-----
From: Erik Myrold [mailto:emyrold@gmail.com] 
Sent: 14 November 2004 03:10
To: pen-test@securityfocus.com
Subject: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)"




I am having an issue with a nmap host discovery scan (nmap -sP x.x.x.x/24)
that is responding for 0 through broadcast 255 when there are only 30 hosts
on that subnet.

At this point I am not sure if it is the router or switch that is responding
to the ping sweep.

What does this usually mean?  There is no NAT and no filtering that I can
tell, but this is not my forte...

There are other subnets I can ping sweep with no problems...

Thanks!
