| Subject: | RE: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)" |
|---|---|
| Date: | Tue, 23 Nov 2004 11:02:37 -0800 |
The test for live hosts defaults to using ICMP with TCP. One of them is giving the false reading, and likely ICMP. You can use -PT to only use TCP (if ICMP is the problem) or -PE (if TCP is the problem). -P0 should work, but will take a long time. Limiting to a particular port will help, but makes the effort much more manual to ensure everything gets discovered.

-----Original Message-----
From: Steve A [mailto:pen.test.mail@logicallysecure.org]
Sent: Monday, November 22, 2004 2:33 PM
To: pen-test@securityfocus.com
Subject: FW: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)"

I have seen many different switches and ports offering ghost ports and host IPs to the likes of NMAP before; 3COM and Linksys are very common. I think it has to do with the way they handle the request: in an effort to keep the connection alive they reply on behalf of hosts before they contact the host in question. Thus you get an answer for a 'ghost' host.

Solution: Try scanning one of the addresses you know to be live and one you know to be dead. A comparison of the results usually reveals the likes of ports 21, 53, 80, 110 as being present on ghost hosts. Further examination will reveal that where these ports are open on real hosts the returned values and banners will be real and not those of the switch; thus you can also deduce which ports are really open on live hosts (as they will have both the ghost ports and their own reported by NMap).

The easiest way I have found to work out which ones are real and which are ghosts is to use NMap to sweep the subnet pinging a port your previous test told you the switch does not answer to. Thus, if the ghost hosts have ports 80 and 110 open, use something like (assuming you are inside the boundary and, in the example, looking at Windows):

NMap -v -P0 -p137 x.y.z.1-255 > output_file.txt

You can select different ports to look for less and more secure hosts on differing OSs.
Steve Armstrong
Steve@logicallysecure.org
Steve Armstrong MSc MCSE MBCS CITP OPSA

This email and any associated attachments are intended for the above named person(s) and may be confidential. If you have received them in error you must not copy or disclose them to 3rd parties, nor should you take any action based on their contents; the only action you should take is to notify the email's originator of the error by replying to the sender. This email was scanned upon despatch by Norton AntiVirus.

-----Original Message-----
From: Erik Myrold [mailto:emyrold@gmail.com]
Sent: 14 November 2004 03:10
To: pen-test@securityfocus.com
Subject: nmap "Host x.x.x.x appears to be up" ... "(256 hosts up)"

I am having an issue with an nmap host discovery scan (nmap -sP x.x.x.x/24) that is responding for 0 through broadcast 255 when there are only 30 hosts on that subnet. At this point I am not sure if it is the router or switch that is responding to the ping sweep. What does this usually mean? There is no NAT and no filtering that I can tell, but this is not my forte... There are other subnets I can ping sweep with no problems... Thanks!
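The live-versus-dead comparison Steve describes, written out as an added example (not code from the thread): it parses nmap grepable (-oG) output, takes the ports reported "open" on an address known to be unused as the switch's ghost set, and then separates each host's genuinely open ports from those that still need a banner check. The sample scan output and addresses are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap -oG output (not a real scan). 10.0.0.6 is the
# address the operator knows to be unused; the others are unknown.
SAMPLE_OG = """\
# Nmap 3.75 scan initiated as: nmap -sS -oG - 10.0.0.0/29
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp///, 53/open/tcp//domain///, 80/open/tcp//http///, 110/open/tcp//pop3///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (995)
Host: 10.0.0.6 ()\tPorts: 21/open/tcp//ftp///, 53/open/tcp//domain///, 80/open/tcp//http///, 110/open/tcp//pop3///\tIgnored State: closed (996)
Host: 10.0.0.7 ()\tPorts: 21/open/tcp//ftp///, 53/open/tcp//domain///, 80/open/tcp//http///, 110/open/tcp//pop3///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (995)
"""

OPEN_TCP = re.compile(r"(\d+)/open/tcp")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Map each 'Host:' line of -oG output to its set of open TCP ports."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        addr = line.split()[1]
        ports_field = line.partition("Ports:")[2]
        hosts[addr] = {int(p) for p in OPEN_TCP.findall(ports_field)}
    return hosts


def ghost_ports(hosts: Dict[str, Set[int]], known_dead: str) -> Set[int]:
    """Ports 'open' on an address with no host behind it are answered by
    the network device, so they are suspect on every address in the sweep."""
    return set(hosts.get(known_dead, set()))


def classify(hosts: Dict[str, Set[int]], ghosts: Set[int]
             ) -> Tuple[Dict[str, Set[int]], Dict[str, Set[int]], List[str]]:
    """Split each host into ports open for certain, ports that need a banner
    check (they coincide with the ghost set), and addresses that look like
    ghosts because nothing beyond the ghost set answered."""
    real, check, ghost_hosts = {}, {}, []
    for addr, ports in hosts.items():
        own = ports - ghosts
        if own:
            real[addr] = own
            check[addr] = ports & ghosts   # verify banners before trusting
        else:
            ghost_hosts.append(addr)
    return real, check, sorted(ghost_hosts)


def analyse(text: str, known_dead: str):
    hosts = parse_grepable(text)
    return classify(hosts, ghost_ports(hosts, known_dead))
```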