I have just started learning about the use of nmap and while doing so, I am unable to find much information on a particular command.
This is the command I am using: nmap -sP 192.168.100.0/24 to scan for the list of connected devices on the network.
While the ip address used is the subnet ip, I am having trouble understanding what /24 does.
Can someone kindly share any insights to me?
/24 specifies the netmask to use -- 24 bits in this case, so a mask of 255.255.255.0. So it will scan all addresses from 192.168.100.0 to 192.168.100.255
/24 is the prefix length used to indicate the number of network bits of an IP address.
Refer this article from Cisco: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html
Also, before starting with nmap, you must have basic knowledge about computer networks to understand different types of scan.
Related
I am a programmer trying to get Rancher (Kubernetes) setup. Rancher's config file has a setting called service_cluster_ip_range.
It expects a CIDR notated subnet.
My network team gave me a "24" subnet. They told me that the IP address range I can use is 10.70.9.11 - 10.70.9.254.
As I understand things, when you say 10.70.9.0/24 you are referring to 10.70.9.1 - 10.70.9.254.
When I asked my network team if I could have addresses 1 - 10 as well I was told that they were reserved for network gear (and that the network would fail if they gave me those addresses).
So, my question is does CIDR deal with exclusions like this? Can you say something like 10.70.9.0/24 Exluding (.1 through .10) or something like that?
Or will have have to give up a bunch of addresses and do 10.80.9.128/25?
You cannot express exclusions with CIDR notation. You can give up bunch of IP addresses by using /25 range.
I used nmap to look up my Raspis on my local lan and I made a mistake defining the IP-Range. Instead of
nmap -sn 192.168.2.0/24
I typed
nmap -sn 192.168.2./24
Nmap returned external IP-addresses:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-14 10:09 CEST
Nmap scan report for dns1.hadcs.de (62.138.238.1)
Host is up (0.023s latency).
Nmap scan report for cmdb.hadcs.de (62.138.238.10)
Host is up (0.032s latency).
Nmap scan report for monitoring.hadcs.de (62.138.238.15)
Host is up (0.026s latency).
Nmap scan report for confluence.hadcs.de (62.138.238.16)
...
I want to understand what's happening here. In combination with nse-options this behavior may result in serious legal problems (at least in Germany).
Probably neither of those is what you wanted, which is 192.168.2.0/24.
When you enter 192.168.2./24, the final . makes the address be interpreted as a hostname to be looked up via DNS. Your ISP (or someone) is intercepting NXDOMAIN (name not found) responses and injecting its own answers. So instead of Failed to resolve "192.168.2." which is expected, you get an answer that is something like 62.138.238.16. Nmap then applies the CIDR bitmask to expand that into the network of 256 adjacent addresses.
Using 192.168.2/24, the base address is expanded via inet_aton according to some unusual rules detailed in the man page for that function. Specifically, it is expanded to 192.168.0.2, so you end up scanning the equivalent of 192.168.0.0/24, which is also not what you wanted to scan.
The solution is to always use all 4 octets of an IPv4 address to avoid odd interpretations.
I wrote a script that goes through all local IPs in the '0' network (192.168.0.*).
I use a loop with socket.gethostbyaddr(ip_modified_by_the_loop_each_time).
The loop returns me 3 devices their hostnames.
Now, I found that it does not find 4 devices (at least).
It does wind my Windows Laptop, not my Android Phone. It does find
one MacBook, not the iMac, not the other MacBook. It also does not
find any phone.
I know that all the devices are online and have an IPv4 address.
I can ping them very well, it responds just fine. But when I use socket.gethostbyaddr(ip_modified_by_the_loop_each_time) it throws an error.
I used a try:/except: statement to get around the error, but it still can not find my phone by IP and get the hostname, but I know it is there.
I am using python 3.3
Why is that happening, how to fix that?
Thank you.
gethostbyaddr tries to find out the hostname for a given IP address by using either locally stored information (i.e. /etc/hosts) or doing a reverse DNS lookup. The result does not depend on the host being online or not, they only depend on the availability of these information.
And these information can also not be trusted. For example the DNS operator of a domain could add the following records:
test.example.com A public.ip.of.test
public.ip.of.test PTR localhost.
In this case a lookup (gethostbyname) of test.example.com would return the IP address of this host while a reverse lookup (gethostbyaddr) would claim that the hostname is localhost. And if the PTR record would be missing gethostbyaddr would fail, even if the host is online.
See also wikipedia: reverse dns lookup.
Executing following command "sudo nmap -sP 123.00.0.00" depending on the network might return:
Nmap scan report for 123.00.0.00
Host is up (0.28s latency).
MAC Address: 84:38:35:XX:XX:XX (Apple)
or (let's assume it's the same IP but different network)
Nmap scan report for Tomas-Mac-Book (123.00.0.00)
Host is up (0.28s latency).
MAC Address: 84:38:35:XX:XX:XX (Apple)
I'm guessing this depends on the network settings. Is there a way to get the device name in cases where only IP is returned with the above command?
With the -sP option, NMAP makes a DNS request to resolve the names of the IPS's:
. By default, Nmap still does reverse-DNS resolution on the hosts to
learn their names
From NMAP Host discovery options
So, if the network DNS is able to resolve the names of the hosts, NMAP returns the network names of each IP.
To avoid this DNS resolution, if you add a 'n', it is disabled so -snP, would never try to make a DNS resolution.
I need to scan the open ports of my server.
I tried nmap by: nmap ***.dyndns.info from within my local network.
It gave me:
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-09 16:05 JST
Nmap scan report for ***.dyndns.info (***.***.***.39)
Host is up (0.00097s latency).
rDNS record for ***.***.***.39: ************.ne.jp
Not shown: 994 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
Then I tried the open ports tool provided by dyndns.com by specifying a specific port like:
global ip address 23
global ip address 53
global ip address 80
For each of those tests, it gave me "timed out" as a result, which is contradictory with the nmap results.
I know that depending on the way that nmap performs the tests, it may turn out that the result is "open".
So, I think the best way to test the ports of a given server is from outside, like the dyndns open ports tool.
But I'd like to test all ports at once, as opposed to one by one.
Is there any reliable tool for that, especially that I can use in command line?
I am on ubuntu 10.10.
Try Gibson Research Corporation ShieldsUP. It will test your firewall.
Note that whether or not a port is 'open' is also a function of the requesting source host and port; it is pretty easy to configure a firewall system to open a port for a specific set of source IP and port ranges. So there's no sure-fire way to tell if a port is open or not from the outside; netstat -an or similar tools will more reliably tell you which ports are open. (Except in the case of a rootkit, but any respectable rootkit would probably limit access to the open ports to a handful of netblocks as well, just to keep their property theirs.)
It'd be a piece of cake to buy a VPS slice from your favorite hosting provider for $10 for a month and portscan your own machine; nmap's default -T3 scanning option already parallelizes the scan, which is useful, but if your network connection is decent, -T4 may go more quickly.