I used nmap to look up my Raspis on my local lan and I made a mistake defining the IP-Range. Instead of
nmap -sn 192.168.2.0/24
I typed
nmap -sn 192.168.2./24
Nmap returned external IP-addresses:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-14 10:09 CEST
Nmap scan report for dns1.hadcs.de (62.138.238.1)
Host is up (0.023s latency).
Nmap scan report for cmdb.hadcs.de (62.138.238.10)
Host is up (0.032s latency).
Nmap scan report for monitoring.hadcs.de (62.138.238.15)
Host is up (0.026s latency).
Nmap scan report for confluence.hadcs.de (62.138.238.16)
...
I want to understand what's happening here. In combination with nse-options this behavior may result in serious legal problems (at least in Germany).
Probably neither of those is what you wanted, which is 192.168.2.0/24.
When you enter 192.168.2./24, the final . makes the address be interpreted as a hostname to be looked up via DNS. Your ISP (or someone) is intercepting NXDOMAIN (name not found) responses and injecting its own answers. So instead of Failed to resolve "192.168.2." which is expected, you get an answer that is something like 62.138.238.16. Nmap then applies the CIDR bitmask to expand that into the network of 256 adjacent addresses.
Using 192.168.2/24, the base address is expanded via inet_aton according to some unusual rules detailed in the man page for that function. Specifically, it is expanded to 192.168.0.2, so you end up scanning the equivalent of 192.168.0.0/24, which is also not what you wanted to scan.
The solution is to always use all 4 octets of an IPv4 address to avoid odd interpretations.
Related
I have just started learning about the use of nmap and while doing so, I am unable to find much information on a particular command.
This is the command I am using: nmap -sP 192.168.100.0/24 to scan for the list of connected devices on the network.
While the ip address used is the subnet ip, I am having trouble understanding what /24 does.
Can someone kindly share any insights to me?
/24 specifies the netmask to use -- 24 bits in this case, so a mask of 255.255.255.0. So it will scan all addresses from 192.168.100.0 to 192.168.100.255
/24 is the prefix length used to indicate the number of network bits of an IP address.
Refer this article from Cisco: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html
Also, before starting with nmap, you must have basic knowledge about computer networks to understand different types of scan.
Executing following command "sudo nmap -sP 123.00.0.00" depending on the network might return:
Nmap scan report for 123.00.0.00
Host is up (0.28s latency).
MAC Address: 84:38:35:XX:XX:XX (Apple)
or (let's assume it's the same IP but different network)
Nmap scan report for Tomas-Mac-Book (123.00.0.00)
Host is up (0.28s latency).
MAC Address: 84:38:35:XX:XX:XX (Apple)
I'm guessing this depends on the network settings. Is there a way to get the device name in cases where only IP is returned with the above command?
With the -sP option, NMAP makes a DNS request to resolve the names of the IPS's:
. By default, Nmap still does reverse-DNS resolution on the hosts to
learn their names
From NMAP Host discovery options
So, if the network DNS is able to resolve the names of the hosts, NMAP returns the network names of each IP.
To avoid this DNS resolution, if you add a 'n', it is disabled so -snP, would never try to make a DNS resolution.
scan types, begin with -s, such as nmap -s* target_host
ping options, begin with -P, such as nmap -P* target_host
I have used wireshark and nmap to see underlying actions options -P*.
When I run both command
nmap -p9527 target_host
and
nmap -sP target_host
I found that the only distinction is that -sP cannot be used with port scan option, such as -p9525.
I wanna to clarify, whether both of two option -s* and -P* are used to detect the liveness of target host.
By the way, my environment is on kali which is running on virtual host. I used tcpdump to catch packets and wireshark to analyze.And I run commands as root user.
There are many phases to an Nmap scan, and the two that these options refer to are host discovery and port or protocol scan.
The -P* family of options are all different ways to do host discovery. The default scan (if none of these is chosen) performs host discovery using the best method available. The -Pn option tells Nmap to skip this phase altogether. It used to be documented as -PN, but we changed it to conform with the other "turn this feature off" options. Before that, it was -P0, but there was confusion between that and -PO.
The -s* family of options are all different types of port and protocol scans. The default scan is a TCP port scan with either -sS or -sT, depending on privilege level. The -sn option tells Nmap to skip this phase altogether. It used to be documented as -sP (for "Ping scan"), but that caused the kind of confusion that you and others have reported.
Usually aping scan of some sort is done first, and then the hosts that have been found to be up are scanned for open ports.
You can turn the ping scan off (-Pn). There are also many types of ping scans, including TCP on an optionally specified port. Which varieties of scan are availabledepends on whether you have root privileges. IF you are not root, then ICMP echo ping is not available.
nmap -p9527 target_host with no other options will first ping the target, and then scan TCP port 9527.
A ping scan with sP (i.e. ping only) is only for testing which hosts are up. The port scan is omitted. So yeah, it's incompatible with specifying which ports should be scanned.
I need to specify specific IP range for Nmap scan, for example:
192.168.1.140 - 192.168.3.255
If I do it like:
192.168.1-3.140-255
IP addresses like 192.168.2.7,192.168.3.7 won't be scanned (only 140-255 in 4th actet).
You will probably need to specify this as two different ranges. Nmap will accept as many target specifications as you like on the command line. Here's one way to do it:
nmap 192.168.1.140-255 192.168.2-3.0-255
Can't we just do this instead
nmap 192.168.1.0/24 192.168.2.0/24
Try this command:
nmap 192.168.1.140-192.168.3.255
I need to scan the open ports of my server.
I tried nmap by: nmap ***.dyndns.info from within my local network.
It gave me:
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-09 16:05 JST
Nmap scan report for ***.dyndns.info (***.***.***.39)
Host is up (0.00097s latency).
rDNS record for ***.***.***.39: ************.ne.jp
Not shown: 994 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
Then I tried the open ports tool provided by dyndns.com by specifying a specific port like:
global ip address 23
global ip address 53
global ip address 80
For each of those tests, it gave me "timed out" as a result, which is contradictory with the nmap results.
I know that depending on the way that nmap performs the tests, it may turn out that the result is "open".
So, I think the best way to test the ports of a given server is from outside, like the dyndns open ports tool.
But I'd like to test all ports at once, as opposed to one by one.
Is there any reliable tool for that, especially that I can use in command line?
I am on ubuntu 10.10.
Try Gibson Research Corporation ShieldsUP. It will test your firewall.
Note that whether or not a port is 'open' is also a function of the requesting source host and port; it is pretty easy to configure a firewall system to open a port for a specific set of source IP and port ranges. So there's no sure-fire way to tell if a port is open or not from the outside; netstat -an or similar tools will more reliably tell you which ports are open. (Except in the case of a rootkit, but any respectable rootkit would probably limit access to the open ports to a handful of netblocks as well, just to keep their property theirs.)
It'd be a piece of cake to buy a VPS slice from your favorite hosting provider for $10 for a month and portscan your own machine; nmap's default -T3 scanning option already parallelizes the scan, which is useful, but if your network connection is decent, -T4 may go more quickly.