Why nmap sometimes does not show device name? - nmap

Executing following command "sudo nmap -sP 123.00.0.00" depending on the network might return:
Nmap scan report for 123.00.0.00
Host is up (0.28s latency).
MAC Address: 84:38:35:XX:XX:XX (Apple)
or (let's assume it's the same IP but different network)
Nmap scan report for Tomas-Mac-Book (123.00.0.00)
Host is up (0.28s latency).
MAC Address: 84:38:35:XX:XX:XX (Apple)
I'm guessing this depends on the network settings. Is there a way to get the device name in cases where only IP is returned with the above command?

With the -sP option, NMAP makes a DNS request to resolve the names of the IPS's:
. By default, Nmap still does reverse-DNS resolution on the hosts to
learn their names
From NMAP Host discovery options
So, if the network DNS is able to resolve the names of the hosts, NMAP returns the network names of each IP.
To avoid this DNS resolution, if you add a 'n', it is disabled so -snP, would never try to make a DNS resolution.

Related

How does ping -a know the hostname of my Raspberry Pi 4?

My Raspberry Pi 4 B is connected (for the first time) to the WiFi of my PC (running Windows). Then the raspberry(ip) showed up in the list in Network Scanner of MobaXterm. What surprised me is that the list also shows the name of my Pi. And ping -a ip also shows the name.
How does this work?
When the Raspberry Pi connects to your WiFi it doesn't just get an IP address assigned. It also gets a host name assigned. It either sends its own host name to the DHCP server or the DHCP server assigns a host name.
Now, when you have an IP address, you can do a reverse search. Usually DNS works in the way that you give it a name and it returns the IP address. But there is also reverse search, give it an IP address and get a name back.
In your local network the DHCP server and your DNS resolver work together. Whenever a reverse search for a local IP address is made, the answer is fetched from the DHCP server. And the DHCP server answers with the host name from step one.
In most WiFi routers dnsmasq does this for you, on a Windows machine it is built into Windows.

nmap returning external IP's

I used nmap to look up my Raspis on my local lan and I made a mistake defining the IP-Range. Instead of
nmap -sn 192.168.2.0/24
I typed
nmap -sn 192.168.2./24
Nmap returned external IP-addresses:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-14 10:09 CEST
Nmap scan report for dns1.hadcs.de (62.138.238.1)
Host is up (0.023s latency).
Nmap scan report for cmdb.hadcs.de (62.138.238.10)
Host is up (0.032s latency).
Nmap scan report for monitoring.hadcs.de (62.138.238.15)
Host is up (0.026s latency).
Nmap scan report for confluence.hadcs.de (62.138.238.16)
...
I want to understand what's happening here. In combination with nse-options this behavior may result in serious legal problems (at least in Germany).
Probably neither of those is what you wanted, which is 192.168.2.0/24.
When you enter 192.168.2./24, the final . makes the address be interpreted as a hostname to be looked up via DNS. Your ISP (or someone) is intercepting NXDOMAIN (name not found) responses and injecting its own answers. So instead of Failed to resolve "192.168.2." which is expected, you get an answer that is something like 62.138.238.16. Nmap then applies the CIDR bitmask to expand that into the network of 256 adjacent addresses.
Using 192.168.2/24, the base address is expanded via inet_aton according to some unusual rules detailed in the man page for that function. Specifically, it is expanded to 192.168.0.2, so you end up scanning the equivalent of 192.168.0.0/24, which is also not what you wanted to scan.
The solution is to always use all 4 octets of an IPv4 address to avoid odd interpretations.

The difference between nmap option, scan types and ping options

scan types, begin with -s, such as nmap -s* target_host
ping options, begin with -P, such as nmap -P* target_host
I have used wireshark and nmap to see underlying actions options -P*.
When I run both command
nmap -p9527 target_host
and
nmap -sP target_host
I found that the only distinction is that -sP cannot be used with port scan option, such as -p9525.
I wanna to clarify, whether both of two option -s* and -P* are used to detect the liveness of target host.
By the way, my environment is on kali which is running on virtual host. I used tcpdump to catch packets and wireshark to analyze.And I run commands as root user.
There are many phases to an Nmap scan, and the two that these options refer to are host discovery and port or protocol scan.
The -P* family of options are all different ways to do host discovery. The default scan (if none of these is chosen) performs host discovery using the best method available. The -Pn option tells Nmap to skip this phase altogether. It used to be documented as -PN, but we changed it to conform with the other "turn this feature off" options. Before that, it was -P0, but there was confusion between that and -PO.
The -s* family of options are all different types of port and protocol scans. The default scan is a TCP port scan with either -sS or -sT, depending on privilege level. The -sn option tells Nmap to skip this phase altogether. It used to be documented as -sP (for "Ping scan"), but that caused the kind of confusion that you and others have reported.
Usually aping scan of some sort is done first, and then the hosts that have been found to be up are scanned for open ports.
You can turn the ping scan off (-Pn). There are also many types of ping scans, including TCP on an optionally specified port. Which varieties of scan are availabledepends on whether you have root privileges. IF you are not root, then ICMP echo ping is not available.
nmap -p9527 target_host with no other options will first ping the target, and then scan TCP port 9527.
A ping scan with sP (i.e. ping only) is only for testing which hosts are up. The port scan is omitted. So yeah, it's incompatible with specifying which ports should be scanned.

iPhone: add entry to /etc/hosts without jailbreaking

For my development process I need to access a webserver which is behind a VPN and has no DNS entry.
What I was doing on 4.x was to edit /etc/hosts on the iPhone, and add it to the hosts file.
Now I'm on 5.0 beta, and don't want to jailbreak for now just for this purpose.
Is there a way I can add a line to /etc/hosts, just for development purposes (the final, distribution application does not need this hack), without jailbreaking? Can I use other means (declare a fake DNS entry by some unknown means at application launch, for example)?
EDIT: If you're willing to purchase a small license, I recommend using Charles Proxy, a web debugging proxy tool. It will also resolve domains from your local /etc/hosts, and it gives a lot of bonus features (i.e. inspect requests/responses and throttle network speeds). I only stumbled upon this tool from a WWDC video and I'm not affiliated with the product at all. I recommend reading Chris Ching's tutorial for iPhone and Charles Proxy to get you started.
To add to Ramon's answer, a way around it is to setup your local computer as a DNS server and have your iPhone point to your computer as a DNS server. This would also work for Android devices as well
The instructions are for Mac OSX via Homebrew:
brew install dnsmasq
dnsmasq is a lightweight dns server that will fallback to the original DNS server when it encounters an unknown domain
Add the line address=/.your.domain.com/10.0.0.5 to the file /usr/local/etc/dnsmasq.conf
The IP Address 10.0.0.5 is whatever the IP address assigned to your local computer by your router. You can find this via Network Utility (if you want to be fancy, you can assign a static IP to your local computer in your router)
sudo dnsmasq
This starts dnsmasq process, and it will listen on the DNS ports
Assign your local computer and your router as your DNS servers for your computer via System Preferences -> Network -> Advanced -> DNS Tab
You'll have two entries, one for your local computer (127.0.0.1) and one for your router. The reason why you include your router's IP is dnsmasq will fulfill unknown entries through the other known DNS servers. Without the router entry, you're whatever devices connected to you dnsmasq won't know how to connect to the internet.
Set your local computer's IP Address as your DNS Server your iPhone, go to Settings -> Wi-Fi -> Info icon for your connected router -> DNS
Some things to consider:
If you shut down your machine, your iPhone won't connect to the internet anymore. Make sure to reset your iPhone's DNS server to your router's IP
By default dnsmasq will look at your /etc/hosts, so if you had pointed your.domain.com to 127.0.0.1, your iPhone will resolve your.domain.com to 127.0.0.1, which means you won't connect to anything. To change this behaviour edit uncomment the #no-hosts line in the dnsmasq config.
Sources
http://www.davesouth.org/stories/how-to-set-up-dnsmasq-on-snow-leopard-for-local-wildcard-domains
Set up a real DNS entry, either by setting up a local DNS server on your wireless network, or by using a dynamic DNS service, or by adding an A record to a domain you control DNS for.
You can also set up dnsmasq (available from macports/brew), it acts as a DNS forwarder which allows you to set all kinds of alternative records.
You can then set up the DNS on the iphone/ipad to point to the box running DNSmasq, and any host on /etc/hosts on the dnsmasq box will be returned first. If not found, dnsmasq will send the query to the upstream DNS.
Also you can add SRV records to dnsmasq.conf:
srv-host=_sip._udp.devel.foo.com,devel.foo.com,5070
And many other niceties.

Is there any reliable tool to test the open ports of a given global ip address of a given server from the outside where i can test all ports at once?

I need to scan the open ports of my server.
I tried nmap by: nmap ***.dyndns.info from within my local network.
It gave me:
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-09 16:05 JST
Nmap scan report for ***.dyndns.info (***.***.***.39)
Host is up (0.00097s latency).
rDNS record for ***.***.***.39: ************.ne.jp
Not shown: 994 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
Then I tried the open ports tool provided by dyndns.com by specifying a specific port like:
global ip address 23
global ip address 53
global ip address 80
For each of those tests, it gave me "timed out" as a result, which is contradictory with the nmap results.
I know that depending on the way that nmap performs the tests, it may turn out that the result is "open".
So, I think the best way to test the ports of a given server is from outside, like the dyndns open ports tool.
But I'd like to test all ports at once, as opposed to one by one.
Is there any reliable tool for that, especially that I can use in command line?
I am on ubuntu 10.10.
Try Gibson Research Corporation ShieldsUP. It will test your firewall.
Note that whether or not a port is 'open' is also a function of the requesting source host and port; it is pretty easy to configure a firewall system to open a port for a specific set of source IP and port ranges. So there's no sure-fire way to tell if a port is open or not from the outside; netstat -an or similar tools will more reliably tell you which ports are open. (Except in the case of a rootkit, but any respectable rootkit would probably limit access to the open ports to a handful of netblocks as well, just to keep their property theirs.)
It'd be a piece of cake to buy a VPS slice from your favorite hosting provider for $10 for a month and portscan your own machine; nmap's default -T3 scanning option already parallelizes the scan, which is useful, but if your network connection is decent, -T4 may go more quickly.