EH-Net
Author Topic: nmap output interpretation?  (Read 7012 times)
blueaxis
Newbie
Posts: 44
« on: October 18, 2011, 06:30:42 PM »

I scanned 5 hosts in my local network using basic nmap command.

#nmap ip-1, ip-2, ip-3, ip-4, ip-5

What I didn't quite understand is why, at the end of the scan, nmap reported that it had scanned 9 IP addresses.

Nmap done: 9 IP addresses (5 hosts up) scanned in 30.47 seconds

Any idea what's going on here?

Appreciate your help.
Dark_Knight
Sr. Member
Posts: 292
« Reply #1 on: October 18, 2011, 07:28:26 PM »

Try using the -v option for more details.... You could also run a sniffer during the scan to see exactly what is happening.
« Last Edit: October 18, 2011, 07:32:36 PM by Dark_Knight »

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
hurtl0cker
Jr. Member
Posts: 73
« Reply #2 on: October 18, 2011, 11:14:42 PM »

Use the verbose output option with the '-v' command-line flag, or increase the verbosity level with '-vv'.

Try using the '--packet-trace' command-line flag; this option causes Nmap to print a summary of every packet it sends and receives. This can be extremely useful for debugging or understanding Nmap's behavior.
« Last Edit: October 18, 2011, 11:17:48 PM by hurtl0cker »

“Knowing is not enough; we must apply. Willing is not enough: we must do.”
- Bruce Lee
hayabusa
Hero Member
Posts: 1633
« Reply #3 on: October 19, 2011, 06:17:39 AM »

Or to add to hurtl0cker's packet trace thought, fire up Wireshark, and see what you're actually sending / receiving from nmap, too.  It's a good way to learn, by seeing what your selected options are actually doing, under the covers.

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
blueaxis
Newbie
Posts: 44
« Reply #4 on: October 19, 2011, 08:08:15 AM »

Thanks everyone for your advice. I did try the verbose option.

It appears nmap is scanning 192.168.xx.0 ip address multiple times. I didn't ask nmap to scan that host by the way. Not sure if that is the default behavior.
SephStorm
Hero Member
Posts: 530
« Reply #5 on: October 19, 2011, 08:18:34 AM »

Good learning experiment ;)
hayabusa
Hero Member
Posts: 1633
« Reply #6 on: October 19, 2011, 08:54:47 AM »

So, blueaxis...  Let me ask you this, as you think about your nmap question:

What IS that 192.168.xx.0 address?  (As if I don't know ;) )  Might help you understand the behavior a bit, down the road...

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
blueaxis
Newbie
Posts: 44
« Reply #7 on: October 19, 2011, 09:44:40 AM »

It appears that ".0" address would be a broadcast address. Feel free to correct me if that isn't the case.
chrisj
Hero Member
Posts: 1163
« Reply #8 on: October 19, 2011, 01:56:32 PM »

.0 is more than likely the network address. The network address is the first address in the block; the broadcast is the last.

OSWP, Sec+
SephStorm
Hero Member
Posts: 530
« Reply #9 on: October 19, 2011, 08:39:00 PM »

That's correct, .0 generally represents the default class C network address. Unless the network is subnetted, the broadcast address would be .254, right?
eth3real
Sr. Member
Posts: 309
« Reply #10 on: October 19, 2011, 09:58:22 PM »

I believe the broadcast address would be 192.168.xx.255

If you wanted to scan your entire subnet (assuming the subnet mask is 255.255.255.0), you could do this:
# nmap 192.168.xx.0/24

Happy hacking, nmap is a lot of fun and an amazing asset once you learn it. :)

Put that in your pipe and grep it!
blueaxis
Newbie
Posts: 44
« Reply #11 on: October 20, 2011, 08:20:38 AM »

Some more updates on this.

This time I made sure Wireshark was enabled while performing the nmap scan; strangely, 192.168.xx.0 doesn't show up in the capture. It is, however, displayed in the nmap output.

I will try it a couple more times today and see if I can spot anything.
SephStorm
Hero Member
Posts: 530
« Reply #12 on: October 20, 2011, 10:57:46 AM »

IMO, Nmap is likely telling you something about the network itself. I haven't tried it to see if this is normal, but in any case, you won't see any packets from .0, as it can't be assigned to network devices, nor can the broadcast address.
idr0p
Newbie
Posts: 49
« Reply #13 on: October 24, 2011, 08:16:23 PM »

My guess, if you look at the captures:

you are scanning

x.0, x.1,x.2,x.3,x.4

nmap scans
x.1 - gets response
x.2 - gets response
x.3 - gets response
x.4 - gets response
x.0 - (network scan) gets response from x.1,x.2,x.3,x.4
Nmap now goes... oohh, more things to play with, so it scans all the IPs that respond.
x.1 - gets response
x.2 - gets response
x.3 - gets response
x.4 - gets response

= 9 instances.

GCIA GCIH GPEN GWAPT
Up Next: CISA CISSP
3xban
Hero Member
Posts: 608
« Reply #14 on: October 25, 2011, 08:44:03 AM »

I believe the broadcast address would be 192.168.xx.255

If you wanted to scan your entire subnet (assuming the subnet mask is 255.255.255.0), you could do this:
# nmap 192.168.xx.0/24

unless you come across something like this: 192.168.0.0/27 >:(

Then your broadcast is 192.168.0.31 and network is 192.168.0.1 (I hate you CCNA book but some day I will finish you).

Certs: GCWN
(@)Dewser
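To put numbers on the network/broadcast discussion above and on the "9 IP addresses" tally from the first post, here is an added example (not code from any poster in this thread) using Python's standard ipaddress module. 192.168.0.0/24 is a constructed stand-in for the thread's 192.168.xx.0/24; the /27 case is the one 3xban mentions.

```python
import ipaddress

# Constructed sample prefix standing in for the thread's 192.168.xx.0/24.
SAMPLE_NET = "192.168.0.0/24"


def subnet_summary(cidr):
    """Return (network address, broadcast address, usable host count) for a block.

    strict=False accepts a host address such as 192.168.0.5/27 and derives the
    network address from the mask, which is also how nmap treats such a target.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    # /31 and /32 have no separate network/broadcast pair; clamp at zero.
    usable = max(net.num_addresses - 2, 0)
    return str(net.network_address), str(net.broadcast_address), usable


def classify(addr, cidr):
    """Label addr as 'network', 'broadcast', 'host' or 'outside' relative to cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def expand_targets(targets):
    """Expand a mixed list of single IPs and CIDR blocks into the sorted list of
    unique addresses; its length is what a 'N IP addresses' tally would count."""
    seen = set()
    for t in targets:
        if "/" in t:
            # Iterating a network yields every address, network and broadcast included.
            seen.update(ipaddress.ip_network(t, strict=False))
        else:
            seen.add(ipaddress.ip_address(t))
    return sorted(seen)


if __name__ == "__main__":
    for cidr in (SAMPLE_NET, "192.168.0.0/27"):
        print(cidr, "->", subnet_summary(cidr))
    # The first post's five targets, with the .0 address among them.
    hosts = expand_targets(["192.168.0.0", "192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.0.4"])
    print(len(hosts), "unique targets")
    for a in hosts:
        print(a, classify(str(a), SAMPLE_NET))
```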
© 2013 The Ethical Hacker Network