nmap output interpretation?

    • #6930
      blueaxis
      Participant

      I scanned 5 hosts in my local network using basic nmap command.

      #nmap ip-1, ip-2, ip-3, ip-4, ip-5

      What I didn’t quite understand is why, at the end of the scan, nmap reported that it scanned 9 IP addresses.

      Nmap done: 9 IP addresses (5 hosts up) scanned in 30.47 seconds

      Any idea what’s going on here?

      Appreciate your help.

    • #43029
      Dark_Knight
      Participant

      Try using the -v option for more details… You could also run a sniffer during the scan to see exactly what is happening.

    • #43030
      hurtl0cker
      Participant

      Use the verbose output option with the ‘-v’ command line flag, or increase the verbosity level with ‘-vv’.

      Try using the ‘--packet-trace’ command line flag; this option causes Nmap to print a summary of every packet it sends and receives. This can be extremely useful for debugging or understanding Nmap’s behavior.

    • #43031
      hayabusa
      Participant

      Or to add to hurtl0cker’s packet trace thought, fire up Wireshark, and see what you’re actually sending / receiving from nmap, too.  It’s a good way to learn, by seeing what your selected options are actually doing, under the covers.

    • #43032
      blueaxis
      Participant

      Thanks everyone for your advice. I did try the verbose option.

      It appears nmap is scanning the 192.168.xx.0 IP address multiple times. I didn’t ask nmap to scan that host, by the way. Not sure if that is the default behavior.

    • #43033
      SephStorm
      Participant

      Good learning experiment  😉

    • #43034
      hayabusa
      Participant

      So, blueaxis…  Let me ask you this, as you think about your nmap question:

      What IS that 192.168.xx.0 address?  (As if I don’t know  ;))  Might help you understand the behavior a bit, down the road…

    • #43035
      blueaxis
      Participant

      It appears that “.0” address would be a broadcast address. Feel free to correct me if that isn’t the case.

    • #43036
      rattis
      Participant

      .0 is more than likely the network address. The network address is the first address in the block; the broadcast is the last.

    • #43037
      SephStorm
      Participant

      That’s correct, .0 generally represents the default class C network address. Unless the network is subnetted, the broadcast address would be .254, right?

    • #43038
      eth3real
      Participant

      I believe the broadcast address would be 192.168.xx.255

      If you wanted to scan your entire subnet (assuming the subnet mask is 255.255.255.0), you could do this:
      # nmap 192.168.xx.0/24

      happy hacking, nmap is a lot of fun and an amazing asset once you learn it. 🙂

    • #43039
      blueaxis
      Participant

      Some more updates on this.

      This time I made sure Wireshark was running while performing the nmap scan, and strangely, 192.168.xx.0 doesn’t show up in the capture. It is, however, displayed in the nmap output.

      I will try it a couple more times today and see if I can spot anything.

    • #43040
      SephStorm
      Participant

      IMO, Nmap is likely telling you something about the network itself. I haven’t tried it to see if this is normal, but in any case, you won’t see any packets from .0, as it can’t be assigned to network devices, nor can the broadcast address.

    • #43041
      idr0p
      Participant

      My guess, if you look at the captures:

      you are scanning

      x.0, x.1,x.2,x.3,x.4

      nmap scans
      x.1 – gets response
      x.2 – gets response
      x.3 – gets response
      x.4 – gets response
      x.0 – (network scan) gets response from x.1,x.2,x.3,x.4
      Nmap now goes.. oohh more things to play with so it scans all the ips that respond.
      x.1 – gets response
      x.2 – gets response
      x.3 – gets response
      x.4 – gets response

      = 9 instances.

    • #43042
      Triban
      Participant

      @eth3real wrote:

      I believe the broadcast address would be 192.168.xx.255

      If you wanted to scan your entire subnet (assuming the subnet mask is 255.255.255.0), you could do this:
      # nmap 192.168.xx.0/24

      unless you come across something like this: 192.168.0.0/27  >:(

      Then your broadcast is 192.168.0.31 and network is 192.168.0.1 (I hate you CCNA book but some day I will finish you).

    • #43043
      mambru
      Participant

      unless you come across something like this: 192.168.0.0/27  >:(

      Then your broadcast is 192.168.0.31 and network is 192.168.0.1

      This is usually true; there are some cases where the network address works as broadcast though:

      http://www.whitehats.ca/main/members/Jeff/gcia_assign_2/gcia_assign_2.html

      http://www.netbsd.org/docs/guide/en/chap-net-practice.html#chap-net-practice-kernel-options
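      To check for yourself what a target list expands to and which addresses in it are network or broadcast addresses for a given mask, here is an added example (written for this thread, not part of any post or of Nmap itself). It expands plain IPv4 addresses, CIDR blocks like 192.168.xx.0/24 and Nmap's last-octet range form (192.168.1.1-5); the target strings in it are constructed for illustration.

```python
"""Expand an nmap-style target list and flag network/broadcast addresses."""
import ipaddress
from typing import Dict, List, Set


def expand_target(spec: str) -> List[ipaddress.IPv4Address]:
    """Expand one target spec into every address it covers."""
    if "/" in spec:
        # strict=False lets 192.168.0.5/27 name its whole block; list() includes .0 and broadcast
        return list(ipaddress.ip_network(spec, strict=False))
    if "-" in spec:
        # nmap octet range form, here supported only in the last octet: a.b.c.x-y
        prefix, _, last = spec.rpartition(".")
        lo, hi = (int(p) for p in last.split("-"))
        return [ipaddress.ip_address(f"{prefix}.{i}") for i in range(lo, hi + 1)]
    return [ipaddress.ip_address(spec)]


def expand_targets(specs: List[str]) -> List[ipaddress.IPv4Address]:
    """Expand all specs, de-duplicated (a host named twice is counted once) and sorted."""
    seen: Set[ipaddress.IPv4Address] = set()
    for spec in specs:
        seen.update(expand_target(spec))
    return sorted(seen)


def classify(addr: ipaddress.IPv4Address, mask_prefix: int) -> str:
    """Label an address as 'network', 'broadcast' or 'host' within its /mask_prefix subnet."""
    net = ipaddress.ip_network(f"{addr}/{mask_prefix}", strict=False)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def summarize(specs: List[str], mask_prefix: int = 24) -> Dict[str, object]:
    """Return the expanded address count (to compare with 'Nmap done: N IP addresses') and per-address labels."""
    addrs = expand_targets(specs)
    return {"count": len(addrs), "labels": {str(a): classify(a, mask_prefix) for a in addrs}}


if __name__ == "__main__":
    # Constructed examples: a /27 block as in the thread, and a list that names the .0 address explicitly
    for specs, prefix in ([["192.168.0.0/27"], 27], [["192.168.10.0", "192.168.10.1-5"], 24]):
        result = summarize(specs, prefix)
        print(f"{specs} -> {result['count']} addresses")
        for addr, label in result["labels"].items():
            if label != "host":
                print(f"  {addr} is the {label} address of its /{prefix}")
```

For the /27 case the script reports 32 addresses with 192.168.0.0 as the network address and 192.168.0.31 as the broadcast, which is the arithmetic the posts above are working through.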

    • #43044
      ev0wpnz
      Participant

      Can you provide us with a screenshot or a copy and paste of the command run and the output? I think this would be much more helpful in diagnosing this issue.

Copyright ©2021 Caendra, Inc.