This topic has 16 replies, 11 voices, and was last updated 9 years, 3 months ago by ev0wpnz.
October 18, 2011 at 11:30 pm #6930
blueaxis
Participant
I scanned 5 hosts in my local network using a basic nmap command.
#nmap ip-1, ip-2, ip-3, ip-4, ip-5
What I didn't quite understand is why, at the end of the scan, nmap reported that it scanned 9 IP addresses.
Nmap done: 9 IP addresses (5 hosts up) scanned in 30.47 seconds
Any idea what's going on here?
Appreciate your help.
-
October 19, 2011 at 12:28 am #43029
Dark_Knight
Participant
Try using the -v option for more details. You could also run a sniffer during the scan to see exactly what is happening.
-
October 19, 2011 at 4:14 am #43030
hurtl0cker
Participant
Use the verbose output option with the '-v' command line flag, or increase the verbosity level using '-vv'.
Also try the '--packet-trace' command line flag; this option causes Nmap to print a summary of every packet it sends and receives. This can be extremely useful for debugging or understanding Nmap's behavior.
-
October 19, 2011 at 11:17 am #43031
hayabusa
Participant
Or, to add to hurtl0cker's packet trace thought, fire up Wireshark and see what you're actually sending / receiving from nmap, too. It's a good way to learn, by seeing what your selected options are actually doing under the covers.
-
October 19, 2011 at 1:08 pm #43032
blueaxis
Participant
Thanks everyone for your advice. I did try the verbose option.
It appears nmap is scanning the 192.168.xx.0 IP address multiple times. I didn't ask nmap to scan that host, by the way. Not sure if that is the default behavior.
-
October 19, 2011 at 1:18 pm #43033
SephStorm
Participant
Good learning experiment 😉
-
October 19, 2011 at 1:54 pm #43034
hayabusa
Participant
So, blueaxis... Let me ask you this, as you think about your nmap question:
What IS that 192.168.xx.0 address? (As if I don't know ;)) It might help you understand the behavior a bit, down the road...
-
October 19, 2011 at 2:44 pm #43035
blueaxis
Participant
It appears that the ".0" address would be a broadcast address. Feel free to correct me if that isn't the case.
-
October 19, 2011 at 6:56 pm #43036
rattis
Participant
.0 is more than likely the network address. The network address is the first address in the block; the broadcast is the last.
-
October 20, 2011 at 1:39 am #43037
SephStorm
Participant
That's correct, .0 generally represents the default class C network address. Unless the network is subnetted, the broadcast address would be .254, right?
-
October 20, 2011 at 2:58 am #43038
eth3real
Participant
I believe the broadcast address would be 192.168.xx.255
If you wanted to scan your entire subnet (assuming the subnet mask is 255.255.255.0), you could do this:
# nmap 192.168.xx.0/24
Happy hacking, nmap is a lot of fun and an amazing asset once you learn it. 🙂
-
October 20, 2011 at 1:20 pm #43039
blueaxis
Participant
Some more updates on this.
This time I made sure Wireshark was running while performing the nmap scan; strangely, 192.168.xx.0 doesn't show up in the capture. It is, however, displayed in the nmap output.
I will try it a couple more times today and see if I can spot anything.
-
October 20, 2011 at 3:57 pm #43040
SephStorm
Participant
IMO, Nmap is likely telling you something about the network itself. I haven't tried it to see if this is normal, but in any case, you won't see any packets from .0, as it can't be assigned to network devices, nor can the broadcast address.
-
October 25, 2011 at 1:16 am #43041
idr0p
Participant
My guess, if you look at the captures:
You are scanning
x.0, x.1, x.2, x.3, x.4
nmap scans
x.1 – gets response
x.2 – gets response
x.3 – gets response
x.4 – gets response
x.0 – (network scan) gets response from x.1, x.2, x.3, x.4
Nmap now goes "oohh, more things to play with", so it scans all the IPs that respond:
x.1 – gets response
x.2 – gets response
x.3 – gets response
x.4 – gets response
= 9 instances.
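One way to check what a target expression actually expands to, before reading anything into the "N IP addresses" total, is to enumerate it yourself (nmap's own equivalent is a list scan, `nmap -sL <targets>`, which prints the targets without sending a probe). The block below is an added example written for this thread, not Nmap's code: a small re-implementation of Nmap's documented IPv4 target syntax (per-octet lists such as `1,3,5`, ranges such as `1-5`, open ranges `-5` / `200-`, and a `/prefix` suffix). Two points it makes concrete: a `/24` expands to all 256 addresses including the `.0` network address, and nmap counts each command-line expression separately rather than de-duplicating across them, so an address that appears in two expressions is counted (and scanned) twice. An empty list element such as a trailing comma (`192.168.1.10,`) is rejected as malformed here; what the real parser does with it should be confirmed with `-sL` rather than assumed.

```python
import ipaddress
import itertools

# Added example, not Nmap's own code: a minimal re-implementation of the
# documented IPv4 target syntax (per-octet lists "1,3,5", ranges "1-5",
# open ranges "-5" / "200-", and a trailing "/prefix"), so you can count
# what a target expression expands to before you run the scan.


def _expand_octet(spec):
    """Expand one dotted field, e.g. "1,3,5", "10-20" or "-", into sorted ints."""
    values = set()
    for part in spec.split(","):
        if part == "":
            # A trailing or doubled comma ("10,") is treated as malformed here.
            # Real nmap may accept it; check what it actually does with -sL.
            raise ValueError(f"empty element in octet spec {spec!r}")
        if "-" in part:
            lo_s, _, hi_s = part.partition("-")
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet value out of range in {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_targets(spec):
    """Expand a single target expression into a sorted list of IPv4Address.

    A "/prefix" suffix is applied to every address the octets produce and
    expands to the whole block, network and broadcast addresses included
    (nmap scans .0 and .255 of a /24 unless you exclude them).
    """
    addr, _, prefix = spec.partition("/")
    fields = addr.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four dotted fields in {spec!r}")
    result = set()
    for combo in itertools.product(*(_expand_octet(f) for f in fields)):
        ip = ipaddress.IPv4Address(".".join(map(str, combo)))
        if prefix:
            # Iterating an IPv4Network yields every address in the block.
            result.update(ipaddress.IPv4Network((ip, int(prefix)), strict=False))
        else:
            result.add(ip)
    return sorted(result)


def count_targets(*specs):
    """Total addresses across several command-line expressions.

    Repeats are counted separately: by default nmap handles each expression
    on its own and does not de-duplicate across them (newer releases offer
    --unique for that), so the same host can be scanned more than once and
    still be counted in "Nmap done: N IP addresses".
    """
    return sum(len(expand_targets(s)) for s in specs)


def is_valid_spec(spec):
    """True if the expression parses under the rules above."""
    try:
        expand_targets(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample expressions; none of these addresses is real.
    for spec in ("192.168.1.1,2,3", "192.168.3-5,7.1", "192.168.1.0/30", "10.0.0.1-5"):
        print(f"{spec:18} -> {count_targets(spec)} addresses: "
              + ", ".join(str(ip) for ip in expand_targets(spec)))
```

Run it and compare the counts with what `nmap -sL` prints for the same strings; if the two disagree for the exact command you typed, the difference is in how nmap parsed your target list, which is the thing to look at before suspecting the network.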
-
October 25, 2011 at 1:44 pm #43042
Triban
Participant
@eth3real wrote:
I believe the broadcast address would be 192.168.xx.255
If you wanted to scan your entire subnet (assuming the subnet mask is 255.255.255.0), you could do this:
# nmap 192.168.xx.0/24
Unless you come across something like this: 192.168.0.0/27 >:(
Then your broadcast is 192.168.0.31 and network is 192.168.0.1 (I hate you CCNA book, but some day I will finish you).
-
October 25, 2011 at 3:31 pm #43043
mambru
Participant
@Triban wrote:
Unless you come across something like this: 192.168.0.0/27 >:(
Then your broadcast is 192.168.0.31 and network is 192.168.0.1
This is usually true; there are some cases where the network address works as broadcast though.
http://www.whitehats.ca/main/members/Jeff/gcia_assign_2/gcia_assign_2.html
http://www.netbsd.org/docs/guide/en/chap-net-practice.html#chap-net-practice-kernel-options
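Since the thread goes back and forth on which address is the network, which is the broadcast, and what the first usable host is (for a /24, a /27, and the subnetted case), here is an added example, not from any of the posters, that derives them with Python's standard `ipaddress` module and classifies an arbitrary address against a block. It does not model the old all-zeros-broadcast behaviour mambru's links describe; it gives the conventional answer, where the network address is the first address of the block and the broadcast is the last.

```python
import ipaddress

# Added example, not from the thread: derive the network address, broadcast
# address and usable host range from a CIDR block, then classify a single
# address against it. Standard library only.


def subnet_facts(cidr):
    """Return the addresses people usually mix up for a block like 192.168.0.0/27."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # strict=False accepts a host address too
    hosts = list(net.hosts())                         # excludes network and broadcast
    return {
        "network": str(net.network_address),          # first address in the block
        "broadcast": str(net.broadcast_address),      # last address in the block
        "netmask": str(net.netmask),
        "first_host": str(hosts[0]) if hosts else None,
        "last_host": str(hosts[-1]) if hosts else None,
        "usable_hosts": len(hosts),
    }


def classify(ip, cidr):
    """'network', 'broadcast', 'host' or 'outside' for ip relative to cidr."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    addr = ipaddress.IPv4Address(ip)
    if addr not in net:
        return "outside"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    # Constructed sample blocks matching the ones discussed above.
    for cidr in ("192.168.5.0/24", "192.168.0.0/27", "192.168.0.40/27"):
        print(cidr, subnet_facts(cidr))
    for ip in ("192.168.0.0", "192.168.0.1", "192.168.0.31", "192.168.0.32"):
        print(ip, "is", classify(ip, "192.168.0.0/27"))
```

For 192.168.0.0/27 this gives network 192.168.0.0, first host 192.168.0.1, last host 192.168.0.30 and broadcast 192.168.0.31, so .1 is the first usable host rather than the network address; for a /24 the broadcast is .255, not .254. Passing a host address such as 192.168.0.40/27 shows that the block boundaries move with the prefix (network .32, broadcast .63), which is the case that trips people up when a network is subnetted.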
-
November 9, 2011 at 2:57 am #43044
ev0wpnz
Participant
Can you provide us with a screenshot or a copy and paste of the command you ran and its output? I think this would be much more helpful in diagnosing this issue.