
nmap output interpretation?

blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Tue Oct 18, 2011 6:30 pm

nmap output interpretation?

I scanned 5 hosts in my local network using a basic nmap command.

#nmap ip-1, ip-2, ip-3, ip-4, ip-5

What I didn't quite understand is why, at the end of the scan, nmap reported it scanned 9 IP addresses.

Nmap done: 9 IP addresses (5 hosts up) scanned in 30.47 seconds

Any idea what's going on here?

Appreciate your help.
Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Tue Oct 18, 2011 7:28 pm

Re: nmap output interpretation?

Try using the -v option for more details... You could also run a sniffer during the scan to see exactly what is happening.
Last edited by Dark_Knight on Tue Oct 18, 2011 7:32 pm, edited 1 time in total.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
hurtl0cker

Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 10:09 am

Location: WWW

Post Tue Oct 18, 2011 11:14 pm

Re: nmap output interpretation?

Use the verbose output option with the '-v' command line flag, or increase the verbosity level with '-vv'.

Try the '--packet-trace' command line flag; this option causes Nmap to print a summary of every packet it sends and receives. This can be extremely useful for debugging or understanding Nmap's behavior.
Last edited by hurtl0cker on Tue Oct 18, 2011 11:17 pm, edited 1 time in total.
“Knowing is not enough; we must apply. Willing is not enough: we must do.”
- Bruce Lee
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Oct 19, 2011 6:17 am

Re: nmap output interpretation?

Or, to add to hurtl0cker's packet trace thought, fire up Wireshark and see what you're actually sending / receiving from nmap, too. It's a good way to learn, by seeing what your selected options are actually doing under the covers.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Wed Oct 19, 2011 8:08 am

Re: nmap output interpretation?

Thanks everyone for your advice. I did try the verbose option.

It appears nmap is scanning 192.168.xx.0 ip address multiple times. I didn't ask nmap to scan that host by the way. Not sure if that is the default behavior.
SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Wed Oct 19, 2011 8:18 am

Re: nmap output interpretation?

Good learning experiment  ;)
sectestanalysis.blogspot.com/‎
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Oct 19, 2011 8:54 am

Re: nmap output interpretation?

So, blueaxis...  Let me ask you this, as you think about your nmap question:

What IS that 192.168.xx.0 address?  (As if I don't know  ;))  Might help you understand the behavior a bit, down the road...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Wed Oct 19, 2011 9:44 am

Re: nmap output interpretation?

It appears that ".0" address would be a broadcast address. Feel free to correct me if that isn't the case.
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Oct 19, 2011 1:56 pm

Re: nmap output interpretation?

.0 is more than likely the network address. The network address is the first address in the block; the broadcast is the last.
OSWP, Sec+
SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Wed Oct 19, 2011 8:39 pm

Re: nmap output interpretation?

That's correct, .0 generally represents the default class C network address. Unless the network is subnetted, the broadcast address would be .254, right?
sectestanalysis.blogspot.com/‎
eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Wed Oct 19, 2011 9:58 pm

Re: nmap output interpretation?

I believe the broadcast address would be 192.168.xx.255

If you wanted to scan your entire subnet (assuming the subnet mask is 255.255.255.0), you could do this:
# nmap 192.168.xx.0/24

happy hacking, nmap is a lot of fun and an amazing asset once you learn it. :)
Put that in your pipe and grep it!
blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Thu Oct 20, 2011 8:20 am

Re: nmap output interpretation?

Some more updates on this.

This time I made sure Wireshark was running while performing the nmap scan; strangely, 192.168.xx.0 doesn't show up in the capture. It is, however, displayed in the nmap output.

I will try it a couple more times today and see if I can spot anything.
SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Oct 20, 2011 10:57 am

Re: nmap output interpretation?

IMO, Nmap is likely telling you something about the network itself. I haven't tried it to see if this is normal, but in any case you won't see any packets from .0, as it can't be assigned to network devices, nor can the broadcast address.
sectestanalysis.blogspot.com/‎
idr0p

Newbie

Posts: 49

Joined: Fri Jun 17, 2011 8:46 pm

Post Mon Oct 24, 2011 8:16 pm

Re: nmap output interpretation?

My guess, if you look at the captures:

You are scanning

x.0, x.1, x.2, x.3, x.4

nmap scans
x.1 - gets response
x.2 - gets response
x.3 - gets response
x.4 - gets response
x.0 - (network scan) gets response from x.1, x.2, x.3, x.4
Nmap now goes.. oohh, more things to play with, so it scans all the IPs that respond.
x.1 - gets response
x.2 - gets response
x.3 - gets response
x.4 - gets response

= 9 instances.
GCIA GCIH GPEN GWAPT
Up Next: CISA CISSP
Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Oct 25, 2011 8:44 am

Re: nmap output interpretation?

eth3real wrote:I believe the broadcast address would be 192.168.xx.255

If you wanted to scan your entire subnet (assuming the subnet mask is 255.255.255.0), you could do this:
# nmap 192.168.xx.0/24


unless you come across something like this: 192.168.0.0/27  >:(

Then your broadcast is 192.168.0.31 and network is 192.168.0.1 (I hate you CCNA book but some day I will finish you).
Certs: GCWN
(@)Dewser
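An added example (Python; not from any poster and not Nmap's own code) that ties the two questions in this thread together: how many addresses a target list expands to, and which of them are the network or broadcast address of a given prefix. It re-implements a subset of Nmap's documented target syntax (per-octet comma lists and dash ranges, plus CIDR). The OP's command line passes each address with a trailing comma as a separate argument; this code ASSUMES an empty comma-separated element is read as octet value 0, which would make four such arguments yield four extra .0 entries, matching the 9 addresses and the repeated 192.168.xx.0 reported above. Whether a given Nmap build does exactly that should be confirmed with `nmap -sL`, which only lists the targets and sends nothing.

```python
"""Expand Nmap-style IPv4 target specs and flag network/broadcast addresses.

Added example for this thread; it is not Nmap's code. It re-implements a
subset of Nmap's target grammar (per-octet comma lists and dash ranges, plus
CIDR) so you can count, offline, how many addresses a command line denotes.
ASSUMPTION: an empty comma-separated element (a stray trailing comma such as
"192.168.1.1,") is read as octet value 0. Confirm what your build does with
`nmap -sL <targets>`, which lists targets without sending a probe.
"""
import ipaddress
from itertools import product


def _octet_values(spec):
    """Expand one octet spec: '7' -> [7], '1-3' -> [1, 2, 3], '1,5' -> [1, 5],
    '-' -> 0..255, '' -> [0] (assumption documented above)."""
    values = []
    for part in spec.split(","):
        if part == "":
            values.append(0)  # assumption: empty element treated as 0
            continue
        if "-" in part:
            lo_s, _, hi_s = part.partition("-")
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet spec {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec):
    """Return the IPv4Address objects one target expression denotes.
    A CIDR block includes its network and broadcast addresses, as a bare
    'nmap 192.168.xx.0/24' would (256 targets)."""
    if "/" in spec:
        return list(ipaddress.ip_network(spec, strict=False))
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    return [
        ipaddress.IPv4Address(".".join(str(o) for o in combo))
        for combo in product(*(_octet_values(o) for o in octets))
    ]


def expand_targets(argv):
    """Expand every target argument; duplicates are kept so the count matches
    the 'N IP addresses' total that Nmap prints."""
    addresses = []
    for arg in argv:
        addresses.extend(expand_target(arg))
    return addresses


def subnet_bounds(cidr):
    """Network, broadcast and usable-host range of a prefix, e.g. a /27."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": net.network_address,
        "broadcast": net.broadcast_address,
        "first_host": hosts[0],
        "last_host": hosts[-1],
        "usable_hosts": len(hosts),
    }


def classify(addr, prefixlen=24):
    """'network', 'broadcast' or 'host' for addr within its /prefixlen block."""
    addr = ipaddress.IPv4Address(addr)
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    # Constructed reproduction of the shell splitting 'nmap a, b, c, d, e'
    # into five arguments, four of them ending in a comma.
    argv = ["192.168.1.1,", "192.168.1.2,", "192.168.1.3,",
            "192.168.1.4,", "192.168.1.5"]
    targets = expand_targets(argv)
    print(f"{len(targets)} IP addresses:")
    for t in targets:
        print(f"  {t}  ({classify(t)})")
    print(subnet_bounds("192.168.0.0/27"))
```

Running it prints the nine-entry expansion (with 192.168.1.0 appearing four times, each flagged as the network address) and the bounds of 192.168.0.0/27, where the network address is .0, the first usable host .1, the last usable host .30 and the broadcast .31. The -sL list scan on your own build remains the authoritative check for how it parsed a given command line.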