4

On an Ubuntu VMware VM I ran:

sudo nmap -sP 192.168.0.*

This returned:

Starting Nmap 5.00 ( http://nmap.org ) at 2010-12-28 22:46 PST

Host 192.168.0.0 is up (0.00064s latency).
Host 192.168.0.1 is up (0.00078s latency).
Host 192.168.0.2 is up (0.00011s latency).
.
.
.
Host 192.168.0.254 is up (0.00068s latency).
Host 192.168.0.255 is up (0.00066s latency).

So, nmap reported that every IP in the subnet 192.168.0.* was live. The problem is I only have 4 live machines on 192.168.0.*, so why did nmap report that every IP address was live?

The IP address of the Ubuntu VM is 192.168.28.131. From this VM I can ping the live systems on my internal subnet 192.168.0.* and get the expected response. And if I ping a machine that doesn't exist I get no response, as expected.

user9517
martianway

4 Answers

8

Try the --unprivileged parameter

...like nmap -sP --unprivileged 192.168.0.*

cyba84
  • I don't know exactly why, but this did the trick. Without this many IPs are reported as UP even when I have nothing at that address and ping reports no response. – Luis Vazquez Aug 05 '20 at 22:28
2

Some firewalls can explain this behavior.

Instead of blocking ICMP, they will respond to each echo request they receive.

In this case, it could be due to VMware and the type of virtual network you're using.

petrus
  • The thing is, if I use the ping command from the VM it works as expected. Why would it behave one way for ping and another for nmap? – martianway Dec 29 '10 at 09:28
  • nmap sends not only ICMP echo requests but also TCP probes: http://nmap.org/book/man-host-discovery.html. This could explain the difference. – petrus Dec 29 '10 at 09:43
1

Short answer

Switch your network adapter mode to bridged.

or

disable the TCP ACK scan and ICMP scan with the --unprivileged flag.

Long answer

Note that the -sP flag was changed to the -sn flag.

The -sn flag checks whether the target host is up via the following methods:

  • nmap receives ICMP reply to ICMP ECHO_REQUEST request
  • nmap receives ICMP reply to ICMP TIMESTAMP_REQUEST request
  • nmap receives TCP SYN/ACK reply to TCP(port 443) SYN request
  • nmap receives TCP RST reply to TCP(port 80) ACK request

If you run an nmap scan from a VMware machine with the network adapter in NAT mode, three things may corrupt the scan results:

  1. ICMP TIMESTAMP_REQUEST reply packets get filtered -> you may miss live hosts.
  2. The network generates TCP RST reply packets to all TCP ACK requests -> all hosts seem to be up.
  3. The network responds to all ICMP requests -> all hosts seem to be up.

References

nmap man page -PA flag

So remote hosts should always respond with a RST packet, disclosing their existence in the process.

nmap man page -sA flag

Petr Javorik
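A sanity check for the symptom discussed in this thread, as an added example (not code from any of the posters): it parses ping-scan output in the Nmap 5.00 line format shown in the question and flags results that look like a NAT device or firewall answering on behalf of the targets. The function names, the 0.9 threshold and the sample scans are assumptions made for illustration, and the checks are heuristics, not proof.

```python
import ipaddress
import re

# Line format printed by Nmap 5.00 in the question:
#   "Host 192.168.0.1 is up (0.00078s latency)."
HOST_UP = re.compile(r"^Host (\d+\.\d+\.\d+\.\d+) is up\b", re.MULTILINE)

def up_hosts(scan_output):
    """Return the set of addresses the scan reported as up."""
    return {ipaddress.ip_address(m) for m in HOST_UP.findall(scan_output)}

def check_ping_scan(scan_output, cidr, max_up_ratio=0.9):
    """Return reasons the 'up' results look like replies from a middlebox."""
    net = ipaddress.ip_network(cidr)
    up = {h for h in up_hosts(scan_output) if h in net}
    reasons = []
    # The network and broadcast addresses are not hosts. If they are "up",
    # something other than a target machine answered the probe.
    for special, name in ((net.network_address, "network"),
                          (net.broadcast_address, "broadcast")):
        if special in up:
            reasons.append(f"{name} address {special} reported up")
    # A fully populated subnet is rare; near-100% "up" suggests the probes
    # were answered before they reached the real hosts.
    if len(up) / net.num_addresses >= max_up_ratio:
        reasons.append(f"{len(up)}/{net.num_addresses} addresses reported up")
    return reasons

def _fake_scan(addresses):
    """Build constructed sample output in the Nmap 5.00 format."""
    return "\n".join(f"Host {a} is up (0.00064s latency)." for a in addresses)

# Constructed samples: every address up (as in the question) versus
# four live machines (what the asker expected to see).
NAT_SCAN = _fake_scan(ipaddress.ip_network("192.168.0.0/24"))
BRIDGED_SCAN = _fake_scan(["192.168.0.1", "192.168.0.10",
                           "192.168.0.20", "192.168.0.30"])

if __name__ == "__main__":
    for label, text in (("NAT", NAT_SCAN), ("bridged", BRIDGED_SCAN)):
        print(label, check_ping_scan(text, "192.168.0.0/24") or "plausible")
```

If the check fires, rerun the scan with one of the changes suggested in the answers (bridged adapter mode or --unprivileged) and compare the two result sets.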
-3

Super quick scan, eliminate the need to return the FQDN (-n)

-sP -PS -n 10.0.0.0/8

Check this out to learn more - https://nmap.org/docs/discovery.pdf

  • Is this actually an answer to the question? I can't tell, suggesting that, at best, it's not a *good* answer. You may wish to do something about that. – HopelessN00b Feb 24 '16 at 06:38