-1

I used nmap to look up my Raspis on my local lan and I made a mistake defining the IP-Range. Instead of

nmap -sn 192.168.2.0/24

I typed

nmap -sn 192.168.2./24

Nmap returned external IP-addresses:

Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-14 10:09 CEST
Nmap scan report for dns1.hadcs.de (62.138.238.1)
Host is up (0.023s latency).
Nmap scan report for cmdb.hadcs.de (62.138.238.10)
Host is up (0.032s latency).
Nmap scan report for monitoring.hadcs.de (62.138.238.15)
Host is up (0.026s latency).
Nmap scan report for confluence.hadcs.de (62.138.238.16)
...

I want to understand what's happening here. In combination with nse-options this behavior may result in serious legal problems (at least in Germany).

straik
  • 1
  • 1

1 Answers1

0

Probably neither of those is what you wanted, which is 192.168.2.0/24.

When you enter 192.168.2./24, the final . makes the address be interpreted as a hostname to be looked up via DNS. Your ISP (or someone) is intercepting NXDOMAIN (name not found) responses and injecting its own answers. So instead of Failed to resolve "192.168.2." which is expected, you get an answer that is something like 62.138.238.16. Nmap then applies the CIDR bitmask to expand that into the network of 256 adjacent addresses.

Using 192.168.2/24, the base address is expanded via inet_aton according to some unusual rules detailed in the man page for that function. Specifically, it is expanded to 192.168.0.2, so you end up scanning the equivalent of 192.168.0.0/24, which is also not what you wanted to scan.

The solution is to always use all 4 octets of an IPv4 address to avoid odd interpretations.

bonsaiviking
  • 5,825
  • 1
  • 20
  • 35
  • Thank you, that was helpful. Yes, my ISP (Telecom) intercepts NXDOMAIN and injects ads masked as a searchpage. – straik Oct 16 '17 at 21:42