NMAP discovery scan reporting host offline, pinging the same host gets ICMP responses

I ran an nmap -sn scan on a host, and nmap reported the host as down. I then pinged the same host with ping and got ICMP responses. I’m confused, because I was sure that -sn among other things, did an ICMP echo request.

Output from my two commands:

~ $   nmap -sn 192.168.1.237   Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-16 09:35 BST Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 3.00 seconds  ~ $   ping 192.168.1.237 PING 192.168.1.237 (192.168.1.237) 56(84) bytes of data. 64 bytes from 192.168.1.237: icmp_seq=1 ttl=128 time=9.82 ms 64 bytes from 192.168.1.237: icmp_seq=2 ttl=128 time=5.25 ms 64 bytes from 192.168.1.237: icmp_seq=3 ttl=128 time=2.95 ms 64 bytes from 192.168.1.237: icmp_seq=4 ttl=128 time=9.10 ms ^C --- 192.168.1.237 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3004ms rtt min/avg/max/mdev = 2.957/6.785/9.826/2.810 ms 

Any ideas why NMAP could be confused? I’m running the scan from my Ubuntu 16.04 box, the target is a Windows 10.

nmap gives different results in two shells on the same computer

I’m running kali and metasploitable2 in Virtualbox, and have them connected via the host-only networking mode. I can ping and ssh from kali to metasploitable, and have assigned the following IP addresses: 192.168.56.1 (kali) and 192.168.56.13 (metasploitable). For some reason, I was unable to see most open ports when running a simple scan:

kali$   nmap -sV 192.168.56.13 Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-16 09:04 CEST Nmap scan report for 198.168.56.13 Host is up (0.011s latency). Not shown: 997 filtered ports PORT     STATE SERVICE     VERSION 80/tcp   open  http? 443/tcp  open  https? 8080/tcp open  http-proxy? 

But if I open another shell and run the same command I get a very different result:

kali$   nmap -sV 192.168.56.13 Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-16 09:05 CEST Nmap scan report for 192.168.56.13 Host is up (0.00029s latency). Not shown: 977 closed ports PORT     STATE SERVICE     VERSION 21/tcp   open  ftp         vsftpd 2.3.4 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 23/tcp   open  telnet      Linux telnetd 25/tcp   open  smtp        Postfix smtpd 53/tcp   open  domain      ISC BIND 9.4.2 80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2) 111/tcp  open  rpcbind     2 (RPC #100000) 139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 512/tcp  open  exec        netkit-rsh rexecd --- snip ---- 

This is a potentially very much a beginner question but what could be giving these differences between the shells? The env variables were identical in both.

NMAP not showing all live hosts

So I have a live host on 192.168.0.151 on my local network. I know it’s life since I’ve set it up with a static IP and also if pinged I get a reply.

Now the weird thing is when I run nmap -sP 192.168.0.151 I can see that the host is up indeed, but when running nmap -sP 192.168.0.1/24 it goes straight pass it and shows that it’s down.. I’ve trying this same exact thing using arp and python module called scapy and I seem to consistently have the same issue where I cannot for some reason specify an IPv4 range to do an arp request on….

what i do in scapy is:

#/usr/bin/env python  import scapy.all as scapy  scappy.arping("192.168.0.1/24") 

How can Nmap bypass Windows Server firewall rules?

I need to block all communication (inbound/outbound) from server A to server B (all ports/all protocols). Server A should communicate with every machine except server B. I can’t place firewall rules on server B, so I have placed all rules on server A.

I have done the following on server A:

  • First I disabled all default firewall rules (inbound/outbound) on server A. (This is required.)
  • Then I created an inbound rule that allow access from anywhere.
  • Then I created an inbound rule that deny access to server B (all protocols/ports).
  • Then I created an outbound rule that deny access to server B (all protocols/ports).

I have tested that the access is restricted via ping from both servers, and it seemed to work. But then I installed Nmap on server A and scanned server B. My assumption was that Nmap would not be able to scan server B, as the firewall would block it. But Nmap is able to scan open ports of server B. How is that possible?

Windows Server 2008 is installed on both machines.

Nmap Windows 10 OS Detection

Recently I have been practicing penetration testing, and have come up to a standstill when trying to use nmap to detect os for a windows 10 machine. For the most part, it is not able to identify the machine as windows 10, but near guess is windows. I have also tried p0f and xprobe2 without any luck.

What else can I use to successfully detect a windows 10 machine on the network?

*From a blackbox perspective.

Thank you.

Finding how many filtered ports of a host that would be listed as “filtered” on Nmap

I just started working on nmap and was confused by this question. I’m unsure if I understood it correctly, so I appreciate your help with this.

Using Nmap, find how many ports are filtered in testphp.vulnweb.com are displayed as “filtered.”

From my understanding, it was asking me to find filtered ports that would be displayed as filtered. If i want to find how many filtered ports of a host that would be listed as “filtered”, would I use the -sA command for the firewall or is there a way to do that? I’ve tried -d2 but only found ALL filtered ports.

Please let me know if I’m overthinking it or the question should be interpreted differently. Thank you in advance!

Modified NMAP script: variable ‘host’ is not declared

I am modifying an nse script, ssl-cert.nse, which was already made for enumerating ssl certificates. I want to output the host ip and the port number in a line of the ssl certificate output. However, any time I try to make a call to host.ip or port.number, it appears that host and port are undeclared variables. How can I output the current host ip and port number of the detected ssl service. Preferably I could concatenate the host and port number inside of the certificate data output. Below is the area of code I have modified / added to in the ssl-cert.nse script file.

        local out1 = host.ip         local out2 = port.number          output = function(host, port)            out1 = host.targetName           return host.ip         end         output2 = function(host, port)           out2 = port.number           return port.number          end        if nmap.verbosity() > 0 then         lines[#lines + 1] = "Issuer: " .. stringify_name(cert.issuer)       end        if nmap.verbosity() > 0 then          lines[#lines + 1] = "Public Key type: " .. cert.pubkey.type .. " " .. out1 .. ":" .. out2         lines[#lines + 1] = "Public Key bits: " .. cert.pubkey.bits         lines[#lines + 1] = "Signature Algorithm: " .. cert.sig_algorithm       end        lines[#lines + 1] = "Not valid before: " ..       date_to_string(cert.validity.notBefore)       lines[#lines + 1] = "Not valid after:  " ..       date_to_string(cert.validity.notAfter)