
I am trying to learn more about Nmap, but it seems like it can only really give any information if you're actually connected to the network you're scanning on. For example, a friend and I gave each other our public IP addresses to see what we can do with it, but even if you try to scan that IP address it only tells you it's online, it doesn't return open ports or MAC addresses? So is Nmap pretty much useless unless you can get to the internal network?

  • You can scan remote machines, but the results will depend on how exposed that machine is. If only port 443 is exposed, you will only get answers for port 443. – The one who tests Sep 24 '22 at 04:57
  • 1
    Based on your example it looks like you don't just want to scan an arbitrary remote machine but a remote network behind NAT. Does this answer your question? [Scanning private IPs from outside network](/questions/118792), [Scan a computer behind NAT](/questions/140544/), [Nmap scanning computers behind a wireless modem](/questions/65465/), [Kali Linux + How to find information behind NAT](/questions/115859/). – Steffen Ullrich Sep 24 '22 at 05:03
  • Short answer: because you end up scanning the router, which only provides limited information. And MAC addresses would not be discovered anyway. I think your use of nmap would be enhanced with a little more knowledge of TCP/IP networking. – schroeder Sep 24 '22 at 13:34

1 Answer


So is Nmap pretty much useless unless you can get to the internal network?

No, it was super useful! It answered the question of how exposed your system is on the internet. It found nothing, so it looks like you have no open ports. Great news!

it seems like it can only really give any information if you're actually connected to the network you're scanning

Well, if there is nothing but a black void, what do you expect an observer to say? Nmap cannot make bricks without clay. If the remote end does not answer to anything, what do you expect it to tell you? If there is no information to be had, no tool will be able to provide you with information unless it is making it up on the fly.


Did you let Nmap scan on all ports (-p-), UDP and TCP (-sU, -sS), and enable things like OS detection (-O) and service scans (-sV)? One reason why you're getting less information than you expected might be that you did not enable all the options. Note that some may take forever or be harmful to certain systems -- there is a reason not everything is turned on by default. Knowing what to enable in different situations* requires gaining a bit of experience with network scanning in general.

It could also be, but consumer routers typically don't do this, that the remote system detected there was a scan going on and (temporarily) blocked you.

* In your situation, with a regular consumer router and your systems sitting behind a stateful firewall, it is not weird that it sees literally nothing. If it doesn't respond to commonly offered internal services like DNS, NTP, UPnP, SIP, maybe a web management portal TCP port, etc., then you can enable all the options and let it scan for weeks but likely not get any result. You can be happy the systems responded to ping at all; not all routers reveal that they are online. (Personally I find it somewhat security through obscurity to not respond to ping, but that's another discussion.)

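To make the answer's point concrete, here is an added example (not from the original answer or from the Nmap project) that parses Nmap's grepable (-oG) output of an external scan and separates "filtered" (no reply at all, the "black void" of a stateful firewall), "closed" (the host answered, nothing listens) and "open" (actually exposed). The sample output, address and version string are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of nmap "grepable" (-oG) output for an external scan of a
# consumer router. Address, ports and version string are made up for this example.
SAMPLE_OG = (
    "# Nmap scan initiated as: nmap -sS -sU -sV -p- -oG - 203.0.113.10\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 53/filtered/tcp//domain///, "
    "80/closed/tcp//http///, 443/open/tcp//https//vendor web UI (constructed)/, "
    "5060/filtered/udp//sip///\tIgnored State: filtered (65531)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# One -oG port entry has the shape: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(
    r"(\d+)/(open|closed|filtered|open\|filtered|unfiltered)/(tcp|udp)//([^/]*)//([^/]*)/"
)


def parse_grepable(text):
    """Map host -> list of (port, state, proto, service, version) from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        entries = hosts.setdefault(host, [])
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if m:
            for port, state, proto, service, version in PORT_RE.findall(m.group(1)):
                entries.append((int(port), state, proto, service, version))
    return hosts


def exposure_summary(entries):
    """Count port states and list what is actually reachable from the internet.

    filtered: no reply at all, the probe was silently dropped (stateful firewall);
    closed:   the host answered (RST/ICMP), so it is reachable but nothing listens;
    open:     a service accepted the probe and is exposed.
    """
    counts = Counter(state for _, state, _, _, _ in entries)
    exposed = sorted((p, proto, svc) for p, state, proto, svc, _ in entries if state == "open")
    return dict(counts), exposed


if __name__ == "__main__":
    for host, entries in parse_grepable(SAMPLE_OG).items():
        counts, exposed = exposure_summary(entries)
        print(host, counts, "exposed:", exposed or "nothing (only the router answered)")
```

If a real scan shows only "filtered" for every port, that is the router's stateful firewall dropping probes, which is exactly the "nothing exposed" result the answer describes.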
  • Is it possible to get a machine's MAC address that's on another network? What about their local address? For example if I have the public IP can I figure out what their local IP is? – user283176 Sep 24 '22 at 05:37
  • @user283176 Please see my answer here for an overview of how the internet works: https://security.stackexchange.com/questions/1118/can-i-block-based-on-mac-address/18767#18767 – Luc Sep 24 '22 at 07:32