4

When doing a vulnerability assessment on a large network, it seems general practice to determine which hosts on the network are live.

This can be done in various ways. From what I have read it is good to do some ICMP scans, perhaps use a vulnerability scanner that has a discovery component, and perhaps do some TCP/UDP scans to find hosts that don't respond to or block ICMP traffic.

I've run into a problem when doing TCP or UDP scans to determine if a host is alive or not.

Consider a sample network of 1000 hosts. Perhaps 50 will respond to ICMP traffic and can be considered live. Sometimes when doing a TCP/UDP scan, every host will be considered by nmap to be live, even if no ports are detected.

This is by using the -PN switch with nmap, which is necessary as otherwise hosts appear to be down and I do find additional live hosts with tcp ports open this way. It's just that most other hosts are also reported as being live when this isn't the case.

Is there a way to weed out false positives (i.e. hosts that report as up but have no ports open) for live hosts when using TCP or UDP scans?

Sonny Ordell
    Not trying to be pedantic here, but by "false positives" do you mean that Nmap is saying that a host is up when it actually doesn't exist? Or do you mean that ports that are supposed to be closed are returned by Nmap as open? Both could mean different things altogether. – Nasrus Nov 14 '13 at 08:32
  • What kind of TCP scan do you use (how do you run nmap)? – buherator Nov 14 '13 at 15:04
  • @nasrus I was asking about hosts that nmap indicates are alive, when they don't seem to be. The ports thing was a side question, but I realize it should be a separate question. – Sonny Ordell Nov 14 '13 at 15:27
  • @Buherator nmap -PN -sS -T4 targets -oA file --top-ports=100 – Sonny Ordell Nov 14 '13 at 15:33
    @SonnyOrdell -PN causes every host to be treated as up. You can use -PR to ARP scan the local subnet. I suspect there are also some tricky firewalls in place, try -sT and experiment with -sA – buherator Nov 14 '13 at 15:53
  • @buherator I'm not always scanning on a local subnet. I know what PN does, but it is necessary sometimes without PN the host will appear to be down, yet with PN I will find some hosts with some TCP ports open. I'm just trying to find a way to weed out when nmap says almost *every* host is up. – Sonny Ordell Nov 14 '13 at 16:43
  • If you want to find out which IP addresses have a real switched-on machine associated with them, you need to investigate at Layer 2, which is the OSI layer where those associations actually take place. If you don't know this, you are not qualified to be doing a security assessment. – ruief Nov 15 '13 at 13:03
  • @ruief Cheers for the unhelpful comment. It isn't relevant when doing an external assessment over the internet though. If you don't understand why that is, you have some reading to do. – Sonny Ordell Nov 15 '13 at 15:29

5 Answers

3

You can use the flag -PE, which performs an ICMP echo, as an example:

nmap -sn -n -PE 192.168.1.1-255

or for a cleaner result

nmap -sn -n -PE 192.168.1.1-255 | grep report | cut -d" " -f5

bofall
1

This situation continues even after some time asked. I've been going through this for some time now and have to turn on debugging on the scans (pressing d repeatedly for the desired level and D to decrease to the desired level) to level three to see what is happening behind the scenes.

You can get port 21, 22, 80, 8080 when none of these are up on the hosts.

As per the nmap book, you have to use methods that make your scans stealthier.

Following on https://nmap.org/book/firewall-subversion.html and the articles before and after it on the nmap site gives you an idea of the techniques available for use.

From the list on the nmap site I have used the following with good results:

--randomize-hosts

--scan-delay 1075ms

--source-port 53

These are not bullet-proof though since some better firewalls/IPS caught them and started giving open ports just like the others.

I've tested SYN scan on specific hosts -PS80,443,3389 and those get flagged quickly. I've also done the ACK scan on specific hosts such as -PA80 and again, it gets flagged quickly as well. I had some luck with UDP-specific scans such as -PU53 or -PU161.

What worked well but would require a lot of time, is to lower your scan timing. You can either do that manually using minrtt or maxrtt, etc. or you choose -T1 or if you have some days' time you can use -T0.

Also what works well is dividing your scan target into fewer hosts, like five or ten hosts per scan.

Conclusion, try

nmap -sn -T0 -PU53 --scan-delay 1075ms --source-port 53 10.10.10.1-3
nassim
1

How do you weed out false positives on a non-local network in nmap? Ports. If the target has ports up, it's live. If not, it's unknown.

ARP scans are best for weeding out false positives, and you might need a pivot point on the non-local network to do the scans to take advantage of that.

Otherwise, if possible, you might need to perform a packet capture to see if the hosts are generating traffic. But, it has to be the right situation for this to work.

schroeder
  • ARP is the way to go. The machines on the subnet you're ARP scanning have to respond to you. They have no choice – k to the z Nov 14 '13 at 20:42
  • ARP is not useful across the internet. Checking for ports doesn't answer my question. I need nmap to report on hosts up, without saying EVERY host is up. – Sonny Ordell Nov 15 '13 at 03:24
  • @SonnyOrdell It might not be the answer you want, but this is the answer that is available. Run ARP on the non-local network using a pivot point, check for ports, and run a packet capture. As soon as you run -PN, you have to take what comes. – schroeder Nov 16 '13 at 20:48
  • For the types of assessments I'm doing ARP is simply irrelevant, and not an option. I'm going to go with what you said in the first part of your answer, and only consider hosts with ports as up. – Sonny Ordell Nov 17 '13 at 02:36
0

What I typically do for this depends on the time I have for the scan. If I'm looking for relatively fast discovery beyond basic nmap (ICMP + port 80 ACK) I do a discovery scan with a list of common TCP ports something like

nmap -sP -PS21,22,23,53,80,443,500,3389 [input range]

If I've got a bit more time, I'll add in a no ping scan for the top-1000 ports and only mark ones as up if they have at least one port open.

Lastly, if I have a lot of time and the ranges aren't too huge I'll try a 65k TCP scan with no ping. This can take a really long time to complete so only do it if you need to be sure you've got everything; also I'd recommend making use of nmap's timing flags to speed up the process (e.g. --max-rtt-timeout, --max-retries, --max-scan-delay).

Rory McCune
  • How do you easily show the hosts with at least one port open from a no ping scan, since every host even those with no ports open is marked as up? – Sonny Ordell Dec 17 '13 at 09:21
  • I use a ruby script (https://github.com/raesene/TestingScripts/blob/master/nmapautoanalyzer.rb) which sorts out hosts with open ports from ones without open ports – Rory McCune Dec 17 '13 at 19:19
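As an added example (not code from the thread, and not Rory's script), here is a small Python filter that applies the rule the two answers above settle on, namely count a host as live only if it has at least one open port, to nmap's XML output (-oX, or the .xml file that -oA writes); the sample scan output is constructed, and the hosts and ports in it are made up.

```python
# Added example (not from the thread): filter nmap XML output (-oX, or the
# .xml file -oA writes) so a -Pn scan only lists hosts with >= 1 open port.
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -Pn -sS -oX -` output, trimmed to the elements
# used here: 10.0.0.1 has an open port, 10.0.0.2 is "up" only because of -Pn
# (reason="user-set") with nothing open, 10.0.0.3 only has a filtered port.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up" reason="syn-ack"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
    </ports></host>
  <host><status state="up" reason="user-set"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/></port>
    </ports></host>
  <host><status state="up" reason="user-set"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/></port>
    </ports></host>
</nmaprun>
"""


def hosts_with_open_ports(xml_text):
    """Return {ip: [open ports]} for hosts with at least one open port.

    Only state="open" counts: closed, filtered and open|filtered (UDP) are
    ignored, so hosts that -Pn forced to "up" (reason="user-set") drop out.
    """
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = sorted(
            int(p.get("portid"))
            for p in host.iter("port")
            if p.find("state").get("state") == "open"
        )
        if open_ports:  # a host with no open port is not counted as live
            result[ip] = open_ports
    return result


if __name__ == "__main__":
    for ip, ports in hosts_with_open_ports(SAMPLE_XML).items():
        print(ip, ports)  # prints: 10.0.0.1 [22]
```

On real output, pass the contents of the .xml file from -oA to hosts_with_open_ports; the status reason attribute lets you confirm which "up" verdicts came from -Pn rather than from a reply.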
-3

You are definitely looking for the following nmap flags --

-T1 -n -Pn --open --version-intensity 0 -sUSV -p-

This is not how I run nmap (as it is too slow and not very verbose), but it solves the problem you are asking about best. Perhaps you should try asking better questions and using your tool(s) more efficiently. Check for some of my other questions and answers in this forum.

atdre