
NMAP Output


Hello. Can anyone explain what this means when running an NMAP scan on an IP range?

Host 192.168.5.0 seems to be a subnet broadcast address (returned 18 extra pings). Note -- the actual IP also responded.

I can grasp that 192.168.5.1 etc is a device. But what is .0 and what is "return 18 extra pings"?

Thank you. cee
Asked by: ceeweb

ahoffmann Commented:
192.168.5.0 is a network, not a host IP;
192.168.5.1 is the first host IP in that network

> returned 18 extra pings
nmap detected in that network at least 18 unique host IPs
 
ceeweb (Author) Commented:

Hello ahoffmann, I understand that .1 is a host. I'm curious at the output, it's not an important problem. Just trying to learn.

The output was from 0-10, i.e. scanning 10 hosts, and there are around 80-odd hosts on the network. I'm still confused what 18 extra pings means?

thank you. cee
 
ahoffmann Commented:
I guess you used nmap's -sS or -sT option; then your network, in particular the routers, is configured to return "ICMP host unreachable" for unknown IPs. If you care about the "extra pings" then try with option -PI
macker- Commented:
The first and last IP of a subnet are reserved.  The first IP is the network address and the last IP is the broadcast address.  On many networks, the network address will also act as a broadcast address.

If you have a typical "class C", or /24, network (denoted by netmask 255.255.255.0) then the first IP will be .0 (network address), first usable IP will be .1, and last IP will be .255 (broadcast address).

When you send packets, e.g. pings, to a broadcast address, it will be received by all the hosts on the subnet, and they will all respond.

nmap is reporting that when it sent the ping packet to .0, it received more than one reply... 18 more replies than it expected.  If it had only received one reply, even if it's from a different IP than it pinged, it would still be one request, one reply.  Since there are 18 extra replies, it's telling you that, and indicating that it may be a broadcast address.  At least one host did also respond to the IP of .0, hence the "Note -- the actual IP also responded."

Individual systems may choose to ignore broadcast packets, and as such, pinging a broadcast address is not a reliable method of finding all systems... but it can be useful.
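Added example, not part of any post in this thread: the reply-counting logic macker- describes, applied to constructed echo-reply records so it runs offline. The function names, the record format and the "unique replies minus one" rule are assumptions made for illustration, not nmap's own code; the /26 check in the usage goes beyond the /24 case discussed to show that the reserved addresses depend on the netmask.

```python
import ipaddress
from collections import defaultdict

def reserved_role(net, addr):
    """Name the role an address plays inside its subnet."""
    if addr == net.network_address:
        return "network address"
    if addr == net.broadcast_address:
        return "broadcast address"
    return "host"

def summarize(cidr, replies):
    """replies: iterable of (probed_target, reply_source) strings.
    One echo request should draw one reply; every additional unique
    responder counts as an 'extra ping'."""
    net = ipaddress.ip_network(cidr)
    by_target = defaultdict(set)            # a set ignores retransmitted replies
    for target, source in replies:
        by_target[ipaddress.ip_address(target)].add(ipaddress.ip_address(source))
    report = {}
    for target, sources in by_target.items():
        extra = len(sources) - 1
        report[str(target)] = {
            "role": reserved_role(net, target),
            "extra_replies": extra,
            "actual_ip_responded": target in sources,
            "looks_like_broadcast": extra > 0,
        }
    return report

# Constructed sample data (not captured traffic): .0 is answered by itself
# and by 18 other hosts, .1 by itself (twice), .255 by 12 hosts.
SAMPLE = [("192.168.5.0", "192.168.5.0")]
SAMPLE += [("192.168.5.0", f"192.168.5.{h}") for h in range(1, 19)]
SAMPLE += [("192.168.5.1", "192.168.5.1")] * 2
SAMPLE += [("192.168.5.255", f"192.168.5.{h}") for h in range(1, 13)]

if __name__ == "__main__":
    for target, info in summarize("192.168.5.0/24", SAMPLE).items():
        print(target, info)
    # With a /26 mask the broadcast address is .63, not .255.
    net26 = ipaddress.ip_network("192.168.5.0/26")
    print(reserved_role(net26, ipaddress.ip_address("192.168.5.63")))
```

Hosts that show up as extra responders are the ones answering broadcast echo requests, which is the behaviour to switch off if such replies are not wanted on the subnet.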
 
richmoore44 Commented:
It is worth noting that you'll only get this message if you are allowing nmap to ping servers to see if they are available before it runs the scan. You often find that machines do not have ping enabled, so you get better results if you use -P0 to disable the ping. This will have the side effect of stopping the message you refer to.

 
macker- Commented:
Disabling ping will also prevent O/S fingerprinting from working, and may result in waiting for results from a non-existent host.  Everything has a caveat. :)