nmap - strange scan results

Post by johnpolla on Sat Jul 09, 2011 12:54 pm

Hi all, I'm currently doing some experiments with nmap in a Backtrack 5 VM environment. I am currently at a cafeteria and I'm connected to the (open :S) network at the shop with my Windows machine. In the BT VM I'm trying to scan my Windows machine (with another network adapter), but I'm getting unexpected results:


nmap -A Aggressive -sS -O 10.236.xxx.xxx

Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-09 12:11 CDT
Nmap scan report for Aggressive (67.215.xxx.xxx)
Host is up (0.17s latency).
rDNS record for 67.215.xxx.xxx: hit-nxdomain.opendns.com
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.19
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9, Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 14.97 ms hit-nxdomain.opendns.com (67.215.xxx.xxx)


10.236.xxx.xxx is my Windows machine, but another machine in the network (67.215.xxx.xxx) is currently replying to my nmap scan... could you help me understand why?

thank you in advance,

Marco
johnpolla
New User
Posts: 2
Joined: Sat Jul 09, 2011 12:48 pm


Re: nmap - strange scan results

Post by Rijnzael on Sun Jul 10, 2011 12:21 am

You use OpenDNS as your nameserver, and when nmap tries to get the PTR record for xxx.xxx.236.10.in-addr.arpa (the FQDN of IP addresses when attempting to get an A or CNAME record pointer to them), OpenDNS responds with the name hit-nxdomain.opendns.com as the A record corresponding to 10.236.xxx.xxx. The actual IP address which corresponds to hit-nxdomain.opendns.com is 67.215.65.132, which nmap resolves to provide you the most information possible.

Change your nameservers to 4.2.2.2 and 4.2.2.1 and you'll get the correct results (you'll get a blackhole response, since 10.x.x.x is a private network address and isn't WAN-routable).

Before you continue learning about nmap, I'd recommend learning about IP addressing and how DNS resolution works, since you seem to think you need to hide your 10.x.x.x address.
Rijnzael
Poster
Posts: 164
Joined: Sun Apr 13, 2008 10:12 am
Location: 128.0.0.0/8
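Added example, not code from the thread or from nmap: the scan output above reports the stray word `Aggressive` as a target that came back as 67.215.xxx.xxx, and the reply explains that the resolver rewrites NXDOMAIN to hit-nxdomain.opendns.com. This Python script vets scan targets the way a practitioner would before trusting such output: it sends a canary query that can never resolve to detect NXDOMAIN rewriting, forward-confirms any reverse-DNS name, and flags a private address that comes back with a public identity. The resolver callables, the zone contents and the name win-laptop.lan are constructed stand-ins; 67.215.65.132 and hit-nxdomain.opendns.com are the values quoted in the reply.

```python
import ipaddress
import secrets
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]  # query name -> one answer, None on NXDOMAIN

def nxdomain_canary(resolve_a: Resolver) -> Optional[str]:
    """Ask for a label that cannot exist; any answer means the resolver rewrites NXDOMAIN."""
    bogus = f"{secrets.token_hex(8)}.example.invalid"  # constructed, never registrable
    return resolve_a(bogus)

def vet_target(target: str, resolve_a: Resolver, resolve_ptr: Resolver) -> dict:
    """Work out what a scanner would really hit for `target` and collect red flags."""
    result = {"target": target, "address": None, "rdns": None, "flags": []}
    hijack_ip = nxdomain_canary(resolve_a)
    if hijack_ip:
        result["flags"].append(f"resolver rewrites NXDOMAIN to {hijack_ip}")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Not an address, so the scanner resolves it and scans whatever comes back.
        addr = resolve_a(target)
        result["address"] = addr
        if addr is None:
            result["flags"].append("hostname does not resolve; scanner would skip it")
        elif addr == hijack_ip:
            result["flags"].append("resolves to the NXDOMAIN redirect host, not a real host")
        return result
    result["address"] = str(ip)
    name = resolve_ptr(ip.reverse_pointer)  # e.g. 20.1.236.10.in-addr.arpa
    result["rdns"] = name
    if name:
        forward = resolve_a(name)  # forward-confirm the reverse record
        if forward != str(ip):
            result["flags"].append(f"rDNS name {name} forward-resolves to {forward}, not {ip}")
        if ip.is_private and forward and ipaddress.ip_address(forward).is_global:
            result["flags"].append("private address handed a public rDNS identity")
    return result

# Constructed stand-ins for the behaviour described in the thread: the rewriting resolver
# answers every unknown name, including the reverse-zone name of a 10/8 address, with the
# redirect host; the honest one returns NXDOMAIN and knows the LAN's own reverse zone.
REDIRECT_NAME, REDIRECT_IP = "hit-nxdomain.opendns.com", "67.215.65.132"
ZONE = {REDIRECT_NAME: REDIRECT_IP, "win-laptop.lan": "10.236.1.20"}  # constructed
PTR_ZONE = {"20.1.236.10.in-addr.arpa": "win-laptop.lan"}             # constructed

def hijacking_a(name): return ZONE.get(name, REDIRECT_IP)   # NXDOMAIN rewritten to an A
def hijacking_ptr(name): return REDIRECT_NAME               # no PTR for 10/8 on public DNS
def honest_a(name): return ZONE.get(name)                    # None means NXDOMAIN
def honest_ptr(name): return PTR_ZONE.get(name)
```

Calling `vet_target("Aggressive", hijacking_a, hijacking_ptr)` reproduces the thread's situation: the bogus hostname comes back as 67.215.65.132 with the redirect flag set, while the same call through `honest_a`/`honest_ptr` reports that the name does not resolve.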


Re: nmap - strange scan results

Post by johnpolla on Sun Jul 10, 2011 12:17 pm

Rijnzael wrote: You use OpenDNS as your nameserver, and when nmap tries to get the PTR record for xxx.xxx.236.10.in-addr.arpa (the FQDN of IP addresses when attempting to get an A or CNAME record pointer to them), OpenDNS responds with the name hit-nxdomain.opendns.com as the A record corresponding to 10.236.xxx.xxx. The actual IP address which corresponds to hit-nxdomain.opendns.com is 67.215.65.132, which nmap resolves to provide you the most information possible.

Change your nameservers to 4.2.2.2 and 4.2.2.1 and you'll get the correct results (you'll get a blackhole response, since 10.x.x.x is a private network address and isn't WAN-routable).

Before you continue learning about nmap, I'd recommend learning about IP addressing and how DNS resolution works, since you seem to think you need to hide your 10.x.x.x address.


Hi Rijnzael, thank you for your answer. I just tried to change my resolv.conf to point to another DNS server as you suggested, but I get the same results: I can't scan my Windows machine. Another hint: trying a netdiscover scan of the 10.0.0.1/8 network I am connected to (I know it's huge!), all the scanned IPs, connected or not, have the same MAC address, which is the MAC address of the router/firewall. If I directly scan an IP range that contains my Windows machine's IP, it still returns the MAC address of the router/firewall. I'm a little confused about this configuration... Furthermore, the DHCP address pool is very strange (IPs are apparently assigned with no logic; at this moment there are 6 assigned IPs like 10.207.2.123, 10.244.56.8, 10.108.247.6 and so on). How do you think this network is configured? Technically, how is it possible to inhibit communication between hosts on the same network? Thanks a lot, Marco
johnpolla
New User
Posts: 2
Joined: Sat Jul 09, 2011 12:48 pm
