Why does NMAP report â??Host seems downâ? despite host responding to ping?

android-eve · 11-15-2011, 10:20 AM

I am trying to test a new CentOS 6 server on my tiny LAN. From another Linux (Ubuntu 10.04) host I type:

Code:

androideve@ubunbtu10:~$ nmap 192.168.1.3

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-15 09:31 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.04 seconds

This is despite the fact that if I ping it manually, there isn't any problem:

Code:

androideve@ubunbtu10:~$ ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.161 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.138 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.147 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.131 ms

Why is this happening? How to fix this?

fukawi1 · 11-16-2011, 02:58 AM

Did you try using -PN?

Quote:

HOST DISCOVERY:
-PN: Treat all hosts as online -- skip host discovery

Code:

man nmap

android-eve · 11-16-2011, 08:29 AM

Quote:

Originally Posted by fukawi1

Did you try using -PN?

Thanks for this tip. I just tried it and NMAP responds that all "All 1000 scanned ports on 192.168.1.3 are filtered"

Code:

androideve@ubuntu10:~$ nmap -PN 192.168.1.3

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-16 09:20 EST
All 1000 scanned ports on 192.168.1.3 are filtered

Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds

I understand that this has to do with the firewall on the remote (scanned) host, but the main reason I am trying to use NMAP is to see which ports on the remote host are open and whether it is at all ping-able.

Well, I can ping it using 'ping' but not using NMAP. I find this very confusing.

Furthermore, the iptables firewall on the remote host has SSH checked as a Trusted Service ("accessible from all hosts and networks"). Why didn't NMAP detect this?

UPDATE: It turns out that when I last scanned the CentOS 6 remote host, it was in sleep mode. When I woke it up and tried NMAP again, I received:

Code:

android-eve@ubuntu10:~$ nmap -PN 192.168.1.3

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-16 11:11 EST
Interesting ports on 192.168.1.3:
Not shown: 999 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh

Nmap done: 1 IP address (1 host up) scanned in 4.97 seconds

So, at least I see some consistency between the firewall setting and what NMAP reports.

I am still confused by NMAP not reporting a perfectly ping-able host. If I were to rely on NMAP for verifying that my host is 100% stealthed, it would have mislead me.

What am I missing about the correct usage of NMAP?

lleb · 11-16-2011, 11:45 AM

that tells you the port 22 is closed and not open. it all depends on how the firewall is configured on the other end. you can also use nmap -P0 to get past the "ping issue"

for just testing a specific port nmap -p<port number here> IP will be much faster then just nmap -PN or -PO

fukawi1 · 11-17-2011, 12:53 AM

In my experience, and I am not a nmap guru by any means.
Filtered ports mean the firewall is rejecting packets

Closed ports, mean the firewall is dropping packets.

android-eve · 11-21-2011, 02:35 PM

Quote:

Originally Posted by fukawi1

Filtered ports mean the firewall is rejecting packets

Closed ports, mean the firewall is dropping packets.

It's actually the opposite.