ErnestGoesToGitmo, Posted May 23, 2012

I've been trying to find an empty range for a Sysadmin to use, but every range I scan comes up with IPs that should not be responding. I scanned a class B, and I'm not sure if it even finished, but it showed 3000 hosts as up, when all there should be is the oddball home router on a 172, if that. I tried scanning X.X.0.0/16 (not literal X) using nmap -sn. Anybody have any idea of something I'm doing wrong (related to this issue :P)? Thanks!
digip, Posted May 23, 2012

What is your home gateway IP and what is its subnet mask? Tell me that first, then I can tell you what range to scan. If the mask is truly 255.255.0.0, then yes, a /16 would be correct, but more than likely your home router should be 255.255.255.0 or further subnetted, and the mask would be 172.16.x.0/24, where x is the last octet before the network x.x.x.0. Are you at home, or on a corporate network? If at home, you could even be hitting the ISP's network, although that should not work if you are behind NAT on a router.

Edited May 23, 2012 by digip
ErnestGoesToGitmo, Posted May 23, 2012

> What is your home gateway IP and what is its subnet mask? Tell me that first, then I can tell you what range to scan. If the mask is truly 255.255.0.0, then yes, a /16 would be correct, but more than likely your home router should be 255.255.255.0 or further subnetted, and the mask would be 172.16.x.0/24, where x is the last octet before the network x.x.x.0. Are you at home, or on a corporate network? If at home, you could even be hitting the ISP's network, although that should not work if you are behind NAT on a router.

Yeah, sorry, pertinent info... I'm a Net Tech for a college, and I'm trying to find an empty range. My reference to home routers was a professor or someone bringing in a Linksys or such, plugging into the uplink port and throwing out his own IPs inadvertently. If I scan 172.16.0.0/16, it should come up empty, or maybe just a few oddballs, but instead I get upwards of 3000 hosts as up, when we don't distribute anything in that range currently. Baffling to me. I figure I'm doing something wrong in Nmap, or we could have some weird, out-of-the-way setting on some out-of-the-way switch or something that is making the whole thing go stupid. I appreciate your reply.
bobbyb1980, Posted May 23, 2012

Paste here exactly what type of scan you're trying to do.
Jason Cooper, Posted May 23, 2012

Do a traceroute between your machine and one of these IP addresses that are responding. Then look at the route the packet is taking; it may give you an idea of what is going on.
ErnestGoesToGitmo, Posted May 23, 2012

> Paste here exactly what type of scan you're trying to do.

nmap -sn 10.71.0.0/16
digip, Posted May 23, 2012

10.71.0.0/16 is a HUGE subnet though. It's very possible for there to be that many nodes on one subnet (up to like 65,000 or more), but if you think there shouldn't be, maybe someone has misconfigured the network. I imagine it's doing what it's supposed to though.

Edited May 23, 2012 by digip
ErnestGoesToGitmo, Posted May 23, 2012

> Do a traceroute between your machine and one of these IP addresses that are responding. Then look at the route the packet is taking; it may give you an idea of what is going on.

Running a fresh scan to get a recent result to trace to, but when I tried pinging some of these results from a command prompt, they would not respond. Another piece of pertinent info... ;)
ErnestGoesToGitmo, Posted May 23, 2012

> 10.71.0.0/16 is a HUGE subnet though. It's very possible for there to be that many nodes on one subnet (up to like 65,000 or more), but if you think there shouldn't be, maybe someone has misconfigured the network. I imagine it's doing what it's supposed to though.

Yeah, it takes a while to get the first batch of results. We don't have enough devices to warrant those results. It's possible we have something misconfigured, and finding what could be a real pain. I used the proper command, though, didn't I?
digip, Posted May 23, 2012

Try "nmap -sC -sV -O -v --open 10.71.0.0/16". Case sensitive on the command switches. You may not have that many routers or switches, but you more than likely have that many hosts, as in clients on the network. You run any kind of wireless? If you do and you are using those subnet masks, you are leaving room for a shit ton of people to connect. If you want to limit the number of people who can connect, start subnetting and setting up VLANs to segment off what people don't need access to. I would gather with some digging you'll find your network is wide open and probably has numerous flaws, if not already compromised.

By the way, save that output in XML format, then open the XML file with a browser to view it more easily.

nmap -sC -sV --open -v -oX scan.xml 10.71.0.0/16

or quick IP scan

nmap -sO --open -oX scan.xml 10.71.0.0/16

If you don't care about info on each device,

nmap -sn -oX pingscan.xml 10.71.0.0/16

Edited May 23, 2012 by digip
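The thread turns on two facts: nmap -sn marks a host "up" on any reply (ICMP echo, ICMP timestamp, TCP SYN/ACK or RST to the probes it sends, or an ARP reply on the local segment), and the OP's "up" hosts do not answer a plain ping. Nmap records which reply it got in the XML status element (reason and reason_ttl), so the -oX file digip recommends can be summarised by reason to see whether the addresses themselves answered or whether one device in the path (a firewall or router sending RSTs for unused space) answered for thousands of them. The script below is an added example written for this thread, not code from any poster; the nmap XML shape it parses (host/status/address) is real, but the SAMPLE_XML addresses, TTLs and counts are constructed, and the 50% threshold in suspicious_groups is an arbitrary heuristic chosen here.

```python
"""Summarise an `nmap -sn -oX` host-discovery report by the reply that marked each host up.

Added example for the thread above.  The XML below is a constructed sample in the
shape nmap emits for a ping scan; it is not output from the poster's network.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of nmap -oX output.  Addresses, TTLs and counts are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX pingscan.xml 10.71.0.0/16" start="0" version="6.01">
<host><status state="up" reason="echo-reply" reason_ttl="64"/><address addr="10.71.0.1" addrtype="ipv4"/></host>
<host><status state="up" reason="arp-response" reason_ttl="0"/><address addr="10.71.0.25" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/></host>
<host><status state="up" reason="reset" reason_ttl="250"/><address addr="10.71.3.10" addrtype="ipv4"/></host>
<host><status state="up" reason="reset" reason_ttl="250"/><address addr="10.71.3.11" addrtype="ipv4"/></host>
<host><status state="up" reason="reset" reason_ttl="250"/><address addr="10.71.7.200" addrtype="ipv4"/></host>
<host><status state="up" reason="reset" reason_ttl="250"/><address addr="10.71.9.4" addrtype="ipv4"/></host>
<host><status state="down" reason="no-response" reason_ttl="0"/><address addr="10.71.0.2" addrtype="ipv4"/></host>
<runstats><finished time="0" elapsed="0.5"/><hosts up="6" down="1" total="7"/></runstats>
</nmaprun>
"""

# Reasons that mean the address itself answered, rather than something in the path.
DIRECT_REASONS = {"echo-reply", "arp-response", "timestamp-reply"}


def parse_up_hosts(xml_text):
    """Return [(ip, reason, reason_ttl), ...] for every host nmap marked 'up'."""
    root = ET.fromstring(xml_text)
    up = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue
        up.append((ip, status.get("reason", "unknown"), int(status.get("reason_ttl", "0"))))
    return up


def summarise(up_hosts):
    """Count 'up' hosts by (reason, reason_ttl) so one device answering for many addresses stands out."""
    return dict(Counter((reason, ttl) for _, reason, ttl in up_hosts))


def suspicious_groups(up_hosts, min_share=0.5):
    """Return [(reason, ttl, count)] for indirect reply groups covering >= min_share of 'up' hosts.

    Thousands of addresses marked up by the same TCP RST with an identical TTL usually means a
    firewall or router is replying on behalf of unused space, which is also why plain ping gets
    nothing back from them.  min_share is an arbitrary threshold chosen for this example.
    """
    total = len(up_hosts)
    if total == 0:
        return []
    return [(reason, ttl, n) for (reason, ttl), n in summarise(up_hosts).items()
            if reason not in DIRECT_REASONS and n / total >= min_share]


def report(xml_text):
    """Human-readable summary; the caller decides what to do with flagged groups."""
    up = parse_up_hosts(xml_text)
    lines = [f"{len(up)} hosts marked up"]
    for (reason, ttl), n in sorted(summarise(up).items(), key=lambda kv: -kv[1]):
        lines.append(f"  {n:5d}  reason={reason:<14} reason_ttl={ttl}")
    for reason, ttl, n in suspicious_groups(up):
        lines.append(f"likely proxy answer: {n} hosts share reason={reason} ttl={ttl}; "
                     "confirm with a traceroute to one of them before treating the range as used")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_XML))
```

Run it against a real file with `report(open("pingscan.xml").read())`. If most of the "up" hosts land in one reset or syn-ack group with a single TTL, Jason Cooper's traceroute to one of those addresses should show where that reply is really coming from, and the range may well be as empty as the OP expects; an echo-reply or arp-response group, by contrast, is a host that really is there.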