
Weird Nmap Ip Range Scan Issue


ErnestGoesToGitmo


I've been trying to find an empty range for a Sysadmin to use, but every range I scan comes up with IPs that should not be responding. I scanned a class B, and I'm not sure if it even finished, but it showed 3000 hosts as up, when all there should be is the oddball home router on a 172, if that.

I tried scanning X.X.0.0/16 (not literal X) using nmap -sn. Anybody have any idea of something I'm doing wrong (related to this issue :P)?

Thanks!


What is your home gateway IP and what is its subnet mask? Tell me that first, then I can tell you what range to scan. If the mask is truly 255.255.0.0, then yes, a /16 would be correct, but more than likely your home router should be 255.255.255.0 or further subnetted, and the mask would be 172.16.x.0/24, where x is the last octet before the network x.x.x.0. Are you at home, or on a corporate network? If at home, you could even be hitting the ISP's network, although that should not work if you are behind NAT on a router.


What is your home gateway IP and what is its subnet mask? Tell me that first, then I can tell you what range to scan. If the mask is truly 255.255.0.0, then yes, a /16 would be correct, but more than likely your home router should be 255.255.255.0 or further subnetted, and the mask would be 172.16.x.0/24, where x is the last octet before the network x.x.x.0. Are you at home, or on a corporate network? If at home, you could even be hitting the ISP's network, although that should not work if you are behind NAT on a router.

Yeah, sorry, pertinent info... I'm a Net Tech for a college, and I'm trying to find an empty range. My reference to home routers was a professor or someone bringing in a Linksys or such, plugging into the uplink port and throwing out his own IPs inadvertently. If I scan 172.16.0.0/16, it should come up empty, or maybe just a few oddballs, but instead I get upwards of 3000 hosts as up, when we don't distribute anything in that range currently. Baffling to me. I figure I'm doing something wrong in NMAP, or we could have some weird, out of the way setting on some out of the way switch or something that is making the whole thing go stupid. I appreciate your reply.


Do a traceroute between your machine and one of these IP addresses that are responding. Then look at the route the packet is taking, it may give you an idea of what is going on.


10.71.0.0/16 is a HUGE subnet though. It's very possible for there to be that many nodes on one subnet (up to like 65,000 or more), but if you think there shouldn't be, maybe someone has misconfigured the network. I imagine it's doing what it's supposed to though.


Do a traceroute between your machine and one of these IP addresses that are responding. Then look at the route the packet is taking, it may give you an idea of what is going on.

Running a fresh scan to get a recent result to trace to, but when I tried pinging some of these results from a command prompt, they would not respond. Another piece of pertinent info... ;)


10.71.0.0/16 is a HUGE subnet though. It's very possible for there to be that many nodes on one subnet (up to like 65,000 or more), but if you think there shouldn't be, maybe someone has misconfigured the network. I imagine it's doing what it's supposed to though.

Yeah, it takes a while to get the first batch of results. We don't have enough devices to warrant those results. It's possible we have something misconfigured, and finding what could be a real pain. I used the proper command, though, didn't I?


Try "nmap -sC -sV -O -v --open 10.71.0.0/16". Case sensitive on the command switches. You may not have that many routers or switches, but you more than likely have that many hosts, as in clients on the network. You run any kind of wireless? If you do and you are using those subnet masks, you are leaving room for a shit ton of people to connect. If you want to limit the number of people who can connect, start subnetting and setting up VLANs to segment off what people don't need access to. I would gather with some digging, you'll find your network is wide open and probably has numerous flaws, if not already compromised.

By the way, save that output in XML format and open the XML file with a browser to view it more easily.

nmap -sC -sV --open -v -oX scan.xml 10.71.0.0/16

or quick IP scan

nmap -sO --open -oX scan.xml 10.71.0.0/16

If you don't care about info on each device, nmap -sn -oX pingscan.xml 10.71.0.0/16

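The thread's open question is why nmap -sn marks hosts as up that do not answer a plain ping. The XML output digip suggests saving records, for every host, the probe response that produced the "up" verdict and its TTL. The script below is an added example, not from the thread or from nmap itself: it parses that XML and tallies the reasons, so that thousands of "up" hosts sharing one non-echo reason and one TTL stand out as a single device (a firewall or proxy-ARP router) answering for the whole range. The XML is a constructed sample; the 10.71.x.x addresses are placeholders from the thread's range.

```python
"""Summarise why nmap -sn marked each host as up, from its -oX output."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of nmap -oX output (not real scan data): three hosts
# marked up for different reasons, one explicitly down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX pingscan.xml 10.71.0.0/16">
  <host><status state="up" reason="echo-reply" reason_ttl="64"/>
    <address addr="10.71.0.1" addrtype="ipv4"/></host>
  <host><status state="up" reason="reset" reason_ttl="250"/>
    <address addr="10.71.3.4" addrtype="ipv4"/></host>
  <host><status state="up" reason="reset" reason_ttl="250"/>
    <address addr="10.71.3.5" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response" reason_ttl="0"/>
    <address addr="10.71.3.6" addrtype="ipv4"/></host>
</nmaprun>"""

def hosts_up(xml_text):
    """Return [(ip, reason, ttl)] for every host nmap reported as up."""
    root = ET.fromstring(xml_text)
    result = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        result.append((addr.get("addr"), status.get("reason"),
                       int(status.get("reason_ttl", "0"))))
    return result

def reason_summary(xml_text):
    """Count how many 'up' hosts owe that verdict to each (reason, ttl) pair.
    A supposedly empty /16 showing thousands of hosts up with one non-echo
    reason (reset, syn-ack) and one TTL usually means a single device
    (firewall, proxy-ARP router) is answering for the whole range."""
    return Counter((reason, ttl) for _, reason, ttl in hosts_up(xml_text))

def suspicious_hosts(xml_text):
    """Hosts marked up without an ICMP echo reply, i.e. what ping would miss."""
    return [ip for ip, reason, _ in hosts_up(xml_text) if reason != "echo-reply"]
```

The same reason column appears in nmap's normal output when the scan is run with --reason, so a quick look there tells you whether a traceroute to one of these hosts is even worth running.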
