LinuxSir.cn, the Linuxsir that travels through time!

A strange problem with nmap

Posted on 2006-8-19 16:18:00
1. Environment:
Host A: Routed-Server
[root@Routed-Server nmap-3.93]# hostname ;uname -r;rpm -qa |grep 'nmap'
Routed-Server
2.4.20-8
nmap-3.93-0.0.rh9.rf

# Hostname, kernel version, and nmap program version;
[root@Routed-Server nmap-3.93]# ifconfig |egrep '(ppp|eth)(0|1)|inet'
eth0      Link encap:Ethernet  HWaddr 000:F8:0F:F5:B3
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:0A:EB:551:72
          inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
          inet addr:127.0.0.1  Mask:255.0.0.0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:219.133.xxx.xxx  P-t-P:219.133.xxx.xxx  Mask:255.255.255.255

# Network connections
# eth0 connects to the ADSL modem, eth1 connects to the LAN;

Host B: rhce
[root@rhce ~]# hostname;uname -r;rpm -qa |grep 'nmap'
rhce.bllgroup.com
2.6.9-5.EL
nmap-3.70-1

# Hostname, kernel version, nmap program version
[root@rhce ~]# ifconfig |egrep 'eth(0|1)|inet '
eth0      Link encap:Ethernet  HWaddr 00:14:85:93:33:97
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:0E:1F:50:E2:8C
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          inet addr:127.0.0.1  Mask:255.0.0.0

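# eth0 is connected to the LAN 192.168.1.0/24, eth1 is connected to the LAN 192.168.2.0/24

2. Problem description

On host B, using nmap against either "LAN" or "external network" addresses works normally: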
[root@rhce ~]# nmap -v www.sina.com.cn

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-08-19 16:11 CST
Initiating SYN Stealth Scan against 218.30.66.101 [1660 ports] at 16:11
Discovered open port 80/tcp on 218.30.66.101
Increasing send delay for 218.30.66.101 from 0 to 5 due to 62 out of 205 dropped probes since last increase.
The SYN Stealth Scan took 81.38s to scan 1660 total ports.
Host 218.30.66.101 appears to be up ... good.
Interesting ports on 218.30.66.101:
(The 1658 ports scanned but not shown below are in state: closed)
PORT    STATE    SERVICE
80/tcp  open     http
445/tcp filtered microsoft-ds

Nmap run completed -- 1 IP address (1 host up) scanned in 81.659 seconds
# WAN address

[root@rhce ~]# nmap 192.168.1.11

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-08-19 16:14 CST
Interesting ports on ftp.bllgroup.com (192.168.1.11):
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
111/tcp  open  rpcbind
882/tcp  open  unknown
1178/tcp open  skkserv
MAC Address: 00:0A:EB:551:72 (Shenzhen Tp-link Technology Co;)

Nmap run completed -- 1 IP address (1 host up) scanned in 0.448 seconds
# LAN address

Then, when running nmap on host A, the problem shows up

[root@Routed-Server nmap-3.93]# ping -c 2 192.168.1.2;nmap 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.362 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.298 ms

--- 192.168.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.298/0.330/0.362/0.032 ms

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-08-19 16:09 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 0.249 seconds

# As you can see, host A can ping the address 192.168.1.2, but cannot nmap it

[root@Routed-Server nmap-3.93]# nmap -v 192.168.1.10;nmap -v 192.168.1.11

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-08-19 16:11 CST
Initiating SYN Stealth Scan against 192.168.1.10 [1668 ports] at 16:11
Discovered open port 22/tcp on 192.168.1.10
Discovered open port 23/tcp on 192.168.1.10
Discovered open port 21/tcp on 192.168.1.10
Discovered open port 111/tcp on 192.168.1.10
Discovered open port 1178/tcp on 192.168.1.10
Discovered open port 882/tcp on 192.168.1.10
The SYN Stealth Scan took 0.24s to scan 1668 total ports.
Host 192.168.1.10 appears to be up ... good.
Interesting ports on 192.168.1.10:
(The 1662 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
111/tcp  open  rpcbind
882/tcp  open  unknown
1178/tcp open  skkserv

Nmap finished: 1 IP address (1 host up) scanned in 1.216 seconds
               Raw packets sent: 1668 (66.7KB) | Rcvd: 3342 (134KB)

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-08-19 16:11 CST
Initiating ARP Ping Scan against 192.168.1.11 [1 port] at 16:11
The ARP Ping Scan took 0.22s to scan 1 total hosts.
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 0.244 seconds
               Raw packets sent: 2 (84B) | Rcvd: 0 (0B)

# It cannot even nmap its own eth1 address; only its eth0 can be scanned with nmap;


*******************************************************
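BTW, I have swapped in several versions of the nmap tool on host A, and all of them show the behaviour above
I would appreciate it if any experienced experts could help me analyze this. Thanks in advance :)
Original poster | Posted on 2006-8-19 16:27:42
Using nmap on host A, it feels as if the probe packets only go out through eth0 (the port connected to the external network), so nmap against LAN addresses fails; but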
[root@Routed-Server nmap-3.93]# nmap -e eth1 192.168.1.2

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-08-19 16:23 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 0.255 seconds
# Specifying the source interface address fails in the same way :(
# No idea why
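An added example, not part of the original thread: the interface list posted for host A shows eth0 and eth1 both holding addresses in 192.168.1.0/24, which is the situation the follow-up post suspects (probes leaving through only one of them). The Python below parses that ifconfig output and lists every interface whose connected network contains a scan target; the function names are made up for this illustration.

```python
import ipaddress
import re

# Interface list of host A as posted above (egrep-filtered ifconfig output;
# HWaddr fields dropped, the ppp0 address is masked in the original post).
HOST_A_IFCONFIG = """\
eth0      Link encap:Ethernet
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet
          inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
          inet addr:127.0.0.1  Mask:255.0.0.0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:219.133.xxx.xxx  P-t-P:219.133.xxx.xxx  Mask:255.255.255.255
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
INET_RE = re.compile(r"inet addr:(\d+(?:\.\d+){3}).*?Mask:(\d+(?:\.\d+){3})")


def parse_ifconfig(text):
    """Return [(iface, IPv4Interface)] from net-tools style ifconfig output."""
    found, current = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.search(line)
        if not m or current is None:
            continue  # masked (xxx) address or a line without an address
        addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        if addr.ip.is_loopback:
            continue  # lo's header line was filtered out by the egrep
        found.append((current, addr))
    return found


def egress_candidates(ifaces, target):
    """Interfaces whose directly connected network contains the target.

    More than one name means the target is on-link via several NICs and
    the routing table, not the cabling, decides where probes leave.
    """
    ip = ipaddress.ip_address(target)
    return [name for name, addr in ifaces if ip in addr.network]


if __name__ == "__main__":
    nics = parse_ifconfig(HOST_A_IFCONFIG)
    print(egress_candidates(nics, "192.168.1.2"))
```

On the host itself, `ip route get 192.168.1.2` shows which of the candidates the kernel actually selects.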

Posted on 2006-8-19 20:33:43
It looks like the scanned machine detected it, so it blocked you..
Try adding the -P0 (zero) parameter
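Posted on 2006-8-20 10:39:04
Post by 终极幻想
It looks like the scanned machine detected it, so it blocked you..
Try adding the -P0 (zero) parameter

Looks that way to me too.
But do be a bit more careful yourself in everyday use.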