I have some trouble advancing in the HTB-academy. Sometimes when I spawn a machine I get IP’s with a port like 32686. Since the machine seems to run on that port I don’t really know how to do a nmap scan. I tried scanning every port with just the IP and scanning the port that is given to me. In both cases I get
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.31 seconds
What @xtal said is 100% correct. I’ll elaborate a bit though.
In order to understand this behavior you have to understand all parts that influence this.
Firewall configuration of the machine.
As you may know, a firewall can be configured to block certain types of packets. You can set a block on only tcp, only udp, both, icmp, …
It’s perfectly possible for us to allow, for example, an SSH TCP connection on port 22, but to block all UDP traffic.
Nmap’s host detection mechanism.
The reason that nmap suggests that you use the -Pn (No Ping) flag is because it sent an ICMP ping request to the host you specified, and the packet never returned (e.g.: the host is not up, or is blocking or dropping ICMP packets).
If you do not specify -Pn, nmap will first try to ping the host, and only IF it is up, it will proceed to scan for the specified ports. This is to save time when scanning large subnets.
Let’s say you scan a /16 subnet and only 10 hosts are online: nmap will try to ping all 65536 hosts in the subnet, and it will only perform service detection (or other scans) on the hosts that returned the ping.
Because your host is not responding to a ping, nmap suggests that if you are certain it is up, you can skip the host ping-check by specifying the -Pn flag.
One example to scan every port on the host you would be targeting, regardless of ping responses, would be:
nmap -sS -sV -Pn [host-ip] -p 1-65535
This means:
Perform a SYN Scan (-sS)
Do Version detection (-sV)
Regardless of Ping responses (-Pn)
On ports 1-65535 (-p 1-65535)
It can happen if you scan a router, but it doesn’t necessarily happen in all situations.
For example, here is an nmap scan (all TCP ports, default scripts scan, version identification) of a router which connects the LAN to the ISP network, done from a box inside the LAN.
root@Box3:~# nmap -p- -sC -sV 192.168.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-01 09:16 CEST
Nmap scan report for 192.168.0.1
Host is up (0.0036s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.78
| dns-nsid:
|_ bind.version: dnsmasq-2.78
80/tcp open http NET-DK httpd 1.0 (Compal CH7465LG-ZG cable modem)
| http-title: Site doesn't have a title (text/html).
|_Requested resource was ../common_page/login.html
|_http-trane-info: Problem with XML parsing of /evox/about
5000/tcp open upnp MiniUPnP 1.9 (Compal Broadband Networks; UPnP 1.1)
Service Info: OS: Linux 2.6.39.3; Device: broadband router; CPE: cpe:/h:compal:ch7465lg-zg, cpe:/o:linux:linux_kernel:2.6.39.3
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 402.93 seconds
In this case the nmap scan shows useful and correct information about the router.
The nmap scan identifies that the device is a router “Compal CH7465LG-ZG cable modem” and “Device: broadband router”.
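To tie the two answers together, here is an added Python helper (not from this thread and not part of nmap) that builds the scan argv from an HTB-style "ip" or "ip:port" target, recognises the "Host seems down" note so a retry can add -Pn, and pulls the open-port rows out of the normal nmap output quoted above. The sample outputs are copied from the two scans in the thread; any 10.129.x.x target used with it is a constructed placeholder.

```python
import re

# Sample outputs, copied from the two scans quoted in this thread.
HOST_DOWN_OUTPUT = """\
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.31 seconds
"""
ROUTER_OUTPUT = """\
Nmap scan report for 192.168.0.1
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.78
80/tcp open http NET-DK httpd 1.0 (Compal CH7465LG-ZG cable modem)
5000/tcp open upnp MiniUPnP 1.9 (Compal Broadband Networks; UPnP 1.1)
Nmap done: 1 IP address (1 host up) scanned in 402.93 seconds
"""
# port/proto  state  service  version (nmap's normal-output port table)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def build_nmap_argv(target, skip_ping=False, all_ports=False):
    """Build the argv for a SYN + version scan of an HTB-style 'ip' or 'ip:port' target."""
    host, _, port = target.partition(":")
    argv = ["nmap", "-sS", "-sV"]
    if skip_ping:
        argv.append("-Pn")  # skip host discovery; the host is known to be up
    # With a port in the target, scan only that port unless the full range is requested.
    argv += ["-p", "1-65535" if all_ports or not port else port]
    argv.append(host)
    return argv


def needs_pn(output):
    """True when nmap stopped at host discovery instead of scanning ports."""
    return "Host seems down" in output and "0 hosts up" in output


def plan_rescan(target, first_output):
    """Return the argv for a retry with -Pn, or None when the first scan reached the ports."""
    return build_nmap_argv(target, skip_ping=True) if needs_pn(first_output) else None


def parse_open_ports(output):
    """Extract the open-port rows (port, proto, service, version) from normal nmap output."""
    rows = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            port, proto, _, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto,
                         "service": service, "version": version})
    return rows
```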