Trouble doing Nmap scans

Hello everyone

I have some trouble advancing in the HTB-academy. Sometimes when I spawn a machine I get IPs with a port like 32686. Since the machine seems to run on that port I don’t really know how to do an nmap scan. I tried scanning every port with just the IP and scanning the port that is given to me. In both cases I get

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.31 seconds

I don’t really know what to do now

Hello GFTA1408.

The tool nmap is typically used to find open ports on a machine. (nmap can also be used to find machines and identify services.)

If you have an IP number and a port number you don’t need to run nmap for port scanning. You know the port, you don’t need to search for an open port.

You can use nmap to identify the service behind the port.

Best regards

What @xtal said is 100% correct. I’ll elaborate a bit though.

In order to understand this behavior you have to understand all parts that influence this.

  1. Firewall configuration of the machine.
    As you may know, a firewall can be configured to block certain types of packets. You can set a block on only tcp, only udp, both, icmp, …
    It’s perfectly possible for us to allow (for example), an SSH TCP connection on port 22, but to block all UDP traffic.

  2. Nmap’s host detection mechanism.
    The reason that nmap suggests that you use the -Pn (No Ping) flag is that it sent an ICMP ping request to the host you specified, and the packet never returned (e.g. the host is not up, or it is blocking or dropping ICMP packets).
    If you do not specify -Pn, nmap will first try to ping the host, and only IF it is up, it will proceed to scan for the specified ports. This is to save time when scanning large subnets.

Let’s say you scan a /16 subnet and only 10 hosts are online: nmap will try to ping all 65536 hosts in the subnet, and it will only perform service detection (or other scans) on the hosts that returned the ping.

Because your host is not responding to a ping, nmap suggests that if you are certain it is up, you can skip the host ping-check by specifying the -Pn flag.

One example to scan every port on the host you would be targeting, regardless of ping responses, would be:

nmap -sS -sV -Pn [host-ip] -p 1-65535

This means:
Perform a SYN Scan (-sS)
Do Version detection (-sV)
Regardless of Ping responses (-Pn)
On ports 1-65535 (-p 1-65535)

Hope this helps!

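A small helper, added here as an example (it is not code from any of the posters), that turns an HTB-style `IP:PORT` target into the scan described above: the known port only, with -Pn so a missing ping reply no longer stops the scan, and a fallback to the full TCP range when no port is given. The addresses in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Build the nmap command for a target
# given as "IP" or "IP:PORT" (the form HTB shows for spawned machines).
# When the port is known, there is nothing to search for: scan just that
# port with -Pn (skip the ping check) and -sV (identify the service).
# With no port, fall back to every TCP port, still with -Pn.
build_scan_cmd() {
    target="$1"
    case "$target" in
        *:*)
            host="${target%%:*}"   # part before the colon, e.g. 10.129.23.45
            port="${target##*:}"   # part after the colon, e.g. 32686
            ;;
        *)
            host="$target"
            port=""
            ;;
    esac
    if [ -n "$port" ]; then
        printf 'nmap -Pn -sS -sV -p %s %s\n' "$port" "$host"
    else
        printf 'nmap -Pn -sS -sV -p- %s\n' "$host"
    fi
}

# Run a scan without -Pn first; if nmap prints the "Host seems down" note
# quoted in the original post, retry with -Pn so the port scan happens.
# -sS needs root, as in the command given in the thread.
scan_with_pn_fallback() {
    host="$1"
    out="$(nmap -sS -sV "$host" 2>&1)" || true
    if printf '%s\n' "$out" | grep -q 'Host seems down'; then
        echo "no ping reply from $host; retrying with -Pn" >&2
        nmap -Pn -sS -sV "$host"
    else
        printf '%s\n' "$out"
    fi
}

# Usage: sh -c "$(build_scan_cmd 10.129.23.45:32686)"
```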

it happens when you try to scan a router

in my case I scanned the first ip address of the network which was the router

It could happen if you scan a router, but it does not have to happen in all situations.

For example, an nmap scan (all TCP ports, default script scan, version identification) of a router that connects the LAN to the ISP network, done from a box inside the LAN:

root@Box3:~# nmap -p- -sC -sV 192.168.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-01 09:16 CEST
Nmap scan report for 192.168.0.1
Host is up (0.0036s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
53/tcp   open  domain  dnsmasq 2.78
| dns-nsid: 
|_  bind.version: dnsmasq-2.78
80/tcp   open  http    NET-DK httpd 1.0 (Compal CH7465LG-ZG cable modem)
| http-title: Site doesn't have a title (text/html).
|_Requested resource was ../common_page/login.html
|_http-trane-info: Problem with XML parsing of /evox/about
5000/tcp open  upnp    MiniUPnP 1.9 (Compal Broadband Networks; UPnP 1.1)
Service Info: OS: Linux 2.6.39.3; Device: broadband router; CPE: cpe:/h:compal:ch7465lg-zg, cpe:/o:linux:linux_kernel:2.6.39.3

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 402.93 seconds

In this case the nmap scan shows useful and correct information about the router.
The nmap scan identifies the device as a router: “Compal CH7465LG-ZG cable modem” and “Device: broadband router”.