network: slow Nmap scanning in some IP ranges

I am a security rookie trying to scan a private network in the range – using nmap on Kali Linux.

The routing table:

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    100    0        0 eth0
                                                UG    1      0        0 tun0
                                                UG    0      0        0 tun0
                                                UG    1      0        0 tun0
                                                U     100    0        0 eth0
                                                UG    0      0        0 tun0
                                                U     0      0        0 tun0

I tried to scan the entire range of the private network at once, but this caused nmap to close after a period of time.

Then I tried to scan blocks of 256 IP addresses at once, starting with

nmap -sS

Scans in the range – are completed quickly, but the scans in the range – are exponentially slower and generally do not complete.

Is there anything in the network routing that is affecting this? Is there something I am missing completely?

mysql – nmap and service detection

I am currently enumerating a VM, and the results show me two open ports, 22 and 3306, with SSH and MySQL being the services running on them. However, when I investigate 3306 further with Metasploit or nmap using the various mysql scripts, I receive errors. Is this because the service on 3306 is not really MySQL?

Thanks for any help,


ssl: why does the same nmap command behave differently on the server than on the local machine?

I am running this nmap command on the local machine (Windows 10 with nmap

nmap --script ssl-enum-ciphers -p 443

and it shows the SSL certificates like this:

But when I run it on the server machine (Ubuntu 14.04.5 LTS), why does it find no compatible ciphers?

Hardening against Nmap and other network scanners.

Snort can do what you ask. It can detect various types of network scanning behaviour and apply rules to respond with any type of packets or data that you configure. In addition, a Snort device in your network can protect all the systems in your range, not just one server at a time.

It's not exactly what you asked for, since it's not a modification of a web server, but that should not matter if it does what you need.

nmap: I did an IP scan in a network and I see that the IP can be scanned, but I can not ping the device

I made a change to a serial-to-Ethernet converter, and now the device no longer responds to ping and cannot be accessed through the web UI, but when I do an IP scan, Nmap reports it as:

Nmap scan report for
Host is up (0.00069s latency).
All 1000 scanned ports on are filtered
MAC Address: 00:90:E8:73:1F:16 (Moxa Technologies)

It says that the host is up, but I cannot connect to anything. Was this just cached somewhere? Or am I missing something else here?

Ports: nmap provides different results in two shells on the same computer

I am running Kali and Metasploitable2 in VirtualBox, connected via a host-only network. I can ping and ssh from Kali to Metasploitable, and I have assigned the following IP addresses: (Kali) and (Metasploitable). For some reason, I could not see most of the open ports when running a simple scan:

kali$ nmap -sV
Starting Nmap 7.70 ( at 2019-06-16 09:04 CEST
Nmap scan report for
Host is up (0.011s latency).
Not shown: 997 filtered ports
80/tcp   open  http?
443/tcp  open  https?
8080/tcp open  http-proxy?

But if I open another shell and execute the same command I get a very different result:

kali$ nmap -sV
Starting Nmap 7.70 ( at 2019-06-16 09:05 CEST
Nmap scan report for
Host is up (0.00029s latency).
Not shown: 977 closed ports
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp  open  telnet      Linux telnetd
25/tcp  open  smtp        Postfix smtpd
53/tcp  open  domain      ISC BIND 9.4.2
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open  rpcbind     2 (RPC #100000)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open  exec        netkit-rsh rexecd
--- snip ---

This is probably a beginner question, but what could cause these differences between the shells? The env variables were identical in both.

arp – NMAP does not show all live hosts

I have a live host at on my local network. I know it is up since I configured it with a static IP, and if I ping it I receive a response.

The weird thing is that when I run nmap -sP I can see that the host is up, but when nmap -sP is run it goes straight through and shows that it is down. I have tried the same thing using arp and scapy, and it seems that I constantly have the same problem where I cannot, for some reason, specify an IPv4 range to make an ARP request.

What I do in scapy is:

#!/usr/bin/env python
import scapy.all as scapy

# Send ARP who-has requests to the target (the target string was stripped from the original post)
scapy.arping("")

penetration test – Nmap Windows 10 OS Detection

Recently, I've been practicing penetration tests and I've been stuck trying to use nmap to detect the operating system of a Windows 10 machine.
For the most part, it is not able to identify the machine as Windows 10; the closest guess is Windows. I've also tried p0f and xprobe2 with no luck.

What else can I use to successfully detect a Windows 10 machine on the network?

* From a blackbox perspective.

Thank you.

nmap – Difference between footprinting and scanning

Goodnight everyone.

I'm trying to earn a CEH certificate. I have a question about a simple quiz that I did and a book that I am reading.
The book indicates that we can footprint a target using network tools (for example, traceroute, nslookup, and so on).
The CEH book also states that scanning takes place in the footprinting process. But I did a test on Gocertify that states that scanning is a pre-attack phase and not reconnaissance. Which is correct?

I tried googling but I'm still confused. Thank you all, even if you do not know the answer.

tls – Modified NMAP script: variable 'host' is not declared

I am modifying an NSE script, ssl-cert.nse, which already lists SSL certificates. I want to print the host IP and the port number on a line of the SSL certificate output. However, every time I try to call host.ip or port.number, it seems that host and port are undeclared variables. How can I output the IP of the current host and the port number of the detected SSL service? Preferably, I would concatenate the host and the port number into the certificate output data. Below is the code area that I modified/added in the ssl-cert.nse script file.

-- file-level: this is where 'host' and 'port' are reported as undeclared
local out1 = host.ip
local out2 = port.number

output = function (host, port)
  out1 = host.targetname
  return host.ip
end

output2 = function (host, port)
  out2 = port.number
  return port.number
end

-- inside the existing output routine of ssl-cert.nse
if nmap.verbosity() > 0 then
  lines[#lines + 1] = "Issuer: " .. stringify_name(cert.issuer)
end

if nmap.verbosity() > 0 then
  lines[#lines + 1] = "Public Key type: " .. cert.pubkey.type .. " " .. out1 .. ":" .. out2
  lines[#lines + 1] = "Public Key bits: " .. cert.pubkey.bits
  lines[#lines + 1] = "Signature Algorithm: " .. cert.sig_algorithm
end

lines[#lines + 1] = "Not valid before: " ..
  date_to_string(cert.validity.notBefore)
lines[#lines + 1] = "Not valid after: " ..
  date_to_string(cert.validity.notAfter)
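As an added example (not the poster's modification and not Nmap's own ssl-cert.nse), a minimal NSE script that passes host and port from the action function into the output helper, which is the only scope in which Nmap defines those tables; it assumes the standard sslcert, shortport and stdnse NSE libraries:

```lua
local shortport = require "shortport"
local sslcert   = require "sslcert"
local stdnse    = require "stdnse"

description = [[
Retrieves the TLS certificate of a service and prints it together with
the scanned host address and port number (constructed example script).
]]

categories = {"default", "safe", "discovery"}

-- Run on any port that Nmap has identified as SSL/TLS.
portrule = shortport.ssl

-- 'host' and 'port' only exist as parameters of functions Nmap calls with
-- them (the action function). At file level they are undefined globals,
-- so the output helper must receive them explicitly.
local function output_str(cert, host, port)
  local lines = {}
  local target = host.targetname or host.ip
  lines[#lines + 1] = ("Target: %s (%s:%d)"):format(target, host.ip, port.number)
  lines[#lines + 1] = "Public Key type: " .. cert.pubkey.type
  lines[#lines + 1] = "Public Key bits: " .. cert.pubkey.bits
  lines[#lines + 1] = "Signature Algorithm: " .. cert.sig_algorithm
  return table.concat(lines, "\n")
end

action = function(host, port)
  -- sslcert.getCertificate returns (true, cert) or (false, error message)
  local status, cert = sslcert.getCertificate(host, port)
  if not status then
    stdnse.debug1("getCertificate failed on %s:%d: %s",
                  host.ip, port.number, tostring(cert))
    return nil
  end
  return output_str(cert, host, port)
end
```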