Host Discovery – filtering out firewall responses based on TTL



Sometimes when doing Host Discovery with Nmap you get a response indicating that every host you scanned is up. This can happen because a firewall, rather than a host, is answering some of the SYNs your Host Discovery is sending. In addition, the firewall may be configured to reply on the most common ports, which makes the Host Discovery process difficult.

When a firewall is believed to be responding to or blocking ping probes, it is rather common practice to use the -Pn option, assume that the hosts are up, and perform port scanning directly. This way you can separate ports whose responses resemble a firewall from ports whose responses resemble a host. However, this is often highly inefficient, especially if you want to scan many ports on a big network such as a 10/8. Luckily there are other options, such as filtering out firewall responses based on the TTL value.

TTL can be used to estimate how far away the responding network component is from the source, and can sometimes tell you whether a firewall or a host is responding to a packet. Simply scan with --packet-trace and look at the TTL value in the reply. A low TTL can indicate that a firewall is responding, whereas a high TTL can indicate that a host is responding. Don't forget to run with sudo so that nmap has access to raw sockets. Without sudo, nmap performs a slower full handshake (TCP connect) during Host Discovery and has no access to the TTL value.

Scanning even a 10/8 network this way is rather quick, because by probing only one TCP port during the Host Discovery phase you can find out whether the firewall forwarded the request or not, and that is usually fast.

The easiest approach is to first probe IPs in different subnets that you know are alive (where hosts respond) and note the TTL value in the responding packets. Then check IPs in different subnets that you know are not alive. When the same firewall responds, the TTL will often be the same value because the packet took the same route, whereas the response TTL varies when a host responds because the source is at a different location.

sudo nmap 10.10.10.1 -sP -PS80 --packet-trace
ttl in response = 123 (firewall responded)
sudo nmap 10.100.10.1 -sP -PS80 --packet-trace
ttl in response = 240 (host responded)

To get this in a presentable format, simply use

sudo nmap 10.10.10.1 10.100.10.1 -sP -PS80 -oX testxml
cat testxml | awk '/<host>/,/<\/host>/ NR%2{printf "%s ",$0;next;}1' | grep address | awk -F'"' '{print $8 "," $6}' 
Output:
10.10.10.1,123
10.100.10.1,240

Now you can simply grep inversely for 123 to remove all lines with that TTL, then cut out the first field so that only alive hosts are shown. Note that grep -v 123 matches the string anywhere on the line, so an IP address that happens to contain 123 would be dropped as well; on a real scan, match the TTL field exactly.

cat testxml | awk '/<host>/,/<\/host>/ NR%2{printf "%s ",$0;next;}1' | grep address | awk -F'"' '{print $8 "," $6}'  | grep -v 123 | cut -d"," -f1
Output:
10.100.10.1
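The awk pipeline above depends on the exact attribute order of the nmap XML and on a substring grep for the TTL. As an added example that is not part of the original post, the following Python script does the same job by parsing the -oX output properly: it reads the reason_ttl attribute of each up host, tallies the TTL values so the dominant firewall TTL stands out across a large range, and drops hosts by exact integer comparison. The SAMPLE_XML is a constructed stand-in for a real scan file, not real scan data; a fourth host with 123 in its address is included to show why the exact comparison matters.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of nmap -sn -PS80 -oX output (not real scan data).
# 10.123.5.7 contains the string "123" but answered with TTL 240, so a
# substring grep for 123 would wrongly discard it.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -PS80 -oX -">
<host starttime="1" endtime="1"><status state="up" reason="syn-ack" reason_ttl="123"/>
<address addr="10.10.10.1" addrtype="ipv4"/>
</host>
<host starttime="1" endtime="1"><status state="up" reason="syn-ack" reason_ttl="240"/>
<address addr="10.100.10.1" addrtype="ipv4"/>
</host>
<host starttime="1" endtime="1"><status state="up" reason="syn-ack" reason_ttl="240"/>
<address addr="10.123.5.7" addrtype="ipv4"/>
</host>
<host starttime="1" endtime="1"><status state="up" reason="syn-ack" reason_ttl="123"/>
<address addr="10.10.20.9" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return a list of (ipv4_address, reason_ttl) for every host nmap reported as up.

    Attributes are looked up by name, so the order nmap writes them in does not matter.
    """
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ttl = status.get("reason_ttl")
        hosts.append((addr.get("addr"), int(ttl) if ttl is not None else None))
    return hosts


def ttl_histogram(hosts):
    """Count how many responses carried each TTL; on a big range the firewall's TTL dominates."""
    return Counter(ttl for _, ttl in hosts)


def filter_firewall_ttl(hosts, firewall_ttl):
    """Keep only hosts whose response TTL differs from the firewall's (exact integer match)."""
    return [ip for ip, ttl in hosts if ttl != firewall_ttl]


if __name__ == "__main__":
    # Usage: python ttl_filter.py scan.xml 123   (falls back to the constructed sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    fw_ttl = int(sys.argv[2]) if len(sys.argv) > 2 else 123
    hosts = parse_hosts(xml_text)
    print("TTL histogram:", dict(ttl_histogram(hosts)))
    for ip in filter_firewall_ttl(hosts, fw_ttl):
        print(ip)
```

Run it against the file written by -oX with the firewall TTL you identified from known-dead addresses as the second argument; the histogram line is a quick sanity check that the TTL you are filtering really is the most common one in the scan.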
