I'm trying to find a free IP address on a network that doesn't use DHCP. I decided to run an intense scan using Nmap from 10.0.5.0 to 10.0.5.255. (I know this isn't the best way to find an unused IP address, but it's good enough for this scenario. I am open to suggestions though.) I'm on a different subnet, and I'm not 100% sure what my scan is going through (firewalls, NAT, etc.).
Every single IP address is showing me port 113/tcp is closed, including unused IPs/dead hosts. This is making my results ugly and a pain to pick through.
- Is there a way to skip scanning this port in Nmap?
- Why is this shown even on dead hosts?
Best Answer
Yes. See here (reposted here for convenience):
$ nmap 24.0.0.0/24 -p 1-79,81-65535
Somewhere in your routing chain you may have a router/forced proxy/stateful firewall that does some kind of packet inspection and returns an actual response to your host trying to tell you that the port is blocked. It may not even check the IP before sending this response.
In short, you can't assume that any response you receive from the network actually originated from the endpoint you asked to reach, unless you use strong encryption. Any "man in the middle" can send back a fake request, whether it's to tell you "you aren't allowed to do that!" or just some misconfiguration. The actual case of why this is happening would be extremely specific to your hardware/software configuration, as well as your ISP, etc. -- basically everything related to your network setup.
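The answer's point is that a port reported in the same state on every address, dead hosts included, is a middlebox artifact rather than information about the endpoint. The following script is an added example (not code from the question, the answer, or the Nmap project) that parses Nmap grepable output (-oG), detects any port/state pair that is reported identically on every scanned host, and then triages hosts by whether anything other than that artifact was observed. The scan data below is constructed for the example, and the "identical on every host" heuristic is an assumption about how such injected responses look, not an Nmap feature.

```python
import re
from collections import Counter

# Constructed sample of Nmap grepable (-oG) output. Not a real scan.
# Every host shows 113/closed, which is the symptom described in the question.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -oG - 10.0.5.0/29
Host: 10.0.5.1 ()\tStatus: Up
Host: 10.0.5.1 ()\tPorts: 22/open/tcp//ssh///, 113/closed/tcp//ident///\tIgnored State: filtered (998)
Host: 10.0.5.2 ()\tStatus: Up
Host: 10.0.5.2 ()\tPorts: 113/closed/tcp//ident///\tIgnored State: filtered (999)
Host: 10.0.5.3 ()\tStatus: Up
Host: 10.0.5.3 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 113/closed/tcp//ident///\tIgnored State: filtered (997)
Host: 10.0.5.4 ()\tStatus: Up
Host: 10.0.5.4 ()\tPorts: 113/closed/tcp//ident///\tIgnored State: filtered (999)
# Nmap done (constructed sample) -- 4 IP addresses (4 hosts up) scanned
"""

# Each entry in a "Ports:" field looks like  port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_gnmap(text):
    """Return {ip: {(port, proto): state}} from grepable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # fields are tab separated in -oG
        ip = fields[0].split()[1]
        hosts.setdefault(ip, {})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto in PORT_RE.findall(field):
                    hosts[ip][(int(port), proto)] = state
    return hosts


def uniform_ports(hosts):
    """Port/state pairs reported identically on every host.

    A result that never varies across the whole range carries no information
    about individual endpoints; the likely origin is an inline device answering
    on their behalf (assumption: that is what such an artifact looks like).
    """
    n = len(hosts)
    counts = Counter()
    for states in hosts.values():
        for key, state in states.items():
            counts[(key, state)] += 1
    return {key: state for (key, state), c in counts.items() if n > 1 and c == n}


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def triage(hosts, noise):
    """Split hosts into (evidence of a live endpoint, only the artifact seen)."""
    live, artifact_only = [], []
    for ip in sorted(hosts, key=_ip_key):
        real = {k: s for k, s in hosts[ip].items() if noise.get(k) != s}
        (live if real else artifact_only).append(ip)
    return live, artifact_only


def summarize(text):
    """End-to-end helper: parse, detect the artifact, triage. Returns a dict."""
    hosts = parse_gnmap(text)
    noise = uniform_ports(hosts)
    live, artifact_only = triage(hosts, noise)
    return {"noise": noise, "live": live, "artifact_only": artifact_only}


if __name__ == "__main__":
    result = summarize(SAMPLE_GNMAP)
    for (port, proto), state in result["noise"].items():
        print(f"uniform on every host, treat as noise: {port}/{proto} {state}")
    print("hosts with evidence of a real endpoint:", ", ".join(result["live"]))
    print("hosts showing only the artifact:", ", ".join(result["artifact_only"]))
```

Hosts that show nothing beyond the uniform artifact are candidates for being unused, but only candidates: an address may host a machine with every real port filtered. Confirming a free address still requires checking from inside the target subnet (ARP) or against whatever address inventory the network keeps.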