# nmap strange behaviour when using as root

## orzetto

Hi,

I was trying to get confident with nmap but I stumbled on something strange. When I try to scan my office machine, I get:

```
$ nmap [here was my hostname]

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-20 20:11 CEST

Interesting ports on [here was my hostname] ([and here my IP address]):

(The 1657 ports scanned but not shown below are in state: filtered)

PORT   STATE SERVICE

22/tcp open  ssh

80/tcp open  http

Nmap run completed -- 1 IP address (1 host up) scanned in 117.645 seconds

```

But if I run as root, I get:

```
# nmap [here was my hostname]

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-20 20:16 CEST

Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

Nmap run completed -- 1 IP address (0 hosts up) scanned in 0.364 seconds
```

It seems that root cannot do what users can... What am I doing wrong?

Cheers,

-Federico

----------

## amne

It might have to do with the different default modes for testing if a machine is up (see also the option -sP in man nmap):

user: Sending a SYN probe to port 80

root: Sending a ICMP request and ACK.

Assuming your box at work is behind a firewall, the latter attempt might get blocked/dropped by it. You might try scanning your box as root using

```
nmap -PS80 your_hostname
```

 which should do the same probe as it does as user (at least i think so). In doubt, try playing around with the options in the manpage.  :Wink: 

----------

## orzetto

Thanks! That did it.

----------

## Chol

Same problem here, but amne's parameter doesn't solve it  :Sad: 

```
bash-2.05b$ nmap 192.168.1.2

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-07-29 15:44 CEST

Interesting ports on P3-900 (192.168.1.2):

(The 1655 ports scanned but not shown below are in state: closed)

PORT     STATE SERVICE

22/tcp   open  ssh

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

631/tcp  open  ipp

4000/tcp open  remoteanything

Nmap run completed -- 1 IP address (1 host up) scanned in 0.491 seconds

bash-2.05b$ su

Password: 

bash-2.05b# nmap -PS80 192.168.1.2

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-07-29 15:45 CEST

Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

Nmap run completed -- 1 IP address (0 hosts up) scanned in 12.050 seconds

bash-2.05b#
```

----------

## Jeremy_Z

Try

-PE or -PA and PS on different port.

Again, watch the packets with a sniffer, just to be sure of what's going on exactly.

----------

