Why does NMAP scan list hosts as up?

Question

When running an NMAP scan of my internal network (192.168.1.0/24) from my Mac, NMAP sees all hosts as live. It also believes there is a port 80 http service running on every IP when I do not have 254 hosts configured on my network. Although oddly enough, telnetting to any IP on port 80 does respond with a connection, even if there is no host at that IP. Could there be something on my Airport (Bridged) or the FIOS router (DHCP Server) which is answering for ALL IPs regardless of whether they are live or dead?

Here is some output:

Ping scan (-sP) output: 
Xac124$ nmap -sP -v 192.168.1.0/24

Starting Nmap 6.25 ( http://nmap.org ) at 2014-11-03 14:37 EST
Initiating Ping Scan at 14:37
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 14:37, 1.33s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 14:37
Completed Parallel DNS resolution of 256 hosts. at 14:37, 0.24s elapsed
Nmap scan report for 192.168.1.0
Host is up (0.0071s latency).
Nmap scan report for 192.168.1.1
Host is up (0.0092s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0083s latency).
Nmap scan report for 192.168.1.3
Host is up (0.0076s latency).
Nmap scan report for 192.168.1.4
Host is up (0.0070s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0062s latency).
(To IP .255)

On a -PT scan of the 192.168.1.0/24 network, it shows the following 3 ports (80, 3128, 8080) open for every IP on the network, including IPs where there are no hosts installed, for example:

Nmap scan report for 192.168.1.12
Host is up (0.00047s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3128/tcp open  squid-http
8080/tcp open  http-proxy

Nmap scan report for 192.168.1.13
Host is up (0.00090s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
3128/tcp open  squid-http
8080/tcp open  http-proxy

Nmap scan report for 192.168.1.14
Host is up (0.00071s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
3128/tcp open  squid-http
8080/tcp open  http-proxy

(All the way to IP .255)

Yet, if I telnet over port 80 to any IP which does NOT have a host on it, I DO get a connection. But get nothing in return when typing in some test html commands:

Xac124$ telnet 192.168.1.241 80
Trying 192.168.1.241...
Connected to 192.168.1.241.
Escape character is '^]'.
GET / HTTP/1.1
HOST: 192.168.1.241


Connection closed by foreign host.

Does anyone have a clue as to what could be causing this behavior? Perhaps a setting on my FIOS (Actiontec) router?

Answer 1

Thanks. Other than using nmap built into the mac, I also was using Kali on a VirtualBox image which was experiencing the same issue.

I started to believe the issue was being caused by the Fios Actiontec router, but during my testing, I was playing with the Virutalbox network settings for the image. By setting the Kali VM to use bridge mode instead of NAT, Kali started working fine. It still doesnt work using the Mac's nmap, but now that Kali is working, it doesnt matter.

Thanks for all the help!

Answer 2

-All clients are up probably due to a firewall causing interference, this could be from your computer to the router. I have also experienced issuing running nmap on mac and have yet to diagnose the problem properly. For the mean time you could booting from a Kali Live DVD or Backtrack, then if the problem persists change router firewall settings.

-In cases networks can prevent probing by not responding to certain requests, alternatively the router could send results saying a client is up when it's actually not. (built in security feature)