Shazzam Probe result question

david74
Kilo Contributor

I ran a data center scan over the weekend and am now analyzing the scan results. I am finding that a certain IP showed no SNMP attempt despite it being defined in the scan. However, its neighboring IP did have the SNMP port probe:

<result active="true" alive="true" ip_address="MY_FIRST_IP">

<scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="refused" service="http"/>

<scanner name="HTTP" port="5986" portprobe="winrm" protocol="tcp" result="refused" service="winrm_ssl"/>

<scanner name="HTTP" port="5985" portprobe="winrm" protocol="tcp" result="refused" service="winrm"/>

<scanner name="SNMP" port="161" portprobe="snmp" protocol="udp" result="open" service="snmp">

<snmp_version>3</snmp_version></scanner>

<scanner name="GenericTCP" port="135" portprobe="wmi" protocol="tcp" result="refused" service="epmap"/>

<scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh">

<banner_text>SSH-2.0-OpenSSH_7.3&#13;

</banner_text>

<banner_bytes>.53.53.48.2d.32.2e.30.2d.4f.70.65.6e.53.53.48.5f.37.2e.33.0d.0a.</banner_bytes></scanner>

<scanner name="BannerTCP" port="5480" portprobe="vmapp" protocol="tcp" result="refused" service="vmapp_https"/>

<scanner name="BannerTCP" port="9443" portprobe="vmapp" protocol="tcp" result="refused" service="vmapp6_https"/>

<scanner name="DNS" port="53" portprobe="dns" protocol="udp" result="resolved" service="dns">

<host_names>MY_HOSTNAME</host_names>

</scanner>

<scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>

</result>

<result active="false" alive="true" ip_address="MY_SECOND_IP">

<scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="refused" service="http"/>

<scanner name="HTTP" port="5986" portprobe="winrm" protocol="tcp" result="refused" service="winrm_ssl"/>

<scanner name="HTTP" port="5985" portprobe="winrm" protocol="tcp" result="refused" service="winrm"/>

<scanner name="GenericTCP" port="135" portprobe="wmi" protocol="tcp" result="refused" service="epmap"/>

<scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="refused" service="ssh"/>

<scanner name="BannerTCP" port="5480" portprobe="vmapp" protocol="tcp" result="refused" service="vmapp_https"/>

<scanner name="BannerTCP" port="9443" portprobe="vmapp" protocol="tcp" result="refused" service="vmapp6_https"/>

</result>

The IPs are contiguous, with MY_FIRST_IP being .77 in the 4th octet and MY_SECOND_IP being .76.

Why does the SNMP port probe run on the first .77 IP but not the second?

1 REPLY

tim_broberg
ServiceNow Employee

By default, dead and inactive IPs do not get reported.



Things to try:


  • rerunning with probe parameters shazzam_report_dead or shazzam_report_inactive
  • set mid.log.level = debug
  • discover a single IP
  • run nmap on both IPs and see if the difference in behavior sheds any light on why Shazzam might be missing it.
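To find every IP in a Shazzam payload that lacks a probe its neighbors received, as with the SNMP probe in the question, the results can be diffed per IP. This is an added example, not part of the original thread and not ServiceNow code; the `<results>` wrapper element and the trimmed sample are assumptions constructed from the XML posted in the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the two <result> elements from the
# question. The <results> wrapper is an assumption so the text parses as one document.
SAMPLE = """<results>
<result active="true" alive="true" ip_address="MY_FIRST_IP">
  <scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="refused" service="http"/>
  <scanner name="SNMP" port="161" portprobe="snmp" protocol="udp" result="open" service="snmp">
    <snmp_version>3</snmp_version></scanner>
  <scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh"/>
  <scanner name="DNS" port="53" portprobe="dns" protocol="udp" result="resolved" service="dns"/>
  <scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>
</result>
<result active="false" alive="true" ip_address="MY_SECOND_IP">
  <scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="refused" service="http"/>
  <scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="refused" service="ssh"/>
</result>
</results>"""


def parse_results(xml_text):
    """Map each ip_address to its active/alive flags and recorded probes."""
    hosts = {}
    for res in ET.fromstring(xml_text).iter("result"):
        probes = {
            (s.get("protocol"), int(s.get("port"))): s.get("result")
            for s in res.iter("scanner")
        }
        hosts[res.get("ip_address")] = {
            "active": res.get("active") == "true",
            "alive": res.get("alive") == "true",
            "probes": probes,
        }
    return hosts


def coverage_gaps(hosts):
    """Per IP, list (protocol, port) probes recorded for another IP but not this one."""
    expected = set().union(*(h["probes"] for h in hosts.values()))
    gaps = {ip: sorted(expected - set(h["probes"])) for ip, h in hosts.items()}
    return {ip: missing for ip, missing in gaps.items() if missing}


if __name__ == "__main__":
    hosts = parse_results(SAMPLE)
    for ip, missing in coverage_gaps(hosts).items():
        print(ip, "active=%s" % hosts[ip]["active"], "missing:", missing)
```

Printing the `active` flag beside the missing probes shows whether a coverage gap coincides with the host being marked inactive, which is what the `shazzam_report_inactive` rerun suggested above would help confirm.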