Different behavior: “sudo nmap” vs just “nmap”?

5

I'm trying to do a simple port scan with nmap:

$ nmap 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-10 19:30 IST
Nmap scan report for 192.168.56.101
Host is up (0.0048s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
5555/tcp  open  freeciv
24800/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

But when I try the same thing with sudo, it fails, claiming the host is down:

$ sudo nmap 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-10 19:30 IST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.48 seconds

NOTE:
I'm on OS X Yosemite.
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin14)

Thanks.

thedp
Please include the output of those commands with the -d option, as well as the output of nmap --version and whether you installed it via the .dmg package, via MacPorts, or some other way. Thanks!
bonsaiviking

Answers:

8

By default, an unprivileged scan uses -sT (TCP connect) while a privileged (root) scan uses -sS (TCP SYN stealth).

TCP connect scan (-sT): Connect scan uses the system call of the same name to scan machines, rather than relying on raw packets as most of the other methods do. It is usually used by unprivileged Unix users and against IPv6 targets because SYN scan doesn't work in those cases.

TCP SYN stealth (-sS): This is far and away the most popular scan type because it is the fastest way to scan ports of the most popular protocol (TCP). It is stealthier than connect scan, and it works against all functional TCP stacks (unlike some special-purpose scans such as FIN scan).

1) To find out what is going on with your machine, I suggest using the extra verbose mode (-vv) or --packet-trace to see what happens.

$ sudo nmap --packet-trace -vv 192.168.56.101

2) Another approach would be to force an unprivileged scan as a privileged user using the following commands and see the result.

$ sudo nmap -sT -vv 192.168.56.101
$ sudo nmap --unprivileged -vv 192.168.56.101

3) Finally, the reason nmap stops the scan is that the ICMP Type 8 (echo, aka ping) does not get an ICMP Type 0 (echo reply) back. This command skips the ping and continues the scan:

$ sudo nmap -PN 192.168.56.101

Could you try these commands and post the output?

Florian Bidabe
3

I noticed the same behavior on my Mac. It's really weird.

It seems that Nmap with sudo privileges gets some information from the ARP cache. So if you scan a device that is disconnected from the network but is still in the ARP cache (the cache gets refreshed after 2 or 3 minutes on my computer), it will show up as online to Nmap.

From the Nmap man page:

If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans, which are used for any targets on a local Ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.

phenetas
2

Basically, by default:

  • A privileged user runs -sS (TCP SYN scan).
    This scan type requires raw socket/packet privileges.
  • An unprivileged user runs -sT (TCP connect scan).
    This scan type does not require raw socket/packet privileges.

Adapted from the official Nmap docs:


PORT SCANNING TECHNIQUES
Most of the scan types are only available to privileged users. This is because they are able to send and receive raw packets, which requires root access on Unix systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop Unix systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible.
--privileged (Assume that the user is fully privileged).
Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require root privileges on Unix systems. By default, Nmap quits if such operations are requested but geteuid is not zero. --privileged is useful with Linux kernel capabilities and similar systems that may be configured to allow unprivileged users to perform raw-packet scans. Be sure to provide this option flag before any flags for options that require privileges (SYN scan, OS detection, etc). The NMAP_PRIVILEGED environment variable may be set as an equivalent alternative to --privileged.

-sS (TCP SYN Scan).
TCP SYN Scan is the default scan option for privileged users. It can be performed quickly, scanning thousands of ports per second when on a fast network not hampered by any restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. A TCP SYN Scan works against any compliant TCP stack rather than depending on the idiosyncrasies of specific platforms (as Nmap's other scans do). It allows clear, reliable differentiation between the open, closed, and filtered states.
This technique is often referred to as a Half-Open Scan, because it doesn't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener (closed). If a SYN/ACK is received, a RST is immediately sent to tear down the connection. The primary advantage of this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection. (https://nmap.org/misc/split-handshake.pdf)
--unprivileged (Assume that the user lacks raw socket privileges).
This option is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful if testing, debugging, or the raw network functionality of your operating system is somehow broken. The NMAP_UNPRIVILEGED environment variable may be set as an equivalent alternative to --unprivileged.

-sT (TCP Connect Scan).
TCP Connect Scan is the default TCP scan type for unprivileged users. This is the most basic form of TCP scanning. The connect() system call, provided by your operating system, is used to open a connection to some interesting ports on the machine. If the port is listening, then connect() will succeed; otherwise the port is filtered. One strong advantage of this technique is that it doesn't require any special privileges. Usually, on most UNIX boxes, any user can make this call because it doesn't involve writing raw packets like most other scan types do. This connect() call is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.
When the TCP SYN Scan is available, it is usually a better choice. Nmap has less control over the high-level connect() call than with raw packets, making it less efficient. Rather than performing the half-open reset that a SYN Scan does, the connect() system call makes complete connections to open target ports. This not only takes longer, it requires sending more packets to obtain the same information, and target machines are more likely to log the connection. A decent IDS will catch either. Most machines, however, have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been TCP Connect Scanned.

tjt263
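To make concrete what the quoted -sT documentation (and the "force -sT under sudo" suggestion in the first answer) describes, here is an added example that is not part of this answer and not Nmap's own code: a minimal connect scanner that classifies a port as open, closed or filtered purely from the outcome of connect(), run against a constructed loopback listener so it works offline. The listener, the choice of ports, and the one-second timeout are assumptions for the demo.

```python
import errno
import socket
import threading

# Port states as Nmap's connect scan (-sT) reports them.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_port(host, port, timeout=1.0):
    """Classify one TCP port using only connect(), as an unprivileged -sT does.

    A completed handshake means a listener (open); an immediate RST surfaces as
    ECONNREFUSED (closed); no answer within the timeout is reported as filtered,
    which is also what Nmap shows when a firewall silently drops the SYN.
    No raw sockets are involved, so this needs no root privileges.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return CLOSED
        except socket.timeout:
            return FILTERED
        except OSError as e:
            # Host/network unreachable is likewise shown as filtered by Nmap.
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return FILTERED
            raise
        # The full three-way handshake completed; leaving the 'with' block closes
        # the connection without sending data, which is exactly the empty
        # connection that services log and that the docs above warn about.
        return OPEN


def connect_scan(host, ports, timeout=1.0):
    """Probe each port in turn and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def start_listener():
    """Constructed test service: a TCP listener on an OS-assigned loopback port
    that accepts and immediately drops every connection (assumption for the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by demo(); stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port():
    """Constructed: borrow an ephemeral port from the OS and release it again, so
    it is almost certainly closed (RST on connect) when probed a moment later."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns {port: state}."""
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in sorted(demo().items()):
        print(f"{port}/tcp {state}")
```

Running it prints one open and one closed port, mirroring the first two columns of the question's nmap output. Note what the "open" path does: the handshake completes and the socket is then closed with nothing sent, so on a real service this shows up as a connection-with-no-data in its logs, which is the detection signal the quoted docs describe and the reason a SYN scan (which needs root to craft packets) leaves fewer traces.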