Nmap Development mailing list archives

Re: Nmap bug - Doesn't folow static route

From: David Fifield <david () bamsoftware com>
Date: Fri, 26 Feb 2010 12:09:09 -0700

On Fri, Dec 18, 2009 at 12:59:06PM +0200, Ninel Piroi wrote:

I use Nmap frequently at home and at work, before being useful in many  
situations and I want to thank you for this sweet product.
Recently I discovered that when using static routes to subnet, Nmap does  
not follow the route, but looking directly into local broadcast (ARP)

Ex:
[Nmap Host] <-10.1.0.0/20-> [GW1] <-192.168.1.0/24-> [GW2]  
<-10.1.3.0/24-> [Target Host]

[Nmap Host]
IP  :    10.1.0.15/20
GW1: 10.1.0.1
Static Route:  10.1.3.0/24 gw 10.1.0.1

[Target Host]
IP:      10.1.3.9/24
GW2: 10.1.3.1

nmap --packet-trace -sS 10.1.3.9

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-18 08:41 GTB Standard Time
SENT (0.6720s) ARP who-has 10.1.3.9 tell 10.1.0.15
SENT (0.7820s) ARP who-has 10.1.3.9 tell 10.1.0.15
Note: Host seems down. If it is really up, but blocking our ping probes,  
try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.91 seconds

nmap --iflist

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-18 08:41 GTB Standard Time
************************INTERFACES************************
DEV  (SHORT) IP/MASK       TYPE     UP MAC
eth0 (eth0)  10.1.0.15/20 ethernet up 00:1A:DC:3E:34:AC
lo0  (lo0)   127.0.0.1/8   loopback up
DEV    WINDEVICE
eth0   \Device\NPF_{00744106-FFB1-473B-AED9-3CD94673D5AA}
lo0 <none>
<none> \Device\NPF_GenericDialupAdapter
**************************ROUTES**************************
DST/MASK           DEV  GATEWAY
10.1.0.15/32      lo0  127.0.0.1
10.255.255.255/32  eth0 10.1.0.15
255.255.255.255/32 eth0 10.1.0.15
10.1.3.0/0         eth0 10.1.0.1
10.1.0.0/0         eth0 10.1.0.15
127.0.0.0/0        lo0  127.0.0.1
224.0.0.0/0        eth0 10.1.0.15
0.0.0.0/0          eth0 10.1.0.1


You're right. If a target address matches an interface's address and
netmask, Nmap doesn't even look at the routing table.

Your case has additional complications, like this:

10.1.3.0/0         eth0 10.1.0.1
10.1.0.0/0         eth0 10.1.0.15

Nmap sorts the routes by netmask before matching, so more specific
matches will be tried first. But it uses qsort, which is probably not a
stable sort, so entries with identical netmasks may have their order
changed. I think both of these problems would have to be fixed for Nmap
to work in your environment.

If someone wants to work on this, the relevant functions are
getsysroutes and route_dst in tcpip.cc.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: Nmap bug - Doesn't folow static route David Fifield (Feb 26)
- Re: Nmap bug - Doesn't folow static route David Fifield (Mar 11)
  - Re: Nmap bug - Doesn't folow static route David Fifield (Mar 11)
    - Re: Nmap bug - Doesn't folow static route Jay Fink (Mar 12)
    - Re: Nmap bug - Doesn't folow static route David Fifield (Mar 12)
    - Re: Nmap bug - Doesn't folow static route jrf (Mar 12)