Nmap Development mailing list archives
Re: Nmap bug - Doesn't folow static route
From: David Fifield <david () bamsoftware com>
Date: Fri, 26 Feb 2010 12:09:09 -0700
On Fri, Dec 18, 2009 at 12:59:06PM +0200, Ninel Piroi wrote:
> I use Nmap frequently at home and at work, it has been useful in many situations and I want to thank you for this sweet product.
>
> Recently I discovered that when using static routes to a subnet, Nmap does not follow the route, but looks directly in the local broadcast (ARP).
>
> Ex:
>
> [Nmap Host] <-10.1.0.0/20-> [GW1] <-192.168.1.0/24-> [GW2] <-10.1.3.0/24-> [Target Host]
>
> [Nmap Host]
> IP: 10.1.0.15/20
> GW1: 10.1.0.1
> Static Route: 10.1.3.0/24 gw 10.1.0.1
>
> [Target Host]
> IP: 10.1.3.9/24
> GW2: 10.1.3.1
>
> nmap --packet-trace -sS 10.1.3.9
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-18 08:41 GTB Standard Time
> SENT (0.6720s) ARP who-has 10.1.3.9 tell 10.1.0.15
> SENT (0.7820s) ARP who-has 10.1.3.9 tell 10.1.0.15
> Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
> Nmap done: 1 IP address (0 hosts up) scanned in 0.91 seconds
>
> nmap --iflist
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-18 08:41 GTB Standard Time
> ************************INTERFACES************************
> DEV  (SHORT) IP/MASK      TYPE     UP MAC
> eth0 (eth0)  10.1.0.15/20 ethernet up 00:1A:DC:3E:34:AC
> lo0  (lo0)   127.0.0.1/8  loopback up
>
> DEV    WINDEVICE
> eth0   \Device\NPF_{00744106-FFB1-473B-AED9-3CD94673D5AA}
> lo0    <none>
> <none> <none> \Device\NPF_GenericDialupAdapter
>
> **************************ROUTES**************************
> DST/MASK           DEV  GATEWAY
> 10.1.0.15/32       lo0  127.0.0.1
> 10.255.255.255/32  eth0 10.1.0.15
> 255.255.255.255/32 eth0 10.1.0.15
> 10.1.3.0/0         eth0 10.1.0.1
> 10.1.0.0/0         eth0 10.1.0.15
> 127.0.0.0/0        lo0  127.0.0.1
> 224.0.0.0/0        eth0 10.1.0.15
> 0.0.0.0/0          eth0 10.1.0.1
You're right. If a target address matches an interface's address and netmask, Nmap doesn't even look at the routing table.

Your case has additional complications, like this:

10.1.3.0/0 eth0 10.1.0.1
10.1.0.0/0 eth0 10.1.0.15

Nmap sorts the routes by netmask before matching, so more specific matches will be tried first. But it uses qsort, which is probably not a stable sort, so entries with identical netmasks may have their order changed.

I think both of these problems would have to be fixed for Nmap to work in your environment. If someone wants to work on this, the relevant functions are getsysroutes and route_dst in tcpip.cc.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
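The two problems David describes, side by side, as an added illustration (this is not Nmap's route_dst code; the table below is constructed from the thread's example and the /24 and /20 prefixes are assumed, since the --iflist output in the report shows them as /0): the interface-netmask shortcut wrongly treats 10.1.3.9 as on-link because it falls inside 10.1.0.0/20, whereas a longest-prefix lookup over the whole table, with ties resolved in table order so no unstable sort can reorder equal masks, picks the static route via 10.1.0.1.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed routing table modelled on the thread's example (prefix lengths
   are assumed). Entry order matters: among equal prefixes the first one listed
   must win, so lookup() below scans the table in place and never sorts it. */
struct route { const char *dst; int prefix; const char *dev; const char *gw; };

static const struct route table[] = {
    { "10.1.3.0", 24, "eth0", "10.1.0.1"  },   /* static route via GW1 */
    { "10.1.0.0", 20, "eth0", "10.1.0.15" },   /* directly connected: gw is our own address */
    { "0.0.0.0",   0, "eth0", "10.1.0.1"  },   /* default route */
};
#define NROUTES (sizeof table / sizeof table[0])

static uint32_t ip4(const char *s) { struct in_addr a; inet_pton(AF_INET, s, &a); return ntohl(a.s_addr); }
static uint32_t mask(int prefix) { return prefix == 0 ? 0 : 0xffffffffu << (32 - prefix); }

/* The shortcut described in the reply: if the target lies within the
   interface's own address/netmask, call it on-link and skip the routing table.
   Returns 1 when the shortcut would fire (and Nmap would ARP for the target). */
int onlink_shortcut(const char *target, const char *ifaddr, int ifprefix) {
    return (ip4(target) & mask(ifprefix)) == (ip4(ifaddr) & mask(ifprefix));
}

/* Longest-prefix match over the whole table. The strict '>' keeps the earliest
   entry among equal prefixes, so ordering is stable without relying on qsort.
   Returns the next-hop address (our own address means "send directly"), or
   NULL when no route matches. */
const char *lookup(const char *target) {
    uint32_t t = ip4(target);
    const struct route *best = NULL;
    for (size_t i = 0; i < NROUTES; i++) {
        const struct route *r = &table[i];
        if ((t & mask(r->prefix)) == (ip4(r->dst) & mask(r->prefix)) &&
            (best == NULL || r->prefix > best->prefix))
            best = r;
    }
    return best ? best->gw : NULL;
}

int main(void) {
    const char *target = "10.1.3.9";
    printf("interface shortcut says on-link: %d (so the scanner ARPs for %s)\n",
           onlink_shortcut(target, "10.1.0.15", 20), target);
    printf("routing table says next hop: %s\n", lookup(target));
    return 0;
}
```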