Nmap Development mailing list archives
Re: Nmap bug - Doesn't folow static route
From: David Fifield <david () bamsoftware com>
Date: Thu, 11 Mar 2010 13:11:21 -0700
On Fri, Feb 26, 2010 at 12:09:09PM -0700, David Fifield wrote:
On Fri, Dec 18, 2009 at 12:59:06PM +0200, Ninel Piroi wrote:I use Nmap frequently at home and at work, before being useful in many situations and I want to thank you for this sweet product. Recently I discovered that when using static routes to subnet, Nmap does not follow the route, but looking directly into local broadcast (ARP) Ex: [Nmap Host] <-10.1.0.0/20-> [GW1] <-192.168.1.0/24-> [GW2] <-10.1.3.0/24-> [Target Host] [Nmap Host] IP : 10.1.0.15/20 GW1: 10.1.0.1 Static Route: 10.1.3.0/24 gw 10.1.0.1 [Target Host] IP: 10.1.3.9/24 GW2: 10.1.3.1nmap --packet-trace -sS 10.1.3.9Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-18 08:41 GTB Standard Time SENT (0.6720s) ARP who-has 10.1.3.9 tell 10.1.0.15 SENT (0.7820s) ARP who-has 10.1.3.9 tell 10.1.0.15 Note: Host seems down. If it is really up, but blocking our ping probes, try -PN Nmap done: 1 IP address (0 hosts up) scanned in 0.91 secondsnmap --iflistStarting Nmap 5.00 ( http://nmap.org ) at 2009-12-18 08:41 GTB Standard Time ************************INTERFACES************************ DEV (SHORT) IP/MASK TYPE UP MAC eth0 (eth0) 10.1.0.15/20 ethernet up 00:1A:DC:3E:34:AC lo0 (lo0) 127.0.0.1/8 loopback up DEV WINDEVICE eth0 \Device\NPF_{00744106-FFB1-473B-AED9-3CD94673D5AA} lo0 <none> <none> \Device\NPF_GenericDialupAdapter **************************ROUTES************************** DST/MASK DEV GATEWAY 10.1.0.15/32 lo0 127.0.0.1 10.255.255.255/32 eth0 10.1.0.15 255.255.255.255/32 eth0 10.1.0.15 10.1.3.0/0 eth0 10.1.0.1 10.1.0.0/0 eth0 10.1.0.15 127.0.0.0/0 lo0 127.0.0.1 224.0.0.0/0 eth0 10.1.0.15 0.0.0.0/0 eth0 10.1.0.1You're right. If a target address matches an interface's address and netmask, Nmap doesn't even look at the routing table. Your case has additional complications, like this: 10.1.3.0/0 eth0 10.1.0.1 10.1.0.0/0 eth0 10.1.0.15 Nmap sorts the routes by netmask before matching, so more specific matches will be tried first. But it uses qsort, which is probably not a stable sort, so entries with identical netmasks may have their order changed. I think both of these problems would have to be fixed for Nmap to work in your environment.
Those /0 netmasks were a separate bug, fixed in r16968.
If someone wants to work on this, the relevant functions are getsysroutes and route_dst in tcpip.cc.
I've implemented this as of r16970. If you are building from source, please give it a try. Here is the commit message: Before, route_dst worked like this: 1) Check destination address against all interfaces, with special-case handling for local addresses. 2) Check destination address against routing table. Now it works like this: 1) Check destination address against local addresses. 2) Check destination address against routing table. 3) Check destination address against all interfaces. This allows a routing table entry to override an interface, for example in this configuration: ************************INTERFACES************************ DEV (SHORT) IP/MASK TYPE UP MAC eth0 (eth0) 192.168.0.21/24 ethernet up 00:00:00:00:00:00 **************************ROUTES************************** DST/MASK DEV GATEWAY 192.168.0.3/32 eth0 192.168.0.1 192.168.0.0/24 eth0 192.168.0.3 will not be considered directly connected, but will have its traffic routed through 192.168.0.1. The logic for determining when an address is directly connected has changed. Instead of considering an address directly connected whenever it matches an interface netmask, we consider it so when the gateway address is 0.0.0.0 or when the gateway address is exactly equal to the interface address. The proper way to do this would be to look at the "G" flag from the routing table, but libdnet doesn't retain that. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Nmap bug - Doesn't folow static route David Fifield (Feb 26)
- Re: Nmap bug - Doesn't folow static route David Fifield (Mar 11)
- Re: Nmap bug - Doesn't folow static route David Fifield (Mar 11)
- Re: Nmap bug - Doesn't folow static route Jay Fink (Mar 12)
- Re: Nmap bug - Doesn't folow static route David Fifield (Mar 12)
- Re: Nmap bug - Doesn't folow static route jrf (Mar 12)
- Re: Nmap bug - Doesn't folow static route David Fifield (Mar 11)
- Re: Nmap bug - Doesn't folow static route David Fifield (Mar 11)