Re: nmap target selection questions

[David Fifield <david () bamsoftware com>]

On Tue, May 24, 2011 at 02:53:21PM -0700, Dexter Liu wrote:
> Hi nmap-dev:
>
> I'm not sure this if this is the best place to post this (so if there's a 
> better place please point the way!). I'm trying to use nmap to scan a 
> whole bunch of IPs I got from an arp call on Windows. So I'm running 
> something like this:
>
> C:\testing\nmap-5.21-win32\nmap-5.21\nmap.exe -sV -sS -sU -p 
> T:22,T:23,T:80,T:135,T:139,T:445,T:235,T:61616,U:52311 -O --osscan-guess 
> -T 4 -oX nmapoutput 192.168.104.1, 192.168.104.10, 192.168.104.31, 
> 192.168.104.51, 192.168.104.71, 192.168.104.86, 192.168.104.176, 
> 192.168.104.197, 192.168.104.234, 192.168.104.235, 192.168.105.18, 
> 192.168.105.27, 192.168.106.4, 192.168.107.140, 192.168.107.255, 
> 224.0.0.22, 224.0.0.252, 239.255.255.250, 255.255.255.255, 9.0.8.1, 
> 9.0.9.1, 9.6.96.153, 9.6.96.179, 9.7.2.18, 9.7.2.62, 9.8.33.67, 9.8.33.80, 
> 9.9.72.23, 9.12.178.42, 9.13.44.147, 9.13.44.148, 9.17.136.83, 
> 9.17.205.111, 9.17.205.112, 9.17.205.114, 9.17.205.115, 9.17.205.116, 
> 9.18.21.20, 9.18.24.55, 9.18.81.58, 9.18.96.68, 9.18.96.69, 9.23.139.100, 
> 9.23.139.101, 9.25.130.38, 9.44.50.80, 9.44.50.100, 9.44.50.102, 
> 9.44.50.104, 9.44.51.57, 9.45.114.169, 9.45.124.64, 9.51.48.10, 
> 9.51.48.18, 9.51.48.132, 9.56.8.13, 9.56.248.124, 9.56.252.115, 
> 9.56.252.116, 9.56.252.117, 9.56.252.118, 9.63.36.19, 9.63.40.12, 
> 9.65.61.255, 9.177.11.162, 9.177.11.173, 224.0.0.22, 224.0.0.252, 
> 239.255.255.250
>
> nmap fails when at 244.0.0.22 with this error message: nexthost: Failed to 
> determine dst MAC address for target 224.0.0.22 QUITTING!
>
> I have a couple of questions:
>
> -First is there a switch or option that lets me continue scanning the rest 
> of the IPs even though nmap fails on a particular IP? If 244.0.0.22 was 
> the first target I specified, I would have errored out at the beginning 
> and gotten zero results

No. Ideally we would detect this as early in the scan as possible, so
you could at least remove those addresses right away and now have to
wait for a half-finished scan.

> -Second if I specify specific network interfaces with -e (specifically 
> lo0), 244.0.0.22 scans as well, but other IPs fail. Is there a way I can 
> specify a pool of network interfaces nmap should use when doing scanning, 
> so that if one interface fails it can try again on another?

No, sorry again. Currently the best you can do is split targets into
groups and run them in separate scans, with a different interface for
each. I don't think that a pool of interfaces is really what you want
here, though. If Nmap can't find the proper interface it would still
have trouble.

> -Also I thought nmap was supposed to automatically figure out interfaces 
> to run the scan on. It seems to work the large majority of the time. Why 
> did I have to -e for some of them to get results? What are different about 
> those IPs?

This likely depends on your specific routing table. Please send me the
output of
        nmap --iflist
Also, please try the latest version (5.51SVN) from
http://nmap.org/download.html#windows and see if the problem has already
been solved.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/