Re: ARP scan on Mac OS, only the gateway MAC is shown

[David Fifield <david () bamsoftware com>]

On Wed, Aug 24, 2011 at 11:36:01AM +0100, Giuliano wrote:
> Hi Guys,
>
>   I'm on Mac OS (Lion 10.7.1), trying to get a list of live MAC
> addresses on the connected network segment... nmap is being run as
> root, across wireless.
> When I probe the default gateway, everything looks fine:
>
> # ./nmap-5.51/nmap -e en1 --send-eth -sP -PR 10.0.0.1
> Host is up (0.0017s latency).
> MAC Address: 00:64:DE:AD:BE:EF (Cisco Systems)
>
> When I try to do the same on another host:
>
> # ./nmap-5.51/nmap -e en1 --send-eth -sP -PR 10.0.0.234
> Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
>
> Turning on verbose/debug reveals that nmap isn't even attempting to do
> ARP, as if host .234 was on another ethernet segment. But --iflist
> shows:
>
> ************************INTERFACES************************
> DEV (SHORT) IP/MASK TYPE UP MTU MAC
> lo0 (lo0) 127.0.0.1/8 loopback up 16384
> en1 (en1) 10.0.0.36/24 ethernet up 1500 xx:xx:xx:xx:xx:xx
> **************************ROUTES**************************
> [..a bunch of routes..]
> 127.0.0.0/8 lo0 127.0.0.1
> 0.0.0.0/0 en1 10.0.0.1
>
> If I change the -PR in -PE, the host reports as UP but I'm still
> seeing no ARP going on... A single ICMP packet is sent to the default
> gateway, using the gateway's MAC. A response is received, with the
> target host's MAC as source.
> I tried different nmap versions, with/without the builtin libcap, as
> root or as a normal user, etc. Needless to say, on Linux I've got no
> issues whatsoever.
> How nmap could possibly get confused about what networks are connected?

Perhaps it's one of the routes in [..a bunch of routes..] above? It's
possible for a route to override the address/netmask of an interface.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/