Nmap Development mailing list archives
Re: NMAP and MAC Addresses
From: Fyodor <fyodor () insecure org>
Date: Fri, 23 Jul 2004 12:51:35 -0700
On Fri, Jul 23, 2004 at 02:35:13PM -0500, Alan Jones wrote:
> This is NMAP 3.55 on Windows 2000. I know you can't get a MAC address when crossing routers etc., but it had been my understanding that you could get the MAC address for others.

It is *almost* supported on Windows. Nmap does obtain the MAC address
from winpcap (tested on my machine). Then it calls
IPisDirectlyConnected() to determine whether the target seems to be on
the same LAN. Nmap uses the routing table on UNIX machines to do
this, but I don't know how to do so on Windows. Here is the function:

/* Check whether an IP address appears to be directly connected to an
   interface on the computer (e.g. on the same ethernet network rather
   than having to route). Returns 1 if yes, -1 if maybe, 0 if not. Windows
   machines always return -1, because nobody has written a windows version.
   Any volunteers? */
int IPisDirectlyConnected(struct sockaddr_storage *ss, size_t ss_len) {
#if WIN32
  return -1;
#else
  struct interface_info *interfaces;
  int numinterfaces;
  int i;
  struct sockaddr_in *sin = (struct sockaddr_in *) ss;

  if (sin->sin_family != AF_INET)
    fatal("IPisDirectlyConnected passed a non IPv4 address");

  interfaces = getinterfaces(&numinterfaces);

  for(i=0; i < numinterfaces; i++) {
    if ((interfaces[i].addr.s_addr & interfaces[i].netmask.s_addr) ==
        (sin->sin_addr.s_addr & interfaces[i].netmask.s_addr))
      return 1;
  }
  return 0;
#endif /* !WIN32 */
}

As you can see, it just returns -1 for Windows. If someone writes a
working Windows implementation in that space instead, I would be happy
to incorporate it. Any volunteers?
Barring that (preferable) solution, you can find these lines in tcpip.cc:

    if (IPisDirectlyConnected(&ss, sslen) == 1) {
      /* Yay! This MAC address seems valid */
      target->setMACAddress(linkhdr->header + 6);
      return 0;
    }

Remove the "== 1" from that first line, recompile, and the MAC
addresses (including vendor lookup) should work on Windows. But they
will ALWAYS be shown -- you will get the first-hop router MAC when
scanning routed hosts.
Cheers,
Fyodor
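
Added example, not part of the message above and not Nmap source: a stand-alone C sketch of the masked subnet comparison from the UNIX branch, next to the strict ("== 1") and loosened forms of the tcpip.cc check. The names iface, sample_ifaces, directly_connected, mac_accepted_strict and mac_accepted_loose are hypothetical, the interface table and targets are constructed, and returning -1 for an empty table stands in for the Windows stub.

```c
/* Added example, not Nmap source; interface table and targets are constructed. */
#include <arpa/inet.h>
#include <stdio.h>
#include <sys/socket.h>

struct iface { const char *name, *addr, *mask; };  /* hypothetical type */

/* Constructed sample table: one Ethernet interface plus loopback. */
static const struct iface sample_ifaces[] = {
  { "eth0", "192.168.1.10", "255.255.255.0" },
  { "lo",   "127.0.0.1",    "255.0.0.0" },
};
#define NUM_IFACES (sizeof(sample_ifaces) / sizeof(sample_ifaces[0]))

/* Same masked comparison as the UNIX branch in the message. Returns 1 if the
   target shares a subnet with an interface, 0 if not, and -1 ("maybe") when
   there is no table to consult or the target does not parse. */
int directly_connected(const char *target, const struct iface *ifs, size_t n) {
  struct in_addr t, a, m;
  size_t i;
  if (n == 0 || inet_pton(AF_INET, target, &t) != 1)
    return -1;
  for (i = 0; i < n; i++) {
    if (inet_pton(AF_INET, ifs[i].addr, &a) != 1 ||
        inet_pton(AF_INET, ifs[i].mask, &m) != 1)
      continue;  /* skip malformed entries */
    if ((a.s_addr & m.s_addr) == (t.s_addr & m.s_addr))
      return 1;
  }
  return 0;
}

/* The check as written in tcpip.cc: only a definite 1 accepts the MAC. */
int mac_accepted_strict(int rc) { return rc == 1; }

/* With "== 1" removed: -1 is nonzero, so "maybe" is accepted as well. */
int mac_accepted_loose(int rc) { return rc != 0; }

int main(void) {
  const char *targets[] = { "192.168.1.77", "10.20.30.40" };
  for (int i = 0; i < 2; i++) {
    int with_table = directly_connected(targets[i], sample_ifaces, NUM_IFACES);
    int no_table = directly_connected(targets[i], NULL, 0);
    printf("%-13s table=%2d no-table=%2d strict=%d loose=%d\n", targets[i],
           with_table, no_table, mac_accepted_strict(no_table),
           mac_accepted_loose(no_table));
  }
  return 0;
}
```

With no table available every target yields -1, so the loosened check accepts the frame's source MAC for the routed 10.20.30.40 target too, which is the first-hop router's address rather than the host's.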
