RE: MAC replies

["Alex R" <alex () deviousmeans net>]

It would only work for LAN port scans. When a frame hits a router the router
strips off the Ethernet frame and then adds its own Ethernet frame matching
the MAC address. So when you get a frame back its source MAC address is from
your router. Nmap only shows MAC addresses of computers on your network
segment.

-----Original Message-----
From: mark () lachniet com [mailto:mark () lachniet com] 
Sent: Tuesday, October 19, 2004 3:57 PM
To: Adam Jacob Muller
Cc: nmap-dev () insecure org
Subject: Re: MAC replies

In a strange (but probably RARE on a LAN) case, you could have a firewall
or other device proxy-arp'ing for its NAT service or some kind of proxy,
when in fact the host on the other side of the device is actually down. 
So that would be a false positive.  I could see this happening if you were
portscanning, say, a DMZ from an inside network, or vice versa.

This isn't a particularly important hole in your theory, though, since
what you are describing would work pretty well for a LAN portscan in most
cases.

Mark Lachniet


> Now that nmap has the ability to log MAC addresses does it use the fact
> that it got an arp reply to establish that the host is in fact up, my
> idea here basically is that an ARP reply is basically the only sure way
> to determine if a host is up or not, if you don't get one, then that
> host must be down, if you do in 99.99% of cases it is up (feel free to
> correct me), so does, or should nmap use a positive ARP reply to say
> that the host is up?
> On top of that, ARP replies are also much faster than scanning all
> ports on closed hosts (-P0).
>
>
>
> Adam
>
>
> Where is it written in the Constitution, in what article or section is
> it contained, that you may take children from their parents and parents
> from their children, and compel them to fight the battles of any war in
> which the folly and wickedness of the government may engage itself?
> Under what concealment has this power lain hidden, which now for the
> first time comes forth, with a tremendous and baleful aspect, to
> trample down and destroy the dearest right of personal liberty? Who
> will show me any Constitutional injunction which makes it the duty of
> the American people to surrender everything valuable in life, and even
> life, itself, whenever the purposes of an ambitious and mischievous
> government may require it? . . . A free government with an uncontrolled
> power of military conscription is the most ridiculous and abominable
> contradiction and nonsense that ever entered into the heads of men.
> -Daniel Webster
>
>
> ---------------------------------------------------------------------
> For help using this (nmap-dev) mailing list, send a blank email to
> nmap-dev-help () insecure org . List archive: http://seclists.org


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org





---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org