Nmap Development mailing list archives

Re: nmap vs multiple IP address on one NIC


From: David Fifield <david () bamsoftware com>
Date: Mon, 19 Nov 2007 23:25:06 -0700

On Wed, Oct 31, 2007 at 09:41:27AM +0300, preacherandrew () mail ru wrote:
> On Tue, Oct 23, 2007, Fyodor wrote:
> > On Fri, Oct 19, 2007 at 04:36:45PM +0400, preacherandrew () mail ru wrote:
> > > Hi, Fyodor.
> > >
> > > My config:
> > > Windows 2000; one NIC; in TCP/IP properties set multiple IP addresses
> >
> > Hi Andrew.  Thanks for your report.  Maybe we need to move the
> > entry->intf_len assignment.  Would you please email your report to
> > nmap-dev () insecure org so that more people have a chance to look at it?
> >
> > Thanks,
> > -F
>
> Hi Fyodor. I have sent my report to nmap-dev () insecure org. But maybe the
> problem is wider. I tried to fix the problem by moving
>     memset(entry, 0, sizeof(*entry));
> from the "_ifrow_to_entry" function, and the "set aliases" code fragment is
> executed. But this fix doesn't help in my case ("multiple IP addresses on one
> network card").
> The point is that nmap uses only one of the addresses
> returned by GetIpAddrTable. Because of that nmap's results may be inadequate.
>
> For example:
> host has two IP addresses on one network card -
> 192.168.160.12/24 and 192.168.2.3/24. Default router - 192.168.160.254.
> 1) I run "nmap --iflist".
> 2) GetIpAddrTable returns the addresses in this order: 192.168.2.3,
> 192.168.160.12.
> 3) Nmap takes into account only the first address returned by GetIpAddrTable - 192.168.2.3.
> 4) Then nmap tries to verify the default router using this address
> (192.168.2.3). This results in "WARNING: Unable to find appropriate interface for system
> route to 192.168.160.254" (more precisely, lots of such warnings - for
> almost every entry in "route print"). In reality, the default router is ok - it is
> reachable from the host's other address (192.168.160.12), but nmap doesn't take
> the other address into account.

Thanks for the detailed report. Can you try the attached patch?

I don't know too much about Windows networking. I set up a Windows XP
computer with two IP addresses on different subnets on the same NIC.
This is what nmap --iflist displays with the patch:

Starting Nmap 4.23RC2 ( http://insecure.org ) at 2007-11-19 23:16 Pacific Standard Time
************************INTERFACES************************
DEV  (SHORT) IP/MASK          TYPE     UP MAC
eth0 (eth0)  192.168.1.202/24 ethernet up 00:D0:59:B7:66:0B
eth0 (eth0)  192.168.0.203/24 ethernet up 00:D0:59:B7:66:0B
lo0  (lo0)   127.0.0.1/8      loopback up

DEV  WINDEVICE
eth0 \Device\NPF_{FBA5E85C-7959-4351-8D7A-09F319B090A7}
lo0  \Device\NPF_GenericDialupAdapter

**************************ROUTES**************************
DST/MASK           DEV  GATEWAY
192.168.1.255/32   eth0 192.168.1.202
192.168.1.202/32   lo0  127.0.0.1
192.168.0.203/32   lo0  127.0.0.1
192.168.0.255/32   eth0 192.168.0.203
255.255.255.255/32 eth0 192.168.1.202
192.168.1.0/0      eth0 192.168.1.202
192.168.0.0/0      eth0 192.168.0.203
127.0.0.0/0        lo0  127.0.0.1
224.0.0.0/0        eth0 192.168.1.202
0.0.0.0/0          eth0 192.168.0.1

Is it weird to have both interfaces called "eth0" even though one is an
alias of the other? This matches what happens on Linux except that Linux
provides suffixed names like eth0:1. Anyway this patch makes port scans
on either subnet work for me.

Gianluca, can you try this patch too? There's a slight chance that it
will have an effect on the problem you've observed in
http://seclists.org/nmap-dev/2007/q4/0290.html.

David Fifield

Attachment: intf-win.diff
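The failure mode Andrew describes above (gateway verification that compares the route against only the first address GetIpAddrTable returned for a NIC) and the behaviour David reports after the patch (scans on either subnet work) can be shown side by side with a small model. The following is an added example written for this archive page; it is not nmap's code, not the attached intf-win.diff, and not the bundled libdnet code that the report's `_ifrow_to_entry` belongs to. The `struct iface` layout, the function names `find_iface_first_alias_only` and `find_iface_any_alias`, and the "gateway is on the same subnet as one of the interface's aliases" matching rule are all assumptions made for illustration; the interface table is constructed from the addresses quoted in the report.

```c
#include <stdio.h>
#include <stdint.h>

/* Added example, not nmap code.  One NIC ("eth0") carries two IPv4 aliases,
 * and the OS reports 192.168.2.3 before 192.168.160.12, exactly the ordering
 * the report above attributes to GetIpAddrTable.  Everything below (struct
 * layout, function names, matching rule) is an assumption for illustration. */

#define MAX_ALIASES 4
#define EXAMPLE_NIFS 2

struct iface {
    const char *dev;
    int naliases;
    uint32_t addr[MAX_ALIASES];   /* host byte order, in the order the OS returned them */
    int      bits[MAX_ALIASES];   /* prefix length of each alias */
};

/* Parse dotted-quad text into a host-order uint32_t; returns 0 on bad input. */
static uint32_t ip4(const char *s) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Netmask for a /bits prefix; the 0 and 32 cases avoid an undefined shift. */
static uint32_t prefix_mask(int bits) {
    if (bits <= 0) return 0u;
    if (bits >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - bits);
}

static int same_subnet(uint32_t a, uint32_t b, int bits) {
    uint32_t m = prefix_mask(bits);
    return (a & m) == (b & m);
}

/* The behaviour the report describes: only alias 0 of each interface is ever
 * compared against the gateway.  Returns the interface index or -1. */
static int find_iface_first_alias_only(const struct iface *ifs, int n, uint32_t gw) {
    for (int i = 0; i < n; i++) {
        if (ifs[i].naliases > 0 && same_subnet(gw, ifs[i].addr[0], ifs[i].bits[0]))
            return i;
    }
    return -1;
}

/* Corrected behaviour: every alias of every interface is a candidate.  On
 * success *alias_out receives which alias matched, i.e. the source address
 * that actually reaches the gateway. */
static int find_iface_any_alias(const struct iface *ifs, int n, uint32_t gw, int *alias_out) {
    for (int i = 0; i < n; i++) {
        for (int j = 0; j < ifs[i].naliases; j++) {
            if (same_subnet(gw, ifs[i].addr[j], ifs[i].bits[j])) {
                if (alias_out) *alias_out = j;
                return i;
            }
        }
    }
    return -1;
}

/* Constructed sample: the configuration quoted in Andrew's report. */
static int load_example(struct iface *ifs) {
    ifs[0].dev = "eth0"; ifs[0].naliases = 2;
    ifs[0].addr[0] = ip4("192.168.2.3");    ifs[0].bits[0] = 24;  /* returned first */
    ifs[0].addr[1] = ip4("192.168.160.12"); ifs[0].bits[1] = 24;  /* returned second */
    ifs[1].dev = "lo0";  ifs[1].naliases = 1;
    ifs[1].addr[0] = ip4("127.0.0.1");      ifs[1].bits[0] = 8;
    return EXAMPLE_NIFS;
}

int main(void) {
    struct iface ifs[EXAMPLE_NIFS];
    int n = load_example(ifs);
    uint32_t gw = ip4("192.168.160.254");     /* default router from the report */
    int alias = -1;
    int buggy = find_iface_first_alias_only(ifs, n, gw);
    int fixed = find_iface_any_alias(ifs, n, gw, &alias);

    if (buggy < 0)
        printf("first alias only: no interface reaches 192.168.160.254 (the reported WARNING)\n");
    if (fixed >= 0)
        printf("any alias: route via %s using alias #%d\n", ifs[fixed].dev, alias);
    return 0;
}
```

With the first-alias-only rule the default router is unreachable from 192.168.2.3/24 and the lookup fails, which is the warning Andrew saw; checking every alias finds 192.168.160.12/24 on the same NIC. The same pattern applies to any multi-homed interface: whatever structure an enumerator produces, route selection has to iterate over all addresses attached to a device, not only the one the OS happened to list first.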

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org