Re: nmap

[David Fifield <david () bamsoftware com>]

On Tue, Jun 23, 2009 at 09:12:42AM -0400, William Gruitza wrote:
> > On Mon, Jun 22, 2009 at 02:07:33PM -0400, William Gruitza wrote:
> > > I issued the command "nmap -sS -PN -e eth17 -S 192.168.1.1 10.10.10.1"
> > > and this is the output:
> > >
> > > "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-22 13:47 Eastern
> > > Daylight Time
> > > Nmap done: 1 IP address (0 hosts up) scanned in 0.70 seconds"
> > >
> > > I don't see any packets being generated from the scan in wireshark. I'm
> trying
> > > to change the source IP address to test whether or not the IDS is logging
> > > packets received on an interface with the source address of another
> interface.
> > > I don't know where I' missing something. Any feedback would be appreciated.
> >
> > Add the --send-ip option to disable ARP ping scan. Try adding the
> > --packet-trace option to see what packets are being sent.
> >
> > When you spoof the source address you won't see any Nmap results. That's
> > because response packets are sent to 192.168.1.1, not back to the host
> > running Nmap. See
> > http://nmap.org/book/man-bypass-firewalls-ids.html
> >
> > It may be that something else on the network is filtering out these
> > bogus packets before Wireshark or the IDS can see them.
> > Even though you won't see Nmap results, you can do a full port scan with
> > the following command. It will send enough packets to the IDS for
> > testing.
>
> I added the --send-ip option and nmap returns:
>  
> "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-23 09:05 Eastern
> Daylight Time
> WARNING: raw IP (rather than raw ethernet) packet sending attempted on Windows.
> This probably won't work.  Consider --send-eth next time."

I'm sorry, I forgot that --send-ip won't work on Windows. Try
--unprivileged. The idea is to disable ARP ping scan. The problem, I
think, is that while 10.10.10.1 is directly connected, it's not
connected to the interface you've chosen. Nmap should probably disable
ARP ping automatically in that case.

> Next, I removed the --send-ip option and added --send-eth and nmap returns:
>  
> "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-23 09:06 Eastern
> Daylight Time
> Nmap done: 1 IP address (0 hosts up) scanned in 3.38 seconds
> Failed to resolve given hostname/IP: eth17.  Note that you can't use '/mask'
> AND '1-4,7,100-' style IP ranges"
>  
> I don't think it's possible to change the source IP address in windows since
> raw ip is not supported. Maybe the solution is to run nmap from linux or just
> use a tool such as hping.

Yes, it's possible to change the source address, but this is a special
case. See if the --unprivileged option works. The error you got above
means that you made a syntax error in the command line. Make sure that
eth17 directly follows -e.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org