Nmap Development mailing list archives
Re: nmap
From: David Fifield <david () bamsoftware com>
Date: Tue, 30 Jun 2009 13:38:09 -0600
On Tue, Jun 23, 2009 at 09:12:42AM -0400, William Gruitza wrote:
> > On Mon, Jun 22, 2009 at 02:07:33PM -0400, William Gruitza wrote:
> > > I issued the command "nmap -sS -PN -e eth17 -S 192.168.1.1 10.10.10.1"
> > > and this is the output:
> > >
> > > "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-22 13:47 Eastern Daylight Time
> > > Nmap done: 1 IP address (0 hosts up) scanned in 0.70 seconds"
> > >
> > > I don't see any packets being generated from the scan in wireshark.
> > > I'm trying to change the source IP address to test whether or not the
> > > IDS is logging packets received on an interface with the source
> > > address of another interface. I don't know where I'm missing
> > > something. Any feedback would be appreciated.
> >
> > Add the --send-ip option to disable ARP ping scan. Try adding the
> > --packet-trace option to see what packets are being sent.
> >
> > When you spoof the source address you won't see any Nmap results.
> > That's because response packets are sent to 192.168.1.1, not back to
> > the host running Nmap. See
> > http://nmap.org/book/man-bypass-firewalls-ids.html
> >
> > It may be that something else on the network is filtering out these
> > bogus packets before Wireshark or the IDS can see them.
> >
> > Even though you won't see Nmap results, you can do a full port scan
> > with the following command. It will send enough packets to the IDS
> > for testing.
>
> I added the --send-ip option and nmap returns:
>
> "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-23 09:05 Eastern Daylight Time
> WARNING: raw IP (rather than raw ethernet) packet sending attempted on Windows. This probably won't work. Consider --send-eth next time."

I'm sorry, I forgot that --send-ip won't work on Windows. Try --unprivileged. The idea is to disable ARP ping scan. The problem, I think, is that while 10.10.10.1 is directly connected, it's not connected to the interface you've chosen. Nmap should probably disable ARP ping automatically in that case.

> Next, I removed the --send-ip option and added --send-eth and nmap
> returns:
>
> "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-23 09:06 Eastern Daylight Time
> Nmap done: 1 IP address (0 hosts up) scanned in 3.38 seconds
> Failed to resolve given hostname/IP: eth17. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges"
>
> I don't think it's possible to change the source IP address in windows
> since raw ip is not supported. Maybe the solution is to run nmap from
> linux or just use a tool such as hping.

Yes, it's possible to change the source address, but this is a special case. See if the --unprivileged option works. The error you got above means that you made a syntax error in the command line. Make sure that eth17 directly follows -e.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
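
The condition the IDS test in this thread is meant to exercise, a packet arriving on one interface with a source address that belongs to another interface's subnet, written as a detection check (an added example, not part of the original thread or of Nmap). The interface name eth16, both prefix lengths and the sample records are assumptions made up for the illustration; eth17 and the two addresses come from the thread.

```python
import ipaddress

# Assumed layout: eth17 is named in the thread; eth16 and both prefix
# lengths are made up for this example.
INTERFACES = {
    "eth16": ipaddress.ip_network("192.168.1.0/24"),
    "eth17": ipaddress.ip_network("10.10.10.0/24"),
}

def owning_interface(addr):
    """Return the interface whose directly connected subnet contains addr."""
    ip = ipaddress.ip_address(addr)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return None

def check_ingress(iface, src):
    """Classify a packet by comparing its source subnet to its ingress interface."""
    if iface not in INTERFACES:
        raise ValueError(f"unknown interface: {iface}")
    owner = owning_interface(src)
    if owner is None:
        return "routed"  # not a local subnet; would need a routing-table check
    if owner == iface:
        return "ok"
    return f"spoof-suspect: {src} belongs to {owner}, seen on {iface}"

# Constructed capture records: (ingress interface, source, destination).
SAMPLE = [
    ("eth17", "192.168.1.1", "10.10.10.1"),   # the spoofed-source scan from the thread
    ("eth17", "10.10.10.7", "10.10.10.1"),    # legitimate neighbour on eth17
    ("eth16", "192.168.1.20", "192.168.1.1"), # legitimate neighbour on eth16
    ("eth17", "203.0.113.9", "10.10.10.1"),   # remote source, not directly connected
]

def alerts(records):
    """Return the records an IDS applying this rule should log."""
    out = []
    for iface, src, dst in records:
        verdict = check_ingress(iface, src)
        if verdict.startswith("spoof-suspect"):
            out.append((iface, src, dst, verdict))
    return out

if __name__ == "__main__":
    for alert in alerts(SAMPLE):
        print(alert)
```

If the IDS logs nothing for the first record during the test, either the rule is missing or, as the reply above suggests, the packets never reached the sensor.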