Nmap Development mailing list archives

Re: trouble with ping version 0.1BETA2


From: David Fifield <david () bamsoftware com>
Date: Tue, 22 Dec 2009 16:13:02 -0700

On Tue, Nov 24, 2009 at 09:54:09PM +0300, geca wrote:
Hello,
I installed nping version 0.1BETA2 for Mac OS.
I tried to spoof the IP address, but the option --source-ip doesn't work.
My network settings:
ifconfig en1
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      inet6 fe80::21e:c2ff:fea6:6a85%en1 prefixlen 64 scopeid 0x4
      inet 10.71.0.100 netmask 0xfffff800 broadcast 10.71.7.255
      ether 00:1e:c2:a6:6a:85
      media: autoselect status: active
      supported media: autoselect

I run nping with these options:
nping --tcp-connect -p 111 --debug -c 1 --source-ip=10.1.1.1 --dest-ip=10.71.0.201

Nping will send packets in unprivileged mode using regular system calls

I watch the tcpdump log on the destination host (10.71.0.201) and I can't see the spoofed IP address.
I see the real IP address.
Is it a bug?

tcpdump -i eth0 -n  port 111 -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:53:18.755522 00:1e:c2:a6:6a:85 > 00:20:ed:60:44:d6, ethertype IPv4 (0x0800), length 78: IP 10.71.0.100.60955 > 10.71.0.201.sunrpc: S 2429334520:2429334520(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 406321374 0,sackOK,eol>
21:53:18.755585 00:20:ed:60:44:d6 > 00:1e:c2:a6:6a:85, ethertype IPv4 (0x0800), length 74: IP 10.71.0.201.sunrpc > 10.71.0.100.60955: S 2655139069:2655139069(0) ack 2429334521 win 5792 <mss 1460,sackOK,timestamp 3934924864 406321374,nop,wscale 2>
21:53:18.756540 00:1e:c2:a6:6a:85 > 00:20:ed:60:44:d6, ethertype IPv4 (0x0800), length 66: IP 10.71.0.100.60955 > 10.71.0.201.sunrpc: . ack 1 win 65535 <nop,nop,timestamp 406321374 3934924864>
21:53:18.759123 00:1e:c2:a6:6a:85 > 00:20:ed:60:44:d6, ethertype IPv4 (0x0800), length 66: IP 10.71.0.100.60955 > 10.71.0.201.sunrpc: F 1:1(0) ack 1 win 65535 <nop,nop,timestamp 406321374 3934924864>
21:53:18.759695 00:20:ed:60:44:d6 > 00:1e:c2:a6:6a:85, ethertype IPv4 (0x0800), length 66: IP 10.71.0.201.sunrpc > 10.71.0.100.60955: F 1:1(0) ack 2 win 1448 <nop,nop,timestamp 3934924868 406321374>
21:53:18.760401 00:1e:c2:a6:6a:85 > 00:20:ed:60:44:d6, ethertype IPv4 (0x0800), length 66: IP 10.71.0.100.60955 > 10.71.0.201.sunrpc: . ack 2 win 65535 <nop,nop,timestamp 406321374 3934924868>

Thanks for your report Evgeniy. It is true that Nping was not setting
the source address for unprivileged TCP and UDP scans. I have just
committed a change to make it do this. However, the operating system
usually won't permit it unless you are using one of your own real
addresses. I get this message now:

# ./nping --tcp-connect --debug -c 1 192.168.0.190 -S 1.2.3.4
Nping will send packets in unprivileged mode using regular system calls

Starting Nping 0.1BETA3 ( http://nmap.org/nping ) at 2009-12-22 16:10 MST
...
NSOCK (0.0350s) Bind to 1.2.3.4 failed (IOD #1) EID 16

It's related to this message in Nmap:

WARNING:  -S will only affect the source address used in a connect()
scan if you specify one of your own addresses.  Use -sS or another raw
scan if you want to completely spoof your source address, but then you
need to know what you're doing to obtain meaningful results.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
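The behaviour David describes, reproduced as an added example that is not Nping's or Nmap's own code: a connect()-mode tool can only honour a requested source address by calling bind() first, and the kernel rejects any address the host does not own, which is the "Bind to 1.2.3.4 failed" seen above; the destination then records whatever local address the kernel chooses for the route. The two addresses used below are constructed (loopback, and 192.0.2.1 from the TEST-NET-1 documentation range).

```python
import errno
import socket


def bind_source(src_ip, family=socket.AF_INET):
    """Attempt the bind() that a connect()-mode tool must perform to honour a
    requested source address. Returns (True, None) if the kernel accepted it,
    otherwise (False, errno name). For an address the host does not own the
    kernel answers EADDRNOTAVAIL: without raw sockets the source cannot be
    anything but one of the host's real addresses."""
    s = socket.socket(family, socket.SOCK_STREAM)
    try:
        s.bind((src_ip, 0))          # port 0: let the kernel pick an ephemeral port
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def source_for_destination(dst_ip, family=socket.AF_INET):
    """Ask the kernel which local address it would use to reach dst_ip.
    connect() on a UDP socket sends nothing; it only resolves the route and
    fixes the local address, which is what the destination's tcpdump shows as
    the real source (10.71.0.100 in the report above) when the requested
    --source-ip is not one of the host's addresses."""
    s = socket.socket(family, socket.SOCK_DGRAM)
    try:
        s.connect((dst_ip, 9))       # port is irrelevant; no datagram is sent
        return s.getsockname()[0]
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed inputs: loopback is always local; 192.0.2.1 (TEST-NET-1)
    # is a documentation address that no real host should own.
    for ip in ("127.0.0.1", "192.0.2.1"):
        ok, err = bind_source(ip)
        print(f"bind({ip}): {'ok' if ok else 'failed: ' + err}")
    print("kernel source toward 127.0.0.1:", source_for_destination("127.0.0.1"))
```

On Linux the non-local bind is refused unless the net.ipv4.ip_nonlocal_bind sysctl has been enabled, and even then the reply would never return to the spoofed address, so the handshake (and any meaningful result) cannot complete in connect() mode.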