Re: nmap target selection questions

[Abuse007 <abuse007 () gmail com>]

Some of the addresses are multicast (e.g. 224.0.0.22) or broadcast (e.g. 255.255.255.255).  For outbound traffic nmap 
may be confused about which interface to use as the egress since it is ambiguous, by using the -e the ambiguity is 
removed. The MAC addresses are based off the IP address so ARP is not used.

For receiving multicast (considering 224.0.0.22) depending on the drivers, the interfaces may have to "subscribe" to 
the mcast otherwise they won't receive traffic destined to those addresses. I don't mean IGMP joins, as these are link 
local mcast addresses.

On 28/05/2011, at 2:45 PM, David Fifield <david () bamsoftware com> wrote:

> On Tue, May 24, 2011 at 02:53:21PM -0700, Dexter Liu wrote:
> > Hi nmap-dev:
> >
> > I'm not sure this if this is the best place to post this (so if there's a 
> > better place please point the way!). I'm trying to use nmap to scan a 
> > whole bunch of IPs I got from an arp call on Windows. So I'm running 
> > something like this:
> >
> > C:\testing\nmap-5.21-win32\nmap-5.21\nmap.exe -sV -sS -sU -p 
> > T:22,T:23,T:80,T:135,T:139,T:445,T:235,T:61616,U:52311 -O --osscan-guess 
> > -T 4 -oX nmapoutput 192.168.104.1, 192.168.104.10, 192.168.104.31, 
> > 192.168.104.51, 192.168.104.71, 192.168.104.86, 192.168.104.176, 
> > 192.168.104.197, 192.168.104.234, 192.168.104.235, 192.168.105.18, 
> > 192.168.105.27, 192.168.106.4, 192.168.107.140, 192.168.107.255, 
> > 224.0.0.22, 224.0.0.252, 239.255.255.250, 255.255.255.255, 9.0.8.1, 
> > 9.0.9.1, 9.6.96.153, 9.6.96.179, 9.7.2.18, 9.7.2.62, 9.8.33.67, 9.8.33.80, 
> > 9.9.72.23, 9.12.178.42, 9.13.44.147, 9.13.44.148, 9.17.136.83, 
> > 9.17.205.111, 9.17.205.112, 9.17.205.114, 9.17.205.115, 9.17.205.116, 
> > 9.18.21.20, 9.18.24.55, 9.18.81.58, 9.18.96.68, 9.18.96.69, 9.23.139.100, 
> > 9.23.139.101, 9.25.130.38, 9.44.50.80, 9.44.50.100, 9.44.50.102, 
> > 9.44.50.104, 9.44.51.57, 9.45.114.169, 9.45.124.64, 9.51.48.10, 
> > 9.51.48.18, 9.51.48.132, 9.56.8.13, 9.56.248.124, 9.56.252.115, 
> > 9.56.252.116, 9.56.252.117, 9.56.252.118, 9.63.36.19, 9.63.40.12, 
> > 9.65.61.255, 9.177.11.162, 9.177.11.173, 224.0.0.22, 224.0.0.252, 
> > 239.255.255.250
> >
> > nmap fails when at 244.0.0.22 with this error message: nexthost: Failed to 
> > determine dst MAC address for target 224.0.0.22 QUITTING!
> >
> > I have a couple of questions:
> >
> > -First is there a switch or option that lets me continue scanning the rest 
> > of the IPs even though nmap fails on a particular IP? If 244.0.0.22 was 
> > the first target I specified, I would have errored out at the beginning 
> > and gotten zero results
>
> No. Ideally we would detect this as early in the scan as possible, so
> you could at least remove those addresses right away and now have to
> wait for a half-finished scan.
>
> > -Second if I specify specific network interfaces with -e (specifically 
> > lo0), 244.0.0.22 scans as well, but other IPs fail. Is there a way I can 
> > specify a pool of network interfaces nmap should use when doing scanning, 
> > so that if one interface fails it can try again on another?
>
> No, sorry again. Currently the best you can do is split targets into
> groups and run them in separate scans, with a different interface for
> each. I don't think that a pool of interfaces is really what you want
> here, though. If Nmap can't find the proper interface it would still
> have trouble.
>
> > -Also I thought nmap was supposed to automatically figure out interfaces 
> > to run the scan on. It seems to work the large majority of the time. Why 
> > did I have to -e for some of them to get results? What are different about 
> > those IPs?
>
> This likely depends on your specific routing table. Please send me the
> output of
>       nmap --iflist
> Also, please try the latest version (5.51SVN) from
> http://nmap.org/download.html#windows and see if the problem has already
> been solved.
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/