Nmap Development mailing list archives
Re: Nmap IPv6 does not obey -e flag
From: David Fifield <david () bamsoftware com>
Date: Tue, 31 May 2011 10:42:52 -0700
On Tue, May 31, 2011 at 12:39:37PM -0500, Daniel Miller wrote:
> Hey list,
>
> I could be wrong in my assumption in the subject line, but I think this is
> what is going on. Essentially, I want to scan a bunch of link-local IPv6
> addresses, generated from MAC addresses on my LAN. I tried this first:
>
> $ sudo nmap -6 -v -oA lan-ipv6-%y%m%d -iL ipv6.hosts
>
> Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-05-31 12:29 CDT
> Initiating Ping Scan at 12:29
> Scanning 16 hosts [2 ports/host]
> Strange error from connect (22):Invalid argument
> Completed Ping Scan at 12:29, 0.00s elapsed (16 total hosts)
> Initiating System DNS resolution of 16 hosts. at 12:29
> Completed System DNS resolution of 16 hosts. at 12:29, 0.00s elapsed
> [... lots of hosts down ...]
> Read data files from: /usr/local/bin/../share/nmap
> Nmap done: 16 IP addresses (0 hosts up) scanned in 0.15 seconds
>
> The "strange error from connect" is EINVAL, which I get trying to ping my
> own link-local address:
>
> $ ping6 fe80::211:2fff:fed3:d902
> connect: Invalid argument
> $ ping6 -I eth0 fe80::211:2fff:fed3:d902
> PING fe80::211:2fff:fed3:d902(fe80::211:2fff:fed3:d902) from fe80::211:2fff:fed3:d902 eth0: 56 data bytes
> 64 bytes from fe80::211:2fff:fed3:d902: icmp_seq=1 ttl=64 time=0.053 ms
> ^C
> --- fe80::211:2fff:fed3:d902 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 0.053/0.053/0.053/0.000 ms
>
> The reason is that sockets with link-local addresses need to be told what
> interface to use. Not sure why, though, since the kernel routing table
> knows which to use:
>
> $ route -n -A inet6
> Kernel IPv6 routing table
> Destination                   Next Hop   Flag Met Ref Use If
> fe80::/64                     ::         U    256 0   0   eth0
> ::/0                          ::         !n   -1  1   79  lo
> ::1/128                       ::         Un   0   1   271 lo
> fe80::211:2fff:fed3:d902/128  ::         Un   0   1   26  lo
> ff00::/8                      ::         U    256 0   0   eth0
> ::/0                          ::         !n   -1  1   79  lo
>
> When ping6 is given the -I flag, strace shows this call:
>
> setsockopt(4, SOL_SOCKET, SO_BINDTODEVICE, "eth0\0", 5) = 0
>
> A check through the Nmap source tree shows that Nping sets this sockopt,
> but nowhere else.
>
> At this point, I'm not ready to take the deep dive into the source that
> would be necessary to figure out where (and if) this should be added to
> Nmap, but I would really like to be able to scan link-local IPv6
> addresses. Perhaps one of the GSoC students would be willing to look into
> it.
I think it works if you append "%eth0" to your addresses. This makes ping6
happy too.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
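Added example, not code from Nmap or from anyone in the thread: it shows the two ways the kernel can learn the outgoing interface for a link-local target that the thread describes (a "%eth0" scope suffix, which getaddrinfo() turns into sin6_scope_id, or SO_BINDTODEVICE as ping6 -I and Nping do), and a small helper that appends the scope suffix to the entries of an -iL host file, which is the workaround David suggests. The interface name eth0, the port number and the sample host list are constructed for illustration; the EINVAL behaviour is the Linux behaviour reported in the thread, and SO_BINDTODEVICE is Linux-specific.

```python
"""Link-local IPv6 targets and interface scope: added example, not Nmap code.

A UDP connect() sends no packets, so it is a cheap way to see whether the
kernel accepts a destination. On Linux an unscoped fe80:: destination on an
unbound socket fails with EINVAL ("Invalid argument", errno 22), which is the
"Strange error from connect" in the thread. Supplying the interface either
as a "%eth0" suffix (scope id) or with SO_BINDTODEVICE makes it succeed.
Interface names and addresses below are constructed for illustration.
"""
import errno
import ipaddress
import socket
from typing import List, Optional


def with_scope(addr: str, iface: str) -> str:
    """Return addr with '%iface' appended if it is an IPv6 link-local
    address (fe80::/10) that does not already carry a scope. Global
    addresses, already-scoped addresses and hostnames pass through
    unchanged, so the function is safe over a mixed host list."""
    host, _, scope = addr.partition("%")
    if scope:                       # e.g. "fe80::1%eth0": leave as is
        return addr
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:              # a hostname, not an address
        return addr
    if ip.version == 6 and ip.is_link_local:
        return f"{host}%{iface}"
    return addr


def scope_host_list(lines: List[str], iface: str) -> List[str]:
    """Rewrite the lines of an `nmap -iL` style host file so that every
    link-local entry names the interface; comments and blank lines are kept."""
    out = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
        else:
            out.append(with_scope(stripped, iface))
    return out


def connect_probe(addr: str, port: int = 80, bind_dev: Optional[str] = None) -> str:
    """Resolve addr numerically (a '%iface' suffix becomes sin6_scope_id),
    optionally bind the socket to an interface with SO_BINDTODEVICE, then
    UDP-connect() to it. Returns 'ok' or the errno name (e.g. 'EINVAL')."""
    try:
        infos = socket.getaddrinfo(addr, port, socket.AF_INET6, socket.SOCK_DGRAM,
                                   0, socket.AI_NUMERICHOST)
    except OSError as e:            # gaierror is a subclass of OSError
        return f"getaddrinfo: {e}"
    sockaddr = infos[0][4]          # (host, port, flowinfo, scope_id)
    s = None
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        if bind_dev is not None:
            # Linux only; this is the call strace showed for `ping6 -I eth0`.
            opt = getattr(socket, "SO_BINDTODEVICE", None)
            if opt is None:
                return "SO_BINDTODEVICE unsupported on this platform"
            s.setsockopt(socket.SOL_SOCKET, opt, bind_dev.encode() + b"\0")
        s.connect(sockaddr)
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e))
    finally:
        if s is not None:
            s.close()


if __name__ == "__main__":
    target = "fe80::211:2fff:fed3:d902"          # address from the thread
    print("unscoped:         ", connect_probe(target))              # EINVAL on Linux
    print("with %eth0:       ", connect_probe(with_scope(target, "eth0")))
    print("SO_BINDTODEVICE:  ", connect_probe(target, bind_dev="eth0"))
    # Constructed host list, as one might feed to `nmap -6 -iL`.
    hosts = ["# LAN targets", "fe80::211:2fff:fed3:d902", "2001:db8::1", ""]
    print("\n".join(scope_host_list(hosts, "eth0")))
```

Running the script on a Linux host that has eth0 reproduces the thread: the unscoped probe reports EINVAL, and both the scoped address and the SO_BINDTODEVICE socket report ok (or a routing error such as ENETUNREACH if the interface has no link-local address). The rewritten host list is what to save and pass to `nmap -6 -iL`, which is the "%eth0" workaround above applied to every entry at once.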
Current thread:
- Nmap IPv6 does not obey -e flag Daniel Miller (May 31)
- Re: Nmap IPv6 does not obey -e flag David Fifield (May 31)
- Re: Nmap IPv6 does not obey -e flag Daniel Miller (May 31)
- Re: Nmap IPv6 does not obey -e flag Luis Martín García (May 31)
- Re: Nmap IPv6 does not obey -e flag David Fifield (May 31)