Nmap Development mailing list archives

Re: Nmap IPv6 does not obey -e flag


From: David Fifield <david () bamsoftware com>
Date: Tue, 31 May 2011 10:42:52 -0700

On Tue, May 31, 2011 at 12:39:37PM -0500, Daniel Miller wrote:
Hey list,

I could be wrong in my assumption in the subject line, but I think
this is what is going on. Essentially, I want to scan a bunch of
link-local IPv6 addresses, generated from MAC addresses on my LAN. I
tried this first:

$ sudo nmap -6 -v -oA lan-ipv6-%y%m%d -iL ipv6.hosts
Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-05-31 12:29 CDT
Initiating Ping Scan at 12:29
Scanning 16 hosts [2 ports/host]
Strange error from connect (22):Invalid argument
Completed Ping Scan at 12:29, 0.00s elapsed (16 total hosts)
Initiating System DNS resolution of 16 hosts. at 12:29
Completed System DNS resolution of 16 hosts. at 12:29, 0.00s elapsed
[... lots of hosts down ...]
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 16 IP addresses (0 hosts up) scanned in 0.15 seconds

The "strange error from connect" is EINVAL, which I get trying to
ping my own link-local address:

$ ping6 fe80::211:2fff:fed3:d902
connect: Invalid argument
$ ping6 -I eth0 fe80::211:2fff:fed3:d902
PING fe80::211:2fff:fed3:d902(fe80::211:2fff:fed3:d902) from fe80::211:2fff:fed3:d902 eth0: 56 data bytes
64 bytes from fe80::211:2fff:fed3:d902: icmp_seq=1 ttl=64 time=0.053 ms
^C
--- fe80::211:2fff:fed3:d902 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.053/0.053/0.053/0.000 ms

The reason is that sockets with link-local addresses need to be told
what interface to use. Not sure why, though, since the kernel
routing table knows which to use:

$ route -n -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
fe80::/64                      ::                         U    256 0   0   eth0
::/0                           ::                         !n   -1  1   79  lo
::1/128                        ::                         Un   0   1   271 lo
fe80::211:2fff:fed3:d902/128   ::                         Un   0   1   26  lo
ff00::/8                       ::                         U    256 0   0   eth0
::/0                           ::                         !n   -1  1   79  lo

When ping6 is given the -I flag, strace shows this call:

setsockopt(4, SOL_SOCKET, SO_BINDTODEVICE, "eth0\0", 5) = 0

A check through the Nmap source tree shows that Nping sets this
sockopt, but nowhere else. At this point, I'm not ready to take the
deep dive into the source that would be necessary to figure out
where (and if) this should be added to Nmap, but I would really like
to be able to scan link-local IPv6 addresses. Perhaps one of the
GSoC students would be willing to look into it.

I think it works if you append "%eth0" to your addresses. This makes
ping6 happy too.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
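As an added illustration of the "%eth0" fix suggested above (example code, not from this thread or from Nmap): a small Python helper that rewrites an -iL style host list so only the link-local (fe80::/10) entries get a zone suffix, and then shows the sin6_scope_id that getaddrinfo derives from that suffix. The interface name eth0 and the sample host list are constructed assumptions.

```python
import ipaddress
import socket

# Constructed sample host list in the style of the ipv6.hosts file from the
# post: two link-local entries, one global address, loopback, and a comment.
SAMPLE_HOSTS = """\
fe80::211:2fff:fed3:d902
fe80::1
2001:db8::10
::1
# comment lines are skipped
"""


def needs_zone(addr):
    """True if addr is a link-local IPv6 address (fe80::/10). The kernel has
    no way to pick the outgoing interface for these without a zone/scope."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    return ip.version == 6 and ip.is_link_local


def add_zone(addr, ifname):
    """Append "%ifname" to a link-local address that has no zone yet; leave
    every other address, and addresses that already carry a zone, unchanged."""
    if "%" in addr or not needs_zone(addr):
        return addr
    return "%s%%%s" % (addr, ifname)


def rewrite_host_list(text, ifname):
    """Return the host list with zones added, blank and comment lines dropped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(add_zone(line, ifname))
    return out


def scope_id_of(addr):
    """Resolve addr numerically and return sin6_scope_id from the sockaddr
    tuple (host, port, flowinfo, scope_id). None if the interface named in
    the zone does not exist on this machine (getaddrinfo then fails)."""
    try:
        res = socket.getaddrinfo(addr, None, socket.AF_INET6, socket.SOCK_DGRAM,
                                 0, socket.AI_NUMERICHOST)
    except socket.gaierror:
        return None
    return res[0][4][3]


if __name__ == "__main__":
    for host in rewrite_host_list(SAMPLE_HOSTS, "eth0"):
        print(host, "-> scope_id:", scope_id_of(host))
```

A zone-less link-local entry resolves with scope_id 0, which is the sockaddr the kernel rejects with EINVAL; the "%eth0" form resolves to that interface's index when it exists.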