Nmap Development mailing list archives

Re: OSX & FreeBSD ARP scan problem


From: David Fifield <david () bamsoftware com>
Date: Sun, 1 Jan 2012 22:08:51 -0800

On Mon, Dec 12, 2011 at 02:48:04PM -0500, Jon Schipp wrote:
I apologize if this mail message is not appropriate for this list.

Are there known issues when doing ARP based host discovery from FreeBSD
and/or OSX systems?

When I'm scanning my local network (targets on the same segment), on Linux, nmap
defaults to the ARP scan like normal for determining whether a host is
alive.
However, when I use FreeBSD or OSX 10.6 (only hosts I've tried) on the same
network, it skips the ARP scan and jumps into the normal Ping scan.

When I specify -PR for host discovery Nmap immediately reports that all
hosts are down without sending out any traffic.

I've verified all output with --reason, --packet-trace, and with tcpdump.

FYI: Both systems have multiple NICs. I've tried setting the NIC with -e
<interface> and it still does the same thing.

I'm using 5.51 on FreeBSD and on OSX.

I was just curious as to whether this was some BSD-"like" implementation issue
or maybe I'm just doin' it wrong.

No, there isn't anything special about BSD in this regard. Try
        nmap --iflist
to see what Nmap's idea of your routing table is.

You can also try this:
        nmap --route-dst x.x.x.x
to see if Nmap thinks x.x.x.x is on the same subnet or not. For example,
        nmap --route-dst 192.168.0.1
        192.168.0.1
        br0 br0 srcaddr 192.168.0.21 direct

        nmap --route-dst scanme.nmap.org
        74.207.244.221
        br0 br0 srcaddr 192.168.0.21 nexthop 192.168.0.1

The "direct" in the first one shows that Nmap can use ARP scan for it.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
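To make David's "direct" versus "nexthop" distinction concrete, here is an added example (not Nmap's code and not from either poster) that parses the two-line output of nmap --route-dst in the format quoted above, reports whether an ARP-based host discovery is possible for that target, and reproduces the same decision from a small routing table with a longest-prefix-match lookup. The sample outputs are constructed from the reply's format; the interface br0 with 192.168.0.21/24 and the default route via 192.168.0.1 are assumptions modelled on that sample, as is the no-route case.

```python
"""Parse `nmap --route-dst` output and reproduce its direct/nexthop decision.

Added example for this thread; not part of Nmap. Sample outputs are
constructed from the format shown in the reply; the interface and route
table are assumptions modelled on that sample.
"""
import ipaddress

# Constructed samples, in the two-line format `nmap --route-dst` prints.
SAMPLE_DIRECT = "192.168.0.1\nbr0 br0 srcaddr 192.168.0.21 direct\n"
SAMPLE_NEXTHOP = "74.207.244.221\nbr0 br0 srcaddr 192.168.0.21 nexthop 192.168.0.1\n"


def parse_route_dst(output):
    """Return a dict describing the route printed by `nmap --route-dst`.

    Line 1 is the resolved target address; line 2 is either
    '<iface> <devname> srcaddr <ip> direct' or
    '<iface> <devname> srcaddr <ip> nexthop <gateway>'.
    """
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    if len(lines) < 2:
        raise ValueError("expected a target line and a route line")
    fields = lines[1].split()
    if len(fields) < 5 or fields[2] != "srcaddr":
        raise ValueError("unrecognised route line: %r" % lines[1])
    route = {
        "target": ipaddress.ip_address(lines[0]),
        "iface": fields[0],
        "srcaddr": ipaddress.ip_address(fields[3]),
        "direct": fields[4] == "direct",
        "nexthop": None,
    }
    if fields[4] == "nexthop":
        if len(fields) < 6:
            raise ValueError("nexthop without a gateway: %r" % lines[1])
        route["nexthop"] = ipaddress.ip_address(fields[5])
    elif fields[4] != "direct":
        raise ValueError("unknown route kind: %r" % fields[4])
    return route


def arp_scan_possible(route):
    """ARP ping only works for targets Nmap reaches directly on the link."""
    return route["direct"]


# Assumed interface and routing table, modelled on the sample output above.
INTERFACES = {"br0": ipaddress.ip_interface("192.168.0.21/24")}
# (destination network, gateway or None when on-link, outgoing interface)
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), None, "br0"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.0.1"), "br0"),
]


def lookup_route(target, routes=ROUTES, interfaces=INTERFACES):
    """Longest-prefix match over `routes`, returned in parse_route_dst's shape.

    An on-link route (no gateway) is what --route-dst reports as 'direct';
    anything reached through a gateway is 'nexthop'. With no matching route
    at all there is nothing to report, which is returned as None.
    """
    target = ipaddress.ip_address(target)
    best = None
    for net, gw, iface in routes:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    return {
        "target": target,
        "iface": iface,
        "srcaddr": interfaces[iface].ip,
        "direct": gw is None,
        "nexthop": gw,
    }


def format_route(route):
    """Render a route dict back into --route-dst's two-line format."""
    tail = "direct" if route["direct"] else "nexthop %s" % route["nexthop"]
    return "%s\n%s %s srcaddr %s %s\n" % (
        route["target"], route["iface"], route["iface"], route["srcaddr"], tail)


if __name__ == "__main__":
    for sample in (SAMPLE_DIRECT, SAMPLE_NEXTHOP):
        r = parse_route_dst(sample)
        print("%s: ARP scan %s" % (r["target"], "possible" if arp_scan_possible(r) else "not possible"))
```

Running the script against the two constructed samples prints that 192.168.0.1 can be ARP-scanned and 74.207.244.221 cannot; feeding it real output from nmap --route-dst on the BSD or OS X host in question shows at a glance whether Nmap believes the targets are on-link, which is the precondition for the ARP scan the original report found missing.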
