Nmap Development mailing list archives

Problem routing nmap scans


From: graou () free fr
Date: Fri, 03 Aug 2012 13:10:39 +0200

Hi all

I'm having trouble with nmap v6.01 and Windows 7 x64.
Let's say I want to do a TCP SYN scan of a host on a subnetwork
(192.168.35.53:80).
This host answers pings:

---------------------
ping 192.168.35.53

Envoi d'une requête 'Ping'  192.168.35.53 avec 32 octets de données :
Réponse de 192.168.35.53 : octets=32 temps=2 ms TTL=61
---------------------

This host is reachable via any browser.
This host is also reachable via an nmap TCP connect scan when I disable host
discovery:

---------------------
nmap -sT 192.168.35.53  -p 80 -Pn

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-03 10:35 Paris, Madrid (heure
dÆÚtÚ)
Nmap scan report for 192.168.35.53
Host is up (0.020s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
---------------------


But when I try a TCP SYN scan, with or without host discovery, it doesn't work
anymore (Wireshark doesn't see any packets going out):

---------------------
nmap -sS 192.168.35.53  -p 80

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-03 10:38 Paris, Madrid (heure
dÆÚtÚ)
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.27 seconds


nmap -sS 192.168.35.53  -p 80 -Pn

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-03 10:39 Paris, Madrid (heure
dÆÚtÚ)
Nmap scan report for 192.168.35.53
Host is up.
PORT   STATE    SERVICE
80/tcp filtered http

Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
---------------------



Here are my network interfaces:

---------------------
Nmap -iflist

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-03 11:14 Paris, Madrid (heure
dÆÚtÚ)
************************INTERFACES************************
DEV  (SHORT) IP/MASK                      TYPE        UP   MTU  MAC
eth0 (eth0)  fe80::14a3:473b:906d:f489/64 ethernet    down 1400 00:FF:E0:99:32:05
eth0 (eth0)  169.254.244.137/4            ethernet    down 1400 00:FF:E0:99:32:05
eth1 (eth1)  fe80::61c9:436e:95b4:4699/64 ethernet    up   1500 F0:DE:F1:3C:52:EB
eth1 (eth1)  172.22.32.9/27               ethernet    up   1500 F0:DE:F1:3C:52:EB
lo0  (lo0)   ::1/128                      loopback    up   -1
lo0  (lo0)   127.0.0.1/8                  loopback    up   -1
tun0 (tun0)  fe80::5efe:ac16:2009/128     point2point down 1280
tun1 (tun1)  (null)/0                     point2point down 1280

DEV  WINDEVICE
eth0 \Device\NPF_{47685897-037C-4039-877E-9A38087C913B}
eth0 \Device\NPF_{47685897-037C-4039-877E-9A38087C913B}
eth1 \Device\NPF_{2CE9107C-9829-4D85-8A6A-2135CF04A8FE}
eth1 \Device\NPF_{2CE9107C-9829-4D85-8A6A-2135CF04A8FE}
lo0  <none>
lo0  <none>
tun0 <none>
tun1 <none>

**************************ROUTES**************************
DST/MASK           DEV  GATEWAY
172.22.32.31/32    eth0
255.255.255.255/32 eth0
127.0.0.1/32       eth0
127.255.255.255/32 eth0
255.255.255.255/32 eth0
172.22.32.9/32     eth0
255.255.255.255/32 eth0
172.22.32.0/27     eth0
127.0.0.0/8        eth0
224.0.0.0/4        eth0
224.0.0.0/4        eth0
224.0.0.0/4        eth0
0.0.0.0/0          eth0 172.22.32.30
---------------------

So I tried specifying the output interface, which I believe is eth1 (eth0 is my
Juniper Network Connect Virtual Adapter):

---------------------
nmap -e eth1 -sS 192.168.35.53  -p 80

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-03 10:40 Paris, Madrid (heure
dÆÚtÚ)
nexthost: failed to determine route to 192.168.35.53
QUITTING!
---------------------


Then I saw this line:
---------------------
Nmap -iflist
...
0.0.0.0/0          eth0 172.22.32.30
---------------------


How come nmap's route for 0.0.0.0/0 maps to eth0 (which is down; see iflist)? How do
I change this to eth1?
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
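An added illustration, not part of the original post and not Nmap's own code: a small Python script that reads the `--iflist` tables quoted above (with the wrapped MAC column re-joined, and the WINDEVICE block left out) and does the same longest-prefix route lookup Nmap has to do before a raw-packet scan. It reports which interface and gateway a destination would be sent through, whether that interface is reported up, and whether any route on a given interface covers the destination, which is the condition `-e <dev>` needs to succeed. The column layout it assumes is the one shown in the post; the function names are my own.

```python
import ipaddress

# Constructed sample input: the INTERFACES and ROUTES tables from the post above,
# with the MAC column re-joined where the mail wrapped it (WINDEVICE block omitted).
IFLIST_OUTPUT = """\
************************INTERFACES************************
DEV  (SHORT) IP/MASK                      TYPE        UP   MTU  MAC
eth0 (eth0)  fe80::14a3:473b:906d:f489/64 ethernet    down 1400 00:FF:E0:99:32:05
eth0 (eth0)  169.254.244.137/4            ethernet    down 1400 00:FF:E0:99:32:05
eth1 (eth1)  fe80::61c9:436e:95b4:4699/64 ethernet    up   1500 F0:DE:F1:3C:52:EB
eth1 (eth1)  172.22.32.9/27               ethernet    up   1500 F0:DE:F1:3C:52:EB
lo0  (lo0)   ::1/128                      loopback    up   -1
lo0  (lo0)   127.0.0.1/8                  loopback    up   -1
tun0 (tun0)  fe80::5efe:ac16:2009/128     point2point down 1280
tun1 (tun1)  (null)/0                     point2point down 1280

**************************ROUTES**************************
DST/MASK           DEV  GATEWAY
172.22.32.31/32    eth0
255.255.255.255/32 eth0
127.0.0.1/32       eth0
172.22.32.9/32     eth0
172.22.32.0/27     eth0
127.0.0.0/8        eth0
224.0.0.0/4        eth0
0.0.0.0/0          eth0 172.22.32.30
"""


def parse_iflist(text):
    """Parse --iflist output into (interfaces, routes).

    interfaces: dev -> {"up": bool, "addrs": [ip_interface, ...]}
    routes:     [(ip_network, dev, gateway or None), ...], IPv4 only.
    The column layout assumed here is the one shown in the post (an assumption).
    """
    interfaces, routes, section = {}, [], None
    for line in text.splitlines():
        if line.startswith("*"):  # section banner
            section = "if" if "INTERFACES" in line else "rt" if "ROUTES" in line else None
            continue
        if not line.strip() or line.startswith(("DEV", "DST")):
            continue  # blank line or column header
        fields = line.split()
        if section == "if" and len(fields) >= 5:
            dev, addr, state = fields[0], fields[2], fields[4]
            entry = interfaces.setdefault(dev, {"up": False, "addrs": []})
            entry["up"] = entry["up"] or state == "up"
            try:
                entry["addrs"].append(ipaddress.ip_interface(addr))
            except ValueError:
                pass  # e.g. "(null)/0" on an adapter without an address
        elif section == "rt" and len(fields) >= 2:
            try:
                net = ipaddress.ip_network(fields[0], strict=False)
            except ValueError:
                continue
            if net.version == 4:
                gw = ipaddress.ip_address(fields[2]) if len(fields) > 2 else None
                routes.append((net, fields[1], gw))
    return interfaces, routes


def lookup_route(routes, dst):
    """Longest-prefix match: the route chosen when no -e is given."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, dev, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def has_route_on(routes, dev, dst):
    """True if some route on interface `dev` covers `dst` (what -e <dev> needs)."""
    dst = ipaddress.ip_address(dst)
    return any(dst in net and rdev == dev for net, rdev, _ in routes)


def diagnose(text, dst):
    """Explain which interface a destination would leave on and whether it is up."""
    interfaces, routes = parse_iflist(text)
    match = lookup_route(routes, dst)
    if match is None:
        return f"{dst}: no route"
    net, dev, gw = match
    via = f"via {gw}" if gw else "directly connected"
    if interfaces.get(dev, {}).get("up", False):
        return f"{dst}: {net} on {dev} ({via}), interface up"
    return f"{dst}: {net} on {dev} ({via}), interface reported DOWN"


if __name__ == "__main__":
    print(diagnose(IFLIST_OUTPUT, "192.168.35.53"))
    _, rts = parse_iflist(IFLIST_OUTPUT)
    print("route on eth1 covering 192.168.35.53:", has_route_on(rts, "eth1", "192.168.35.53"))
```

Run against the tables from the post, the script shows that 192.168.35.53 only matches the default route, that the default route points at eth0 (reported down), and that no route on eth1 covers the target at all, which is consistent with the "failed to determine route" message when `-e eth1` is forced. To check a live machine, feed it the output of `nmap --iflist` and compare with `route print` in a Windows command prompt.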