Nmap Development mailing list archives

Re: 'nmap -S <src_addr>' does not use 'iproute2' alternate routing table


From: David Fifield <david () bamsoftware com>
Date: Mon, 10 Sep 2012 13:08:30 -0700

On Thu, Aug 23, 2012 at 09:53:24PM -0400, starlight.2012q3 () binnacle cx wrote:
> 'nmap' does not make use of 'iproute2'
> alternate routing tables selected by
> source address.  So
>
> # nmap -e eth4 -S 172.29.87.84 <target>
>
> Uses the generic default-route of
> 172.29.79.2 via 'eth5' instead of the
> source-route default of 172.29.86.1
> via 'eth4'.  Confirmed this with
> 'tcpdump'.
>
> Seems like 'nmap' ought to handle this
> scenario correctly.  In our case 'eth4'
> faces the Internet and 'eth5' routes
> through a Cisco ASA, so it is preferable
> to use the direct path for scanning.
>
> Both 'ping' and 'traceroute' correctly
> use the source address selected routing
> table.  Checked it with 'tcpdump'.
>
> Built 'nmap' from SVN 29648 pulled 8/22/12.
>
> -----
>
> $ ip rule show
> 0:      from all lookup local
> 32764:  from 172.29.86.4 lookup eth4
> 32765:  from 172.29.79.1 lookup eth5
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> $ ip route show table eth4
> 172.29.79.0/24 dev eth5  scope link
> 172.29.88.0/24 dev eth1  scope link
> 172.29.87.0/24 dev eth0  scope link
> 172.29.86.0/24 dev eth4  scope link  src 172.29.86.4
> 127.0.0.0/8 dev lo  scope link
> default via 172.29.86.1 dev eth4
>
> $ ip route show table main
> 172.29.79.0/24 dev eth5  scope link  src 172.29.79.1
> 172.29.91.0/24 via 172.29.83.6 dev tun0
> 172.29.88.0/24 dev eth1  scope link  src 172.29.88.1
> 172.29.87.0/24 dev eth0  scope link  src 172.29.87.1
> 172.29.86.0/24 dev eth4  scope link  src 172.29.86.4
> 172.29.85.0/24 dev tun1  scope link  src 172.29.85.1
> 172.29.83.0/24 dev tun0  scope link  src 172.29.83.1
> 172.29.82.0/24 dev tun2  scope link  src 172.29.82.1
> 172.29.81.0/24 dev tun3  scope link  src 172.29.81.1
> default via 172.29.79.2 dev eth5

Can you point out which parts of this configuration should cause a
source address of 172.29.87.84 to route through eth4? The closest I can
guess is from "ip rule show",

32764:  from 172.29.86.4 lookup eth4

But that address 172.29.86.4 doesn't match the 172.29.86.84 used in your
Nmap command. Was that just a typo?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
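As an added illustration, not code from the thread or from Nmap, the following Python emulates in simplified form the kernel's policy-routing lookup over the `ip rule show` and `ip route show table` output quoted above, so a reader can check which table a given source address selects (the destination addresses in the checks are constructed). With the thread's source 172.29.87.84 no `from` rule matches and the main table's default via eth5 is chosen; only 172.29.86.4 selects table eth4.

```python
import ipaddress
# Constructed from the "ip rule show" / "ip route show table" output in the thread.
IP_RULE_SHOW = """\
0:      from all lookup local
32764:  from 172.29.86.4 lookup eth4
32765:  from 172.29.79.1 lookup eth5
32766:  from all lookup main
32767:  from all lookup default
"""
ROUTE_TABLES = {  # table name -> "ip route show table <name>" output (trimmed)
    "eth4": """\
172.29.86.0/24 dev eth4  scope link  src 172.29.86.4
default via 172.29.86.1 dev eth4
""",
    "main": """\
172.29.86.0/24 dev eth4  scope link  src 172.29.86.4
default via 172.29.79.2 dev eth5
""",
}

def parse_rules(text):
    """Return (priority, source prefix, table) tuples in priority order."""
    rules = []
    for line in text.splitlines():
        prio, _, rest = line.partition(":")
        w = rest.split()  # ["from", <src>, "lookup", <table>]
        net = ipaddress.ip_network("0.0.0.0/0" if w[1] == "all" else w[1])
        rules.append((int(prio), net, w[3]))
    return sorted(rules)

def parse_routes(text):
    """Yield (prefix, device, gateway or None) for one routing table."""
    for line in text.splitlines():
        w = line.split()
        prefix = "0.0.0.0/0" if w[0] == "default" else w[0]
        via = w[w.index("via") + 1] if "via" in w else None
        yield ipaddress.ip_network(prefix), w[w.index("dev") + 1], via

def lookup(src, dst):
    """Simplified policy lookup: first rule (by priority) matching src whose
    table has a route to dst; longest prefix wins; unknown tables skipped."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, net, table in parse_rules(IP_RULE_SHOW):
        if src_ip not in net or table not in ROUTE_TABLES:
            continue
        hits = [r for r in parse_routes(ROUTE_TABLES[table]) if dst_ip in r[0]]
        if hits:  # otherwise fall through to the next rule, as the kernel does
            dev, via = max(hits, key=lambda r: r[0].prefixlen)[1:]
            return {"table": table, "dev": dev, "via": via}
    return None
```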