Nmap Development mailing list archives
Nmap under OpenVZ venet?
From: NStorm <nstorm0.0 () privatdemail net>
Date: Wed, 6 Mar 2013 09:11:55 +0400
Hello.

tl;dr version: venet are NOARP devices, but Nmap doesn't honor this.

Long version:
I've read a bit regarding the issues with venet devices in the list archives (http://seclists.org/nmap-dev/2012/q2/808). Seems like there is no solution yet. I've tried this myself and got interesting results. Seems like if I run it as a normal user it works fine:

    $ nmap -A -v host.domain
    Starting Nmap 6.25 ( http://nmap.org ) at 2013-03-06 07:28 MSK
    NSE: Loaded 106 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating Ping Scan at 07:28
    Scanning host.domain (X.X.X.X) [2 ports]
    Completed Ping Scan at 07:28, 1.36s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 07:28
    Completed Parallel DNS resolution of 1 host. at 07:28, 0.05s elapsed
    Initiating Connect Scan at 07:28
    Scanning host.domain (X.X.X.X) [1000 ports]
    Discovered open port 53/tcp on ...

And the scan completes as normal. But if I try to run the same thing from the same host, just with root privileges (either via sudo or directly from a root shell), it seems to go weird:

    Initiating ARP Ping Scan at 07:27
    Scanning host.domain (X.X.X.X) [1 port]
    Completed ARP Ping Scan at 07:27, 0.42s elapsed (1 total hosts)
    Nmap scan report for host.domain (X.X.X.X) [host down]

Why does it go to an ARP scan while the target host is clearly in a different IP subnetwork? Probably this is somehow related to the fact that venet is a PtP IP-level device; it doesn't have MACs. But it works fine as a normal user. If I add --disable-arp-ping or --send-ip under root it works as expected too.

Digging into the manual right now, I've found this:

    The default host discovery done with -sn consists of an ICMP echo
    request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP
    timestamp request by default. When executed by an unprivileged user,
    only SYN packets are sent (using a connect call) to ports 80 and 443
    on the target. When a privileged user tries to scan targets on a
    local ethernet network, ARP requests are used unless --send-ip was
    specified.

So OK, now I understand why it works as an unprivileged user by default: just because it can't do an ARP ping. But it shouldn't try an ARP ping on venet devices at all anyway. They don't have Layer 2. With OpenVZ virtualization so popular nowadays, shouldn't Nmap support venet by default?

    venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:X.X.X.X  P-t-P:X.X.X.X  Bcast:X.X.X.X  Mask:255.255.255.255
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

It's a NOARP device. Nmap should honor this.
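An added example, not part of the original post and not Nmap's own code: a small Linux C program that reads an interface's flags with the SIOCGIFFLAGS ioctl and reports whether ARP host discovery can work on it, which is the check the post asks for. The function names, the default interface name and the policy of also skipping down and loopback interfaces are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Decide from SIOCGIFFLAGS-style flags whether ARP host discovery can work
 * on an interface. Returns 1 if usable, 0 if not (hypothetical helper). */
int arp_ping_usable(unsigned int flags)
{
    if (!(flags & IFF_UP))
        return 0;               /* interface is down */
    if (flags & IFF_NOARP)
        return 0;               /* e.g. venet: no link-layer address resolution */
    if (flags & IFF_LOOPBACK)
        return 0;               /* assumption: never ARP on loopback */
    return 1;
}

/* Read an interface's flags from the kernel.
 * Returns 0 on success, -1 on error (errno is left set by socket/ioctl). */
int get_if_flags(const char *ifname, unsigned int *flags)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    int rc = ioctl(fd, SIOCGIFFLAGS, &ifr);
    close(fd);
    if (rc < 0)
        return -1;
    *flags = (unsigned short)ifr.ifr_flags;
    return 0;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "venet0"; /* assumed default */
    unsigned int flags;
    if (get_if_flags(ifname, &flags) != 0) {
        perror(ifname);
        return 1;
    }
    printf("%s: flags=0x%x, ARP ping %s\n", ifname, flags,
           arp_ping_usable(flags) ? "usable" : "not usable (use --send-ip)");
    return 0;
}
```

For the venet0:0 flags shown in the post (UP BROADCAST POINTOPOINT RUNNING NOARP) the check reports ARP ping as not usable; for a typical Ethernet interface (UP BROADCAST RUNNING MULTICAST) it reports usable.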