Nmap Development mailing list archives
Re: Issue with nmap identifying aliased interfaces
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 14 Dec 2013 07:42:13 -0600
I can confirm this on Linux Mint. At least one problem seems to be the use of the /proc/net/dev file for gathering interfaces, since that file doesn't show aliases. I don't have time to debug more, but I will try to help as time permits.

Dan

On Fri, Dec 13, 2013 at 11:56 AM, Donovan Lampa <donovan.lampa () gmail com> wrote:
> Hey all,
>
> In nmap 6.40, I'm having some issues with nmap being able to identify
> aliased interfaces correctly.
>
> On Centos5 I have an alias interface configured:
>
> [root@localhost nmap-6.40-install]# /sbin/ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:0C:29:DD:6A:5E
>           inet addr:172.16.209.139  Bcast:172.16.209.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:98468 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:85230 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:46335310 (44.1 MiB)  TX bytes:6116459 (5.8 MiB)
>
> eth0:0    Link encap:Ethernet  HWaddr 00:0C:29:DD:6A:5E
>           inet addr:172.16.209.140  Bcast:172.16.255.255  Mask:255.255.0.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:2169 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2169 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:2333206 (2.2 MiB)  TX bytes:2333206 (2.2 MiB)
>
> Nmap seems to identify it as a primary interface instead of an alias even
> though it has the same mac address. It just seems to truncate the ':0'
>
> [root@localhost nmap-6.40-install]# bin/nmap --iflist
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2013-12-13 11:50 CST
> ************************INTERFACES************************
> DEV  (SHORT) IP/MASK           TYPE     UP MTU   MAC
> lo   (lo)    127.0.0.1/8       loopback up 16436
> eth0 (eth0)  172.16.209.139/24 ethernet up 1500  00:0C:29:DD:6A:5E
> eth0 (eth0)  172.16.209.140/16 ethernet up 1500  00:0C:29:DD:6A:5E
>
> **************************ROUTES**************************
> DST/MASK        DEV  METRIC GATEWAY
> 172.16.209.0/24 eth0 0
> 172.16.0.0/16   eth0 0
> 169.254.0.0/16  eth0 0
> 0.0.0.0/0       eth0 0      172.16.209.2
>
> This has some undesirable results when specifying the interface and source
> address for specific types of scans
>
> [root@localhost nmap-6.40-install]# bin/nmap -e eth0:0 -S 172.16.209.140 10.70.244.44
> WARNING: If -S is being used to fake your source address, you may also have
> to use -e <interface> and -Pn . If you are using it to specify your real
> source address, you can ignore this warning.
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2013-12-13 11:54 CST
> Could not find interface eth0:0 which was specified by -e
>
> Earlier versions of nmap (i.e. the one provided by Centos Base) don't seem
> to have this issue.
>
> [root@localhost nmap-6.40-install]# nmap --iflist
>
> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-12-13 11:51 CST
> ************************INTERFACES************************
> DEV    (SHORT) IP/MASK           TYPE     UP MAC
> lo     (lo)    127.0.0.1/8       loopback up
> eth0   (eth0)  172.16.209.139/24 ethernet up 00:0C:29:DD:6A:5E
> eth0:0 (eth0)  172.16.209.140/16 ethernet up 00:0C:29:DD:6A:5E
>
> **************************ROUTES**************************
> DST/MASK       DEV  GATEWAY
> 172.16.209.0/0 eth0
> 172.16.0.0/0   eth0
> 169.254.0.0/0  eth0
> 0.0.0.0/0      eth0 172.16.209.2
>
> [root@localhost nmap-6.40-install]# nmap -e eth0:0 -S 172.16.209.140 10.70.244.44
> WARNING: If -S is being used to fake your source address, you may also
> have to use -e <interface> and -P0 . If you are using it to specify your
> real source address, you can ignore this warning.
>
> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-12-13 11:55 CST
> Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
> SYN Stealth Scan Timing: About 85.87% done; ETC: 11:55 (0:00:01 remaining)
> Interesting ports on scantest-centos5-01.tw-test.net (10.70.244.44):
> Not shown: 1678 closed ports
> PORT   STATE SERVICE
> 22/tcp open  ssh
> 80/tcp open  http
>
> Nmap finished: 1 IP address (1 host up) scanned in 13.911 seconds
>
> I think I've tracked it down to the collect_dnet_interfaces loop in
> libnetutil/netutil.cc but I'm kind of stumped there. Am I missing
> something? Doing something wrong? Any thoughts?
>
> -Donovan
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
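Added example (not part of either message and not Nmap code): a small Python check that compares the interface labels the OS reports with the DEV column of `nmap --iflist` and lists the addresses whose alias label was not preserved. The sample text is constructed by abridging the output quoted in the thread; the function names are hypothetical.

```python
import re

# Constructed samples, abridged from the command output quoted in the thread.
IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:29:DD:6A:5E
          inet addr:172.16.209.139  Bcast:172.16.209.255  Mask:255.255.255.0
eth0:0    Link encap:Ethernet  HWaddr 00:0C:29:DD:6A:5E
          inet addr:172.16.209.140  Bcast:172.16.255.255  Mask:255.255.0.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""
IFLIST_640 = """\
DEV  (SHORT) IP/MASK           TYPE     UP MTU   MAC
lo   (lo)    127.0.0.1/8       loopback up 16436
eth0 (eth0)  172.16.209.139/24 ethernet up 1500  00:0C:29:DD:6A:5E
eth0 (eth0)  172.16.209.140/16 ethernet up 1500  00:0C:29:DD:6A:5E
"""
IFLIST_411 = """\
DEV    (SHORT) IP/MASK           TYPE     UP MAC
lo     (lo)    127.0.0.1/8       loopback up
eth0   (eth0)  172.16.209.139/24 ethernet up 00:0C:29:DD:6A:5E
eth0:0 (eth0)  172.16.209.140/16 ethernet up 00:0C:29:DD:6A:5E
"""

def ifconfig_labels(text):
    """Map IPv4 address -> interface label from net-tools style ifconfig output."""
    labels, name = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            name = line.split()[0]          # unindented line starts a new stanza
        m = re.search(r"inet addr:(\d+(?:\.\d+){3})", line)
        if m and name:
            labels[m.group(1)] = name
    return labels

def iflist_devs(text):
    """Map IPv4 address -> DEV column from the INTERFACES table of --iflist."""
    row = re.compile(r"(\S+)\s+\(\S+\)\s+(\d+(?:\.\d+){3})/\d+")
    return {m.group(2): m.group(1) for m in map(row.match, text.splitlines()) if m}

def lost_labels(ifconfig_text, iflist_text):
    """List (ip, os_label, nmap_dev) where Nmap's DEV name differs from the OS label."""
    devs = iflist_devs(iflist_text)
    return sorted((ip, label, devs.get(ip))
                  for ip, label in ifconfig_labels(ifconfig_text).items()
                  if devs.get(ip) != label)

if __name__ == "__main__":
    for name, table in (("6.40", IFLIST_640), ("4.11", IFLIST_411)):
        print(name, lost_labels(IFCONFIG, table))
```

A non-empty result identifies labels that `-e` cannot be expected to match, as with the `Could not find interface eth0:0` error quoted above.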
Current thread:
- Issue with nmap identifying aliased interfaces Donovan Lampa (Dec 13)
- Re: Issue with nmap identifying aliased interfaces Daniel Miller (Dec 14)
- Re: Issue with nmap identifying aliased interfaces Donovan Lampa (Dec 17)
