Re: Issue with nmap identifying aliased interfaces

[Donovan Lampa <donovan.lampa () gmail com>]

Hey all,

Just wanted to see if there was any timeframe for a fix on this? The patch
I've put together essentially disables IPv6 support on linux platforms
(which of course isn't desirable) since it essentially re-implements the
behavior that existed before the functionality was broken.

Otherwise, I'll try to spend more time on fixing this correctly, but I have
no idea when I would feel comfortable enough to fully contribute to the
codebase. Let me know if there's anything I can do to help or if you have
any pointers on how to best get into the codebase.

-Donovan

On Fri, Dec 20, 2013 at 4:33 PM, Donovan Lampa <donovan.lampa () gmail com>wrote:

> I've done some more work on this and have been able to trace this down to
> r23778
>
> It looks like it's caused by the removal of getinterfaces_siocgifconf in
> libnetutil/netutil.cc and the calling of that function for non win32
> platforms.
>
> Can someone explain the reason behind removing this function? Would it be
> a sensible fix to add it back in for linux platforms to restore this alias
> interface detection functionality? If it is sensible, I could probably put
> a patch together.
>
> -Donovan
>
>
>
>
> On Tue, Dec 17, 2013 at 9:26 AM, Donovan Lampa <donovan.lampa () gmail com>wrote:
>
> > Understandable. I appreciate your time.
> >
> > I realize everyone's busy, but in your (or others') opinion, how complex
> > of a fix does this look like? How much time do you think it would take to
> > get a patch together if someone familiar with the codebase put one together?
> >
> > If possible, I'd like to help out and get this fixed, and I think I'm
> > looking in the right place so far (maybe we can take this off-list as well
> > from here if necessary), but would you or someone on this list be able to
> > point me in the right direction to get started on a fix? Maybe I can get a
> > patch together in a reasonable amount of time... Maybe.
> >
> > In any case, any guidance would be appreciated.
> >
> > -Donovan
> >
> >
> >
> > On Sat, Dec 14, 2013 at 7:42 AM, Daniel Miller <bonsaiviking () gmail com>wrote:
> >
> > > I can confirm this on Linux Mint. At least one problem seems to be the
> > > use of the /proc/net/dev file for gathering interfaces, since that
> > > file doesn't show aliases. I don't have time to debug more, but I will
> > > try to help as time permits.
> > >
> > > Dan
> > >
> > > On Fri, Dec 13, 2013 at 11:56 AM, Donovan Lampa <donovan.lampa () gmail com>
> > > wrote:
> > > > Hey all,
> > > >
> > > > In nmap 6.40, I'm having some issues with nmap being able to identify
> > > > aliased interfaces correctly.
> > > >
> > > > On Centos5 I have an alias interface configured:
> > > > [root@localhost nmap-6.40-install]# /sbin/ifconfig
> > > > eth0      Link encap:Ethernet  HWaddr 00:0C:29:DD:6A:5E
> > > >           inet addr:172.16.209.139  Bcast:172.16.209.255
> > >  Mask:255.255.255.0
> > > >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > > >           RX packets:98468 errors:0 dropped:0 overruns:0 frame:0
> > > >           TX packets:85230 errors:0 dropped:0 overruns:0 carrier:0
> > > >           collisions:0 txqueuelen:1000
> > > >           RX bytes:46335310 (44.1 MiB)  TX bytes:6116459 (5.8 MiB)
> > > >
> > > > eth0:0    Link encap:Ethernet  HWaddr 00:0C:29:DD:6A:5E
> > > >           inet addr:172.16.209.140  Bcast:172.16.255.255
> > >  Mask:255.255.0.0
> > > >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > > >
> > > > lo        Link encap:Local Loopback
> > > >           inet addr:127.0.0.1  Mask:255.0.0.0
> > > >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> > > >           RX packets:2169 errors:0 dropped:0 overruns:0 frame:0
> > > >           TX packets:2169 errors:0 dropped:0 overruns:0 carrier:0
> > > >           collisions:0 txqueuelen:0
> > > >           RX bytes:2333206 (2.2 MiB)  TX bytes:2333206 (2.2 MiB)
> > > >
> > > > Nmap seems to identify it as a primary interface instead of an alias
> > > even
> > > > though it has the same mac address. It just seems to truncate the ':0'
> > > >
> > > > [root@localhost nmap-6.40-install]# bin/nmap --iflist
> > > >
> > > > Starting Nmap 6.40 ( http://nmap.org ) at 2013-12-13 11:50 CST
> > > > ************************INTERFACES************************
> > > > DEV  (SHORT) IP/MASK           TYPE     UP MTU   MAC
> > > > lo   (lo)    127.0.0.1/8       loopback up 16436
> > > > eth0 (eth0)  172.16.209.139/24 ethernet up 1500  00:0C:29:DD:6A:5E
> > > > eth0 (eth0)  172.16.209.140/16 ethernet up 1500  00:0C:29:DD:6A:5E
> > > >
> > > > **************************ROUTES**************************
> > > > DST/MASK        DEV  METRIC GATEWAY
> > > > 172.16.209.0/24 eth0 0
> > > > 172.16.0.0/16   eth0 0
> > > > 169.254.0.0/16  eth0 0
> > > > 0.0.0.0/0       eth0 0      172.16.209.2
> > > >
> > > > This has some undesirable results when specifying the interface and
> > > source
> > > > address for specific types of scans
> > > >
> > > > [root@localhost nmap-6.40-install]# bin/nmap -e eth0:0 -S
> > > 172.16.209.140
> > > > 10.70.244.44
> > > > WARNING: If -S is being used to fake your source address, you may also
> > > have
> > > > to use -e <interface> and -Pn .  If you are using it to specify your
> > > real
> > > > source address, you can ignore this warning.
> > > >
> > > > Starting Nmap 6.40 ( http://nmap.org ) at 2013-12-13 11:54 CST
> > > > Could not find interface eth0:0 which was specified by -e
> > > >
> > > > Earlier versions of nmap (i.e. the one provided by Centos Base) don't
> > > seem
> > > > to have this issue.
> > > >
> > > > [root@localhost nmap-6.40-install]# nmap --iflist
> > > >
> > > > Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-12-13
> > > 11:51 CST
> > > > ************************INTERFACES************************
> > > > DEV    (SHORT) IP/MASK           TYPE     UP MAC
> > > > lo     (lo)    127.0.0.1/8       loopback up
> > > > eth0   (eth0)  172.16.209.139/24 ethernet up 00:0C:29:DD:6A:5E
> > > > eth0:0 (eth0)  172.16.209.140/16 ethernet up 00:0C:29:DD:6A:5E
> > > >
> > > > **************************ROUTES**************************
> > > > DST/MASK       DEV  GATEWAY
> > > > 172.16.209.0/0 eth0
> > > > 172.16.0.0/0   eth0
> > > > 169.254.0.0/0  eth0
> > > > 0.0.0.0/0      eth0 172.16.209.2
> > > >
> > > > [root@localhost nmap-6.40-install]# nmap -e eth0:0 -S 172.16.209.140
> > > > 10.70.244.44
> > > > WARNING:  If -S is being used to fake your source address, you may also
> > > > have to use -e <interface> and -P0 .  If you are using it to specify
> > > your
> > > > real source address, you can ignore this warning.
> > > >
> > > > Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-12-13
> > > 11:55 CST
> > > > Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing SYN
> > > Stealth
> > > > Scan
> > > > SYN Stealth Scan Timing: About 85.87% done; ETC: 11:55 (0:00:01
> > > remaining)
> > > > Interesting ports on scantest-centos5-01.tw-test.net (10.70.244.44):
> > > > Not shown: 1678 closed ports
> > > > PORT   STATE SERVICE
> > > > 22/tcp open  ssh
> > > > 80/tcp open  http
> > > >
> > > > Nmap finished: 1 IP address (1 host up) scanned in 13.911 seconds
> > > >
> > > > I think I've tracked it down to the collect_dnet_interfaces loop in
> > > > libnetutil/netutil.cc but I'm kind of stumped there. Am I missing
> > > > something? Doing something wrong? Any thoughts?
> > > >
> > > > -Donovan
> > > > _______________________________________________
> > > > Sent through the dev mailing list
> > > > http://nmap.org/mailman/listinfo/dev
> > > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/