Nmap Development mailing list archives

Re: [Patch] Fixing the MAC address in Nmap's ARP discovery


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 28 May 2014 16:57:48 -0500

On Tue, May 27, 2014 at 3:09 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:

> Hi All!
>
> Nmap's ARP discovery uses the wrong MAC address in the target field of
> ARP requests. It uses ff:ff:ff:ff:ff:ff instead of the 00:00:00:00:00:00
> that all other IP stacks (Linux, Win) use. This allows people to
> trivially discover Nmap scans on their network. This was reported by A
> Brodskiy. Link: [1].


List,

I did some research on this, and I found that, although Linux and Windows
at least do set the target MAC address (ar$tha) to 00-00-00-00-00-00, this
is not a necessity of the protocol. RFC 826 (https://tools.ietf.org/html/rfc826)
has this to say:

It does not set ar$tha to anything in particular,
because it is this value that it is trying to determine.  It
could set ar$tha to the broadcast address for the hardware (all
ones in the case of the 10Mbit Ethernet) if that makes it
convenient for some aspect of the implementation.

The target hardware address is included for completeness and
network monitoring.  It has no meaning in the request form, since
it is this number that the machine is requesting.  Its meaning in
the reply form is the address of the machine making the request.
In some implementations (which do not get to look at the 14.byte
ethernet header, for example) this may save some register
shuffling or stack space by sending this field to the hardware
driver as the hardware destination address of the packet.


The Wireshark Wiki on Gratuitous ARP (http://wiki.wireshark.org/Gratuitous_ARP)
notes that Solaris sends ARP requests with ar$tha set to ff-ff-ff-ff-ff-ff,
which is the only suggested value in the RFC.

In other words, there's no reason Nmap's implementation is "wrong" (and it
has certainly been working fine for years!), but this patch will make Nmap
conform to the way that currently-popular OSs do things. I've tested it and
find no problems, so if there are no objections, I will ask Jay to commit
the change.

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
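The following is an added example, not code from the thread, from Nmap or from RFC 826. It builds Ethernet/IPv4 ARP request frames with ar$tha set either to all-zeros (the Linux/Windows convention, and Nmap after this patch) or to all-ones (the RFC's one suggested value, Solaris, and Nmap before the patch), parses them back, and shows the kind of heuristic a network monitor could use to spot the all-ones form. The MAC addresses, IP addresses and the `min_requests` threshold are constructed for illustration.

```python
"""Check the ar$tha field of ARP requests.

RFC 826 leaves the target hardware address (ar$tha) of a request
unspecified; Linux and Windows send all-zeros, Solaris (per the
Wireshark wiki) and Nmap before this patch send all-ones.  This module
builds frames both ways, parses them back and flags the all-ones form.
"""
import socket
import struct
from collections import Counter

ETH_HDR_LEN = 14
ARP_LEN = 28                 # fixed size for Ethernet/IPv4 ARP
ETH_P_ARP = 0x0806
ARPHRD_ETHER = 1
ETH_P_IP = 0x0800
ARPOP_REQUEST = 1
ARPOP_REPLY = 2

BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(src_mac, src_ip, dst_ip, op=ARPOP_REQUEST, target_hw=ZERO_MAC,
              dst_mac=BROADCAST_MAC):
    """Return an Ethernet frame carrying one ARP packet (42 bytes, no FCS).

    target_hw is the ar$tha value; for a request RFC 826 lets the sender
    pick anything, so the caller decides between ZERO_MAC and BROADCAST_MAC.
    """
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", ARPHRD_ETHER, ETH_P_IP, 6, 4, op)
    arp += src_mac + socket.inet_aton(src_ip) + target_hw + socket.inet_aton(dst_ip)
    return eth + arp


def parse_arp(frame):
    """Parse an Ethernet/IPv4 ARP frame; return a dict or None if it is not one."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    if (hrd, pro, hln, pln) != (ARPHRD_ETHER, ETH_P_IP, 6, 4):
        return None
    body = frame[22:42]
    return {
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sha": mac_str(body[0:6]),
        "spa": socket.inet_ntoa(body[6:10]),
        "tha": mac_str(body[10:16]),
        "tpa": socket.inet_ntoa(body[16:20]),
    }


def classify_request_tha(frame):
    """'zero', 'broadcast' or 'other' for an ARP request; None otherwise.

    Only requests are classified: in a reply ar$tha is the requester's
    real address and carries no fingerprint.
    """
    pkt = parse_arp(frame)
    if pkt is None or pkt["op"] != ARPOP_REQUEST:
        return None
    if pkt["tha"] == mac_str(ZERO_MAC):
        return "zero"
    if pkt["tha"] == mac_str(BROADCAST_MAC):
        return "broadcast"
    return "other"


def broadcast_tha_senders(frames, min_requests=3):
    """Source MACs that sent at least min_requests ARP requests with
    ar$tha = ff:ff:ff:ff:ff:ff.  A heuristic, not proof: the RFC allows
    this value and some stacks (Solaris) use it routinely."""
    counts = Counter()
    for frame in frames:
        if classify_request_tha(frame) == "broadcast":
            counts[parse_arp(frame)["eth_src"]] += 1
    return {mac for mac, n in counts.items() if n >= min_requests}


# Constructed sample traffic (not a real capture): one host probing a /29
# with all-ones ar$tha, one normal host with zeros, and one reply.
SCANNER = bytes.fromhex("02aa00000001")
HOST = bytes.fromhex("02bb00000002")
SAMPLE_FRAMES = [
    build_arp(SCANNER, "192.0.2.9", f"192.0.2.{i}", target_hw=BROADCAST_MAC)
    for i in range(1, 7)
] + [
    build_arp(HOST, "192.0.2.20", "192.0.2.1"),
    build_arp(HOST, "192.0.2.20", "192.0.2.9", op=ARPOP_REPLY,
              target_hw=SCANNER, dst_mac=SCANNER),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_arp(f)
        print(p["eth_src"], "op", p["op"], "tha", p["tha"], classify_request_tha(f))
    print("broadcast-tha senders:", broadcast_tha_senders(SAMPLE_FRAMES))
```

Two points the thread makes are reflected in the code: only requests are classified, because in a reply ar$tha is the requester's address and is meaningful; and an all-ones ar$tha is treated as a heuristic rather than a verdict, since RFC 826 permits it and Solaris uses it routinely. Once the patch is in, Nmap sends all-zeros and this particular check no longer distinguishes it from a Linux or Windows host.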

