Nmap Development mailing list archives

Re[2]: Re[2]: Re[2]: Nmap 6.47 works incorrectly in Solaris 10


From: Luong Nguyen <lucasart1989 () gmail com>
Date: Fri, 22 May 2015 19:40:23 +0300


Hi Dan,

MAC address of bge0 is 00:03:ba:18:59:5f

Regards,
Luong

Sent from myMail for iOS


Friday, May 22, 2015, 21:46 +0700 from Daniel Miller  <bonsaiviking () gmail com>:
Luong,

Now I see what is happening! It looks like Nmap is probably detecting the wrong MAC address for that interface. Your 
packet capture shows 2 different MAC addresses using the 192.168.89.34 address. First, there's 00:03:ba:18:59:5f (an 
Oracle OUI), then later you see the one that Nmap is using, 00:00:01:00:08:43 (a Xerox OUI). This Xerox address is 
also what Nmap showed in --iflist in an earlier message, so it looks like there might be a bug in libdnet. I will try 
to reproduce that on Solaris 10. Can you confirm that the Oracle MAC is the correct one? You can use "ifconfig bge0" 
to determine this.

Dan

On Fri, May 22, 2015 at 8:20 AM, Luong Nguyen  < lucasart1989 () gmail com > wrote:
Dan,

I ran the snoop command first, then ran the nmap command.
I am resending the pcap as you requested.

bash-3.2# ./nmap -sn -n -d 192.168.89.10 --packet-trace

Starting Nmap 6.47 (  http://nmap.org ) at 2015-05-22 20:15 EDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating ARP Ping Scan at 20:15
Scanning 192.168.89.10 [1 port]
Packet capture filter (device bge0): arp and arp[18:4] = 0x00000100 and arp[22:2] = 0x0843
SENT (0.0391s) ARP who-has 192.168.89.10 tell 192.168.89.34
SENT (0.2392s) ARP who-has 192.168.89.10 tell 192.168.89.34
Completed ARP Ping Scan at 20:15, 0.42s elapsed (1 total hosts)
Overall sending rates: 4.80 packets / s, 201.74 bytes / s.
Nmap scan report for 192.168.89.10 [host down, received no-response]
Read from .: nmap-payloads.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.45 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)

Regards,
Luong

2015-05-22 19:20 GMT+07:00 Daniel Miller  < bonsaiviking () gmail com > :
Luong,

Thanks, I got the file. Unfortunately, I don't see any traffic from your scanner's IP or MAC or the target's IP or 
MAC. Was the snoop running at the same time that you scanned? If you try again, please add the --packet-trace option 
to your Nmap command for more debugging detail.

Dan

On Thu, May 21, 2015 at 9:40 PM, Luong Nguyen  < lucasart1989 () gmail com > wrote:
Hi Dan,

Please see the attached file.



2015-05-21 22:17 GMT-04:00 Daniel Miller  < bonsaiviking () gmail com > :

Luong,

I think the equivalent snoop command would be like this: snoop -r -d bge0 -o solaris-arp-bug.pcap arp

You'll have to run this in the background or in another terminal while you run Nmap, obviously.

Please CC the dev () nmap org list in your replies so that other users can find this thread if they have the same 
problem, or so other devs can help if I am unavailable.

Dan


On Thu, May 21, 2015 at 8:45 PM, Luong Nguyen  < lucasart1989 () gmail com > wrote:
Dan,

I cannot find tcpdump on solaris, could you share the snoop command?
Thanks,

Sent from myMail for iOS


Thursday, May 21, 2015, 23:55 +0700 from Daniel Miller  < bonsaiviking () gmail com >:

Luong,

Thanks, that's really useful information! I wonder if there's a routing problem for some reason, or if Nmap is 
picking the wrong interface? You can check this by doing:

nmap --route-dst 192.168.89.10

If this gives something you don't expect (like using the wrong interface or source address), then please send 
that and the output of 

nmap --iflist

along with what you think is wrong with the output.

Otherwise, there may be a problem with how we are capturing the ARP replies. Is there any way you can include a 
pcap of just the ARP traffic sent and received during a scan of one of the problem targets? This is how I would 
expect to do it, but you may need to change your commands based on what's available:

tcpdump -n -i bge0 -w solaris-arp-bug.pcap -- arp &
nmap -sn -n -d 192.168.89.10

Thanks!
Dan

On Thu, May 21, 2015 at 9:10 AM, Luong Nguyen  < lucasart1989 () gmail com > wrote:
Hi Dan,
Nmap on Solaris can only detect Solaris hosts, including both SPARC and x86.
All hosts are on the same subnet, including: the nmap tool, VMware machines, PCs, router, L2/L3 switch...

I can ssh, ping and manage many hosts from the Solaris machine.

Good news for you: I used the --send-ip option in the nmap command and it works correctly, but I am confused because 
the behavior of nmap on Solaris is different from the Linux and Windows platforms. I do not need to add the --send-ip option.

Kind regards,
Luong Nguyen

Sent from myMail for iOS


Thursday, May 21, 2015, 20:33 +0700 from Daniel Miller  < bonsaiviking () gmail com >:

Luong,

Sorry about the long silence. I've filed this as a bug report on our tracker: http://issues.nmap.org/124

One thing I notice about the output you gave me: The hosts that Solaris *is* able to detect all have Oracle or 
VMware OUIs (MAC address vendor), whereas the Linux scanner sees hosts with Cisco, HP, Dell, etc. Are these 
targets Solaris machines, too? If so, are any Solaris machines missed by the Solaris scanner?

Apart from Nmap, are you able to contact (ping, ssh, or anything) the missed hosts from the Solaris machine?

Thanks for any further details you can add.

Dan

On Thu, Apr 2, 2015 at 9:38 PM, Luong Nguyen  < lucasart1989 () gmail com > wrote:
1. Output of nmap --version
bash-3.2# ./nmap -v

Starting Nmap 6.47 (  http://nmap.org ) at 2015-04-02 21:57 EDT
Read data files from: .
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.19 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)


2. Output of your command with -d
Attached file.

3. Can nmap find the missing hosts if scanning them individually? Like if 192.168.89.10 is shown in the Linux 
scan, on Solaris do: nmap -sn -d 192.168.89.10
Attached file.

4. Is there anything special or unique about your system or network? Are you running as root, or in a zone, 
or on a VM?
I run all commands as the root user.
SunOS qipsun34 5.10 Generic_147147-26 sun4u sparc SUNW,Sun-Fire-V210
All hosts are connected to a switch, no firewall.

5. Does the problem persist with the latest development tree in subversion? svn co https://svn.nmap.org/nmap
Yes

Thanks,
Luong Nguyen

2015-04-02 15:28 GMT-04:00 Daniel Miller  < bonsaiviking () gmail com > :

Luong,

Thanks for bringing this up. We have several fixes in our development source tree for issues on Solaris, but 
none with the symptom you described. Can you provide some more information so we can debug?

1. Output of nmap --version

2. Output of your command with -d

3. Can nmap find the missing hosts if scanning them individually? Like if 192.168.89.10 is shown in the 
Linux scan, on Solaris do: nmap -sn -d 192.168.89.10

4. Is there anything special or unique about your system or network? Are you running as root, or in a zone, 
or on a VM?

5. Does the problem persist with the latest development tree in subversion? svn co https://svn.nmap.org/nmap

Thanks,
Dan

On Thu, Apr 2, 2015 at 12:10 PM, Luong Nguyen  < lucasart1989 () gmail com > wrote:
Hi Dev,

I am using Nmap 6.47 for testing in Solaris 10.
Run command: nmap -sP 192.168.89.0/24
But it only detects 4 hosts up on my subnet.
On Linux, nmap detects 60 hosts up on the same subnet.

Could you please help to check this issue?

Thanks,
Luong Nguyen.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at  http://seclists.org/nmap-dev/
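
Added example, not part of the thread and not Nmap code: a check that decodes the capture filter printed by --packet-trace back into the MAC address it waits for and compares it with the bge0 address from ifconfig. The function names, the peer MAC and the ARP reply bytes are constructed for illustration; the filter line and both interface MACs are copied from the messages above.

```python
import re
import socket
import struct

TRACE_FILTER = "arp and arp[18:4] = 0x00000100 and arp[22:2] = 0x0843"  # from the trace
IFCONFIG_MAC = "00:03:ba:18:59:5f"  # bge0 MAC reported in the thread
_TERM = re.compile(r"arp\[(\d+):(\d+)\]\s*=\s*0x([0-9A-Fa-f]+)")

def filter_terms(filter_text):
    """Return [(offset, raw_bytes)] for each arp[off:len] = 0x... comparison."""
    return [(int(off), int(val, 16).to_bytes(int(length), "big"))
            for off, length, val in _TERM.findall(filter_text)]

def mac_from_filter(filter_text):
    """Rebuild the ARP target hardware address (ARP bytes 18..23) the filter pins."""
    tha, covered = bytearray(6), 0
    for off, raw in filter_terms(filter_text):
        if off < 18 or off + len(raw) > 24:
            raise ValueError("comparison outside the target hardware address")
        tha[off - 18:off - 18 + len(raw)] = raw
        covered += len(raw)
    if covered != 6:
        raise ValueError("filter does not pin all 6 address bytes")
    return ":".join(f"{b:02x}" for b in tha)

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP reply (constructed test input)."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # htype, ptype, hlen, plen, op=reply
            + mac(sender_mac) + socket.inet_aton(sender_ip)
            + mac(target_mac) + socket.inet_aton(target_ip))

def filter_accepts(filter_text, arp_payload):
    """Evaluate only the byte comparisons of the filter against an ARP payload."""
    return all(arp_payload[off:off + len(raw)] == raw
               for off, raw in filter_terms(filter_text))

if __name__ == "__main__":
    waited_for = mac_from_filter(TRACE_FILTER)
    print("filter waits for", waited_for, "| ifconfig reports", IFCONFIG_MAC)
    peer = "02:00:00:00:00:10"  # constructed placeholder for the target's MAC
    for mac_addr in (waited_for, IFCONFIG_MAC):
        reply = arp_reply(peer, "192.168.89.10", mac_addr, "192.168.89.34")
        verdict = "captured" if filter_accepts(TRACE_FILTER, reply) else "ignored"
        print("reply addressed to", mac_addr, "->", verdict)
```

A mismatch between the decoded address and the ifconfig address is the condition to look for when an ARP ping scan reports hosts down that answer with --send-ip.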