Nmap Development: RE: MAC replies

RE: MAC replies

From: Alex R <alex_at_deviousmeans.net>
Date: Tue, 19 Oct 2004 16:40:47 +0200

It would only work for LAN port scans. When a frame hits a router the router
strips off the Ethernet frame and then adds its own Ethernet frame matching
the MAC address. So when you get a frame back its source MAC address is from
your router. Nmap only shows MAC addresses of computers on your network
segment.

-----Original Message-----
From: mark_at_lachniet.com [mailto:mark_at_lachniet.com]
Sent: Tuesday, October 19, 2004 3:57 PM
To: Adam Jacob Muller
Cc: nmap-dev_at_insecure.org
Subject: Re: MAC replies

In a strange (but probably RARE on a LAN) case, you could have a firewall
or other device proxy-arp'ing for its NAT service or some kind of proxy,
when in fact the host on the other side of the device is actually down.
So that would be a false positive. I could see this happening if you were
portscanning, say, a DMZ from an inside network, or vice versa.

This isn't a particularly important hole in your theory, though, since
what you are describing would work pretty well for a LAN portscan in most
cases.

Mark Lachniet

> Now that nmap has the ability to log MAC addresses does it use the fact
> that it got an arp reply to establish that the host is in fact up, my
> idea here basically is that an ARP reply is basically the only sure way
> to determine if a host is up or not, if you don't get one, then that
> host must be down, if you do in 99.99% of cases it is up (feel free to
> correct me), so does, or should nmap use a positive ARP reply to say
> that the host is up?
> On top of that, ARP replies are also much faster than scanning all
> ports on closed hosts (-P0).
>
>
>
> Adam
>
>
> Where is it written in the Constitution, in what article or section is
> it contained, that you may take children from their parents and parents
> from their children, and compel them to fight the battles of any war in
> which the folly and wickedness of the government may engage itself?
> Under what concealment has this power lain hidden, which now for the
> first time comes forth, with a tremendous and baleful aspect, to
> trample down and destroy the dearest right of personal liberty? Who
> will show me any Constitutional injunction which makes it the duty of
> the American people to surrender everything valuable in life, and even
> life, itself, whenever the purposes of an ambitious and mischievous
> government may require it? . . . A free government with an uncontrolled
> power of military conscription is the most ridiculous and abominable
> contradiction and nonsense that ever entered into the heads of men.
> -Daniel Webster
>
>
> ---------------------------------------------------------------------
> For help using this (nmap-dev) mailing list, send a blank email to
> nmap-dev-help@insecure.org . List archive: http://seclists.org
>
>

Received on Oct 19 2004
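
Added example, not part of the original thread or of Nmap's code: a sketch of the two caveats raised above, that an ARP reply only identifies hosts on the scanner's own segment, and that a device proxy-ARPing for other addresses can make a down host look up. The function names, result labels, MAC addresses and documentation-range IPs are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet/IPv4 ARP reply frame (sample data only)."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, op=2 (reply)
    arp += smac + ipaddress.IPv4Address(sender_ip).packed
    arp += tmac + ipaddress.IPv4Address(target_ip).packed
    return tmac + smac + struct.pack("!H", 0x0806) + arp

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an ARP reply frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return str(ipaddress.IPv4Address(frame[28:32])), mac

def classify(targets, local_net, frames):
    """Label each target by what an ARP reply can and cannot prove about it."""
    net = ipaddress.ip_network(local_net)
    seen = dict(filter(None, map(parse_arp_reply, frames)))  # ip -> mac
    by_mac = defaultdict(set)
    for ip, mac in seen.items():
        by_mac[mac].add(ip)
    result = {}
    for t in targets:
        if ipaddress.ip_address(t) not in net:
            result[t] = "routed"  # off-segment: any MAC seen is the router's
        elif t not in seen:
            result[t] = "no-arp-reply"
        elif len(by_mac[seen[t]]) > 1:
            result[t] = "arp-reply-shared-mac"  # possible proxy ARP, confirm another way
        else:
            result[t] = "arp-reply"
    return result

# Constructed sample: one ordinary host, and one MAC answering for two addresses.
SCANNER_MAC = "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    build_arp_reply("02:00:00:00:00:10", "192.0.2.10", SCANNER_MAC, "192.0.2.5"),
    build_arp_reply("02:00:00:00:00:fe", "192.0.2.20", SCANNER_MAC, "192.0.2.5"),
    build_arp_reply("02:00:00:00:00:fe", "192.0.2.21", SCANNER_MAC, "192.0.2.5"),
]
SAMPLE_TARGETS = ["192.0.2.10", "192.0.2.20", "192.0.2.21", "192.0.2.30", "198.51.100.7"]
```

A shared MAC is only a hint: a single host with several addresses on one interface produces the same pattern, so the label asks for confirmation rather than declaring the host down.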
