Home page logo
/

nmap-dev logo Nmap Development mailing list archives

--spoof-mac didn't work for me
From: "Amit Khanna" <amit.khanna () nevisnetworks com>
Date: Mon, 6 Feb 2006 11:17:59 +0530

Hi,

 

This is the nmap version I am using

==========================

[root () tbfpga-host12 root]# nmap -v

 

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-06 10:39
IST

No target machines/networks specified!

QUITTING!

 

This is the mac of my interface

========================

 [root () tbfpga-host12 root]# ifconfig eth2 | grep HW

eth2      Link encap:Ethernet  HWaddr 00:0D:88:FC:ED:E1

 

This is how I run nmap

[root () tbfpga-host12 root]# nmap -sT -P0 --spoof-mac 00:11:22:33:44:55
11.10.5.1 -p 23 -e eth2

 

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-06 11:03
IST

Spoofing MAC address 00:11:22:33:44:55 (Cimsys)

Interesting ports on 11.10.5.1:

PORT   STATE SERVICE

23/tcp open  telnet

 

Nmap finished: 1 IP address (1 host up) scanned in 0.480 seconds

 

This is what I see on the interface

[root () tbfpga-host12 root]# tethereal -i eth2 -x

tethereal: Symbol `pcap_version' has different size in shared object,
consider re-linking

Capturing on eth2

  0.000000     50.1.4.2 -> 11.10.5.1    TCP 44963 > telnet [SYN]
Seq=4243116890 Ack=0 Win=5840 Len=0

 

0000  00 08 a1 7e 51 d6 00 0d 88 fc ed e1 08 00 45 00   ...~Q.........E.

0010  00 3c 8b 70 40 00 40 06 69 3e 32 01 04 02 0b 0a   .<.p ()  @.i>2.....

0020  05 01 af a3 00 17 fc e8 d3 5a 00 00 00 00 a0 02   .........Z......

0030  16 d0 11 74 00 00 02 04 05 b4 04 02 08 0a 01 8d   ...t............

0040  58 2a 00 00 00 00 01 03 03 00                     X*........

 

  0.000516    11.10.5.1 -> 50.1.4.2     TCP telnet > 44963 [SYN, ACK]
Seq=600908178 Ack=4243116891 Win=5792 Len=0

 

0000  00 0d 88 fc ed e1 00 08 a1 7e 51 d6 08 00 45 00   .........~Q...E.

0010  00 3c 00 00 40 00 40 06 f4 ae 0b 0a 05 01 32 01   .<.. ()  @.......2.

0020  04 02 00 17 af a3 23 d1 21 92 fc e8 d3 5b a0 12   ......#.!....[..

0030  16 a0 04 a4 00 00 02 04 05 b4 04 02 08 0a 1c ce   ................

0040  aa bd 01 8d 58 2a 01 03 03 00                     ....X*....

 

  0.000536     50.1.4.2 -> 11.10.5.1    TCP 44963 > telnet [ACK]
Seq=4243116891 Ack=600908179 Win=5840 Len=0

 

0000  00 08 a1 7e 51 d6 00 0d 88 fc ed e1 08 00 45 00   ...~Q.........E.

0010  00 34 8b 71 40 00 40 06 69 45 32 01 04 02 0b 0a   .4.q ()  @.iE2.....

0020  05 01 af a3 00 17 fc e8 d3 5b 23 d1 21 93 80 10   .........[#.!...

0030  16 d0 33 39 00 00 01 01 08 0a 01 8d 58 2a 1c ce   ..39........X*..

0040  aa bd                                             ..

 

  0.003644     50.1.4.2 -> 11.10.5.1    TCP 44963 > telnet [RST, ACK]
Seq=4243116891 Ack=600908179 Win=5840 Len=0

 

0000  00 08 a1 7e 51 d6 00 0d 88 fc ed e1 08 00 45 00   ...~Q.........E.

0010  00 34 8b 72 40 00 40 06 69 44 32 01 04 02 0b 0a   .4.r ()  @.iD2.....

0020  05 01 af a3 00 17 fc e8 d3 5b 23 d1 21 93 80 14   .........[#.!...

0030  16 d0 33 34 00 00 01 01 08 0a 01 8d 58 2b 1c ce   ..34........X+..

0040  aa bd                                             ..

 

The problem

==========

Nmap says that it is spoofing the MAC address but the packets I see on
the inteface have the original MAC and not the one that I had requested
Nmap to spoof.

 

What could be the problem? Am I missing something?

Please help.

 

Some more info

[root () tbfpga-host12 root]# uname -a

Linux tbfpga-host12 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686
i386 GNU/Linux

 

Thanks,

Amit Khanna

 



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev


  By Date           By Thread  

Current thread:
  • --spoof-mac didn't work for me Amit Khanna (Feb 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault