Nmap Development: Problems with nmap, raw packets, and PPPoE

Problems with nmap, raw packets, and PPPoE

From: Damian Gerow <dgerow_at_afflictions.org>
Date: Tue, 11 Apr 2006 16:34:44 -0400

I've just installed an OpenBSD snapshot from yesterday, and I've run into a
bit of an issue using nmap to scan anything over the PPPoE link when raw
packets are required (i.e. SYN scan, OS fingerprinting):

    # nmap -sS -P0 -p 80,81 192.168.0.1

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-04-11 16:18 EDT
    WARNING: Unable to find appropriate interface for system route to 0.0.0.1

    WARNING: Unable to find appropriate interface for system route to 0.0.0.0

    nexthost: failed to determine route to 192.168.0.1
    QUITTING!
    # nmap -sT -P0 -p 80,81 -O 192.168.0.1

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-04-11 16:23
    EDT
    WARNING: Unable to find appropriate interface for system route to
    0.0.0.1

    WARNING: Unable to find appropriate interface for system route to
    0.0.0.0

    nexthost: failed to determine route to 192.168.0.1
    QUITTING!
    #

I'm going to go out on a limb and guess it's because the system default route
is 0.0.0.1, and nmap's logic to find the associated interface fails.

I've tried specifying an interface to no avail:

    # nmap -sT -P0 -p 80,81 -O -e pppoe0 192.168.0.1

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-04-11 16:28 EDT
    WARNING: Unable to find appropriate interface for system route to 0.0.0.1

    WARNING: Unable to find appropriate interface for system route to 0.0.0.0

    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    sendto in send_ip_packet: sendto(4, packet, 60, 0, 192.168.0.1, 16) =>
    No route to host
    Sleeping 15 seconds then retrying
    sendto in send_ip_packet: sendto(4, packet, 60, 0, 192.168.0.1, 16) =>
    No route to host
    Sleeping 60 seconds then retrying
    caught SIGINT signal, cleaning up
    #

(Yes, I can manually connect to port 80 on the host in question.)

And finally, here's the output of --iflist:

    # nmap --iflist

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-04-11 16:30 EDT
    ************************INTERFACES************************
    DEV (SHORT) IP/MASK TYPE UP MAC
    lo0 (lo0) 127.0.0.1/8 loopback up
    vr0 (vr0) 10.0.0.1/30 ethernet up 00:50:BA:E8:08:B5
    fxp0 (fxp0) 172.19.206.8/24 ethernet up 00:80:5F:F7:45:53
    ral0 (ral0) 192.168.132.8/24 ethernet up 00:12:17:85:9A:3B
    fxp1 (fxp1) 10.9.22.8/24 ethernet up 00:D0:B7:23:65:34
    pppoe0 (pppoe0) 64.7.134.90/32 point2point up

    WARNING: Unable to find appropriate interface for system route to 0.0.0.1

    WARNING: Unable to find appropriate interface for system route to 0.0.0.0

    **************************ROUTES**************************
    DST/MASK DEV GATEWAY
    127.0.0.1/32 lo0 127.0.0.1
    127.0.0.0/0 lo0 127.0.0.1
    224.0.0.0/0 lo0 127.0.0.1

    #

Is this a known issue right now? Should I be chasing this down with
OpenBSD?

(Please Cc: me in responses; I don't (yet) subscribe to -dev@.)

  - Damian

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Apr 11 2006
