Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: nmap vs multiple IP address on one NIC
From: David Fifield <david () bamsoftware com>
Date: Mon, 19 Nov 2007 23:25:06 -0700

On Wed, Oct 31, 2007 at 09:41:27AM +0300, preacherandrew () mail ru wrote:
On Tue, Oct 23, 2007, Fyodor wrote:
On Fri, Oct 19, 2007 at 04:36:45PM +0400, preacherandrew () mail ru wrote:
Hi, Fyodor.

My config:
Windows 2000; one NIC; in TCP/IP properties set multiple IP addresses

Hi Andrew.  Thanks for your report.  Maybe we need to move tne
entry->>intf_len assignment.  Would you please email your report to
nmap-dev () insecure org so that more people have a chance to look at it?

Thanks,
-F
Hi Fyodor. I have send my report to nmap-dev () insecure org  But may be
problem is wider. I try to fix the problem moving
memset(entry, 0, sizeof(*entry));
from "_ifrow_to_entry" function and code fragment "set aliases" is
executed. But this fix don't help me in my case ("multiple IP addresses on one
network card").
Point is that nmap use only one from addresses
returned by GetIpAddrTable. Becase that nmap's rerults may be inadequate.

For example:
host has two IP adresses on one network card -
192.168.160.12/24 and 192.168.2.3/24. Default router - 192.168.160.254.
1) I run "nmap --iflist".
2) GetIpAddrTable returns addresses is such order: 192.168.2.3,
192.168.160.12.
2) Nmap take into account only first address returned by GetIpAddrTable- 192.168.2.3.
3) Then nmap try verify default router using this address
(192.168.2.3). This results "WARNING: Unable to find appropriate interface for system
route to 192.168.160.254" (more precisely lot such warnings - for
almost each entry in "route print"). In reality, default router is ok - it is
reachable from host's other address (192.168.160.12), but nmap doesn't take
into account other address.

Thanks for the detailed report. Can you try the attached patch?

I don't know too much about Windows networking. I set up a Windows XP
computer with two IP addresses on different subnets on the same NIC.
This is what nmap --iflist displays with the patch:

Starting Nmap 4.23RC2 ( http://insecure.org ) at 2007-11-19 23:16 Pacific Standard Time
************************INTERFACES************************
DEV  (SHORT) IP/MASK          TYPE     UP MAC
eth0 (eth0)  192.168.1.202/24 ethernet up 00:D0:59:B7:66:0B
eth0 (eth0)  192.168.0.203/24 ethernet up 00:D0:59:B7:66:0B
lo0  (lo0)   127.0.0.1/8      loopback up

DEV  WINDEVICE
eth0 \Device\NPF_{FBA5E85C-7959-4351-8D7A-09F319B090A7}
lo0  \Device\NPF_GenericDialupAdapter

**************************ROUTES**************************
DST/MASK           DEV  GATEWAY
192.168.1.255/32   eth0 192.168.1.202
192.168.1.202/32   lo0  127.0.0.1
192.168.0.203/32   lo0  127.0.0.1
192.168.0.255/32   eth0 192.168.0.203
255.255.255.255/32 eth0 192.168.1.202
192.168.1.0/0      eth0 192.168.1.202
192.168.0.0/0      eth0 192.168.0.203
127.0.0.0/0        lo0  127.0.0.1
224.0.0.0/0        eth0 192.168.1.202
0.0.0.0/0          eth0 192.168.0.1

Is it weird to have both interfaces called "eth0" even though one is an
alias of the other? This matches what happens on Linux except that Linux
provides suffixed names like eth0:1. Anyway this patch makes port scans
on either subnet work for me.

Gianluca, can you try this patch too? There's a slight chance that it
will have an effect on the problem you've observed in
http://seclists.org/nmap-dev/2007/q4/0290.html.

David Fifield

Attachment: intf-win.diff
Description:


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]