Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: FW: Zenmap from inside network
From: David Fifield <david () bamsoftware com>
Date: Wed, 22 Apr 2009 09:56:55 -0600

On Wed, Apr 22, 2009 at 10:47:39AM -0400, Joe DeMicco wrote:
Thanks for the fast response. It makes sense that if the source
address is not on the same network being scanned the replies won't
reach the host the scans are originating from. However, what is a bit
confusing is if the scanned host is on the same IP subnet as the host
originating the scans how can the replies come back. The layer two mac
address will be cached on the scanned server but when the replies come
back to the scanning machine and get passed from layer two to layer
three the ip address won't match and the packet will be dropped.

Usually the source address has to match one of the scanning machine's
external addresses in order for scanning to work. If you are running
with root privileges (promiscuous mode), then you can also use an
address on the same subnet, at least in a broadcast network. (I wasn't
sure that would work but I just tried and it does.)

I think there may still be a way to get this to work. What if I create
a secondary IP address to match the spoofed source address on the
scanning machine. My question is if there's a legitimate host on the
network with this spoofed secondary address will there be a conflict?

Right, that's the usual way to do it, but you have to make sure that the
packets from the target host will be routed back to the scanning host.
If you are testing firewall rules that make a distinction between
internal and external addresses, then you will want to use an external
source address, and and that will probably not be routed back to your
internal machine by default. If you want to see how the network looks
from the outside, the best thing to do is to scan it from the outside.

If you're using an internal address (same subnet), then yes, you should
not use an address that is already assigned to another host.

David Fifield

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]