Nmap Development mailing list archives

Re: nmap
From: David Fifield <david () bamsoftware com>
Date: Tue, 30 Jun 2009 13:38:09 -0600

On Tue, Jun 23, 2009 at 09:12:42AM -0400, William Gruitza wrote:
> > On Mon, Jun 22, 2009 at 02:07:33PM -0400, William Gruitza wrote:
> > > I issued the command "nmap -sS -PN -e eth17 -S 192.168.1.1 10.10.10.1"
> > > and this is the output:
> > >
> > > "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-22 13:47 Eastern
> > > Daylight Time
> > > Nmap done: 1 IP address (0 hosts up) scanned in 0.70 seconds"
> > >
> > > I don't see any packets being generated from the scan in wireshark. I'm
> > > trying to change the source IP address to test whether or not the IDS is
> > > logging packets received on an interface with the source address of
> > > another interface.
> > > I don't know where I'm missing something. Any feedback would be appreciated.

> > Add the --send-ip option to disable ARP ping scan. Try adding the
> > --packet-trace option to see what packets are being sent.
> >
> > When you spoof the source address you won't see any Nmap results. That's
> > because response packets are sent to 192.168.1.1, not back to the host
> > running Nmap. See
> > http://nmap.org/book/man-bypass-firewalls-ids.html
> >
> > It may be that something else on the network is filtering out these
> > bogus packets before Wireshark or the IDS can see them.
> > Even though you won't see Nmap results, you can do a full port scan with
> > the following command. It will send enough packets to the IDS for
> > testing.

> I added the --send-ip option and nmap returns:
>
> "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-23 09:05 Eastern
> Daylight Time
> WARNING: raw IP (rather than raw ethernet) packet sending attempted on Windows.
> This probably won't work.  Consider --send-eth next time."

I'm sorry, I forgot that --send-ip won't work on Windows. Try
--unprivileged. The idea is to disable ARP ping scan. The problem, I
think, is that while 10.10.10.1 is directly connected, it's not
connected to the interface you've chosen. Nmap should probably disable
ARP ping automatically in that case.

> Next, I removed the --send-ip option and added --send-eth and nmap returns:
>
> "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-23 09:06 Eastern
> Daylight Time
> Nmap done: 1 IP address (0 hosts up) scanned in 3.38 seconds
> Failed to resolve given hostname/IP: eth17.  Note that you can't use '/mask'
> AND '1-4,7,100-' style IP ranges"
>
> I don't think it's possible to change the source IP address in windows since
> raw ip is not supported. Maybe the solution is to run nmap from linux or just
> use a tool such as hping.

Yes, it's possible to change the source address, but this is a special
case. See if the --unprivileged option works. The error you got above
means that you made a syntax error in the command line. Make sure that
eth17 directly follows -e.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
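The condition William is trying to get his IDS to log is a packet that arrives on one interface while carrying a source address that belongs to the subnet of a different local interface. The following script is an added illustration of that ingress check from the detection side; it is not code from this thread, from Nmap, or from any IDS. The interface names, the subnet assignments, and the packet records are constructed assumptions, chosen to mirror the addresses in the thread (192.168.1.1 as the spoofed source, 10.10.10.1 as the target reached via eth17).

```python
"""
Ingress source-address sanity check (added example, not from the thread).

Flags packets whose source address belongs to the subnet of a local
interface other than the one they arrived on. This is the behaviour an
IDS or router anti-spoofing filter is expected to exhibit for the kind
of test traffic described in the thread.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed interface -> directly connected IPv4 subnet map (constructed).
INTERFACES: Dict[str, ipaddress.IPv4Network] = {
    "eth0":  ipaddress.ip_network("192.168.1.0/24"),
    "eth17": ipaddress.ip_network("10.10.10.0/24"),
}


def owning_interface(src: str) -> Optional[str]:
    """Return the local interface whose subnet contains src, or None."""
    addr = ipaddress.ip_address(src)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return None


def classify(ingress_if: str, src: str) -> str:
    """Classify one packet by its arrival interface and source address.

    'ok'       source lies in the subnet of the arrival interface
    'spoofed'  source lies in the subnet of a *different* local interface
    'foreign'  source is in no directly connected subnet (routed traffic)
    """
    owner = owning_interface(src)
    if owner is None:
        return "foreign"
    if owner == ingress_if:
        return "ok"
    return "spoofed"


def audit(packets: List[Tuple[str, str, str]]) -> List[str]:
    """Return one alert line per packet an IDS should log as spoofed.

    Each packet record is (ingress_interface, src_ip, dst_ip).
    """
    alerts = []
    for ingress_if, src, dst in packets:
        if classify(ingress_if, src) == "spoofed":
            alerts.append(
                f"ALERT spoofed source {src} (subnet of {owning_interface(src)}) "
                f"arrived on {ingress_if}, destination {dst}"
            )
    return alerts


# Constructed sample traffic. The third record is the case from the thread:
# a packet sourced from 192.168.1.1 (the eth0 subnet) arriving on eth17.
SAMPLE_PACKETS = [
    ("eth0",  "192.168.1.50", "192.168.1.1"),
    ("eth17", "10.10.10.7",   "10.10.10.1"),
    ("eth17", "192.168.1.1",  "10.10.10.1"),
    ("eth0",  "8.8.8.8",      "192.168.1.50"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print(line)
```

Run as-is it reports exactly one alert, for the eth17 record with the 192.168.1.1 source; a test harness that feeds an IDS the same traffic should see a corresponding log entry, which is the observation William's experiment is designed to confirm.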


  By Date           By Thread  

Current thread:
  • Re: nmap David Fifield (Jun 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]