From: David Fifield <david () bamsoftware com>
Date: Tue, 30 Jun 2009 13:38:09 -0600
On Tue, Jun 23, 2009 at 09:12:42AM -0400, William Gruitza wrote:
> > On Mon, Jun 22, 2009 at 02:07:33PM -0400, William Gruitza wrote:
> > > I issued the command "nmap -sS -PN -e eth17 -S 192.168.1.1 10.10.10.1"
> > > and this is the output:
> > > "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-22 13:47 Eastern
> > > Nmap done: 1 IP address (0 hosts up) scanned in 0.70 seconds"
> > > I don't see any packets being generated from the scan in Wireshark. I'm
> > > to change the source IP address to test whether or not the IDS is logging
> > > packets received on an interface with the source address of another
> > > I don't know where I'm missing something. Any feedback would be appreciated.
> >
> > Add the --send-ip option to disable ARP ping scan. Try adding the
> > --packet-trace option to see what packets are being sent.
> > When you spoof the source address you won't see any Nmap results. That's
> > because response packets are sent to 192.168.1.1, not back to the host
> > running Nmap. See
> > It may be that something else on the network is filtering out these
> > bogus packets before Wireshark or the IDS can see them.
> > Even though you won't see Nmap results, you can do a full port scan with
> > the following command. It will send enough packets to the IDS for
>
> I added the --send-ip option and nmap returns:
> "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-23 09:05 Eastern
> WARNING: raw IP (rather than raw ethernet) packet sending attempted on Windows.
> This probably won't work. Consider --send-eth next time."

I'm sorry, I forgot that --send-ip won't work on Windows. Try
--unprivileged. The idea is to disable ARP ping scan. The problem, I
think, is that while 10.10.10.1 is directly connected, it's not
connected to the interface you've chosen. Nmap should probably disable
ARP ping automatically in that case.

> Next, I removed the --send-ip option and added --send-eth and nmap returns:
> "Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-23 09:06 Eastern
> Nmap done: 1 IP address (0 hosts up) scanned in 3.38 seconds
> Failed to resolve given hostname/IP: eth17. Note that you can't use '/mask'
> AND '1-4,7,100-' style IP ranges"
> I don't think it's possible to change the source IP address in Windows since
> raw IP is not supported. Maybe the solution is to run nmap from Linux or just
> use a tool such as hping.

Yes, it's possible to change the source address, but this is a special
case. See if the --unprivileged option works. The error you got above
means that you made a syntax error in the command line. Make sure that
eth17 directly follows -e.

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
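
The condition the original poster wanted the IDS to log (a packet arriving on one interface whose source address belongs to the network on another interface) can be checked as follows. This is an added example, not part of the thread or of Nmap; the interface names, /24 masks and key=value record format are assumptions, and the sample records are constructed.

```python
import ipaddress
import re

# Assumed sensor interfaces and /24 masks (hypothetical); addresses are from the thread.
LOCAL_NETS = {
    "eth0": ipaddress.ip_network("192.168.1.0/24"),
    "eth1": ipaddress.ip_network("10.10.10.0/24"),
}

# Constructed sample records (key=value, one packet per line).
SAMPLE_LOG = """\
IN=eth1 SRC=10.10.10.7 DST=10.10.10.1 DPT=443
IN=eth1 SRC=192.168.1.1 DST=10.10.10.1 DPT=22
IN=eth1 SRC=192.168.1.1 DST=10.10.10.1 DPT=80
IN=eth0 SRC=192.168.1.1 DST=192.168.1.20 DPT=53
IN=eth1 SRC=203.0.113.9 DST=10.10.10.1 DPT=25
"""

RECORD = re.compile(r"IN=(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)")


def owning_interface(src):
    """Return the interface whose attached network contains src, or None."""
    addr = ipaddress.ip_address(src)
    for iface, net in LOCAL_NETS.items():
        if addr in net:
            return iface
    return None


def find_spoofed(log_text):
    """Return {(arrival_iface, src): sorted dports} for sources that belong to
    another interface's network. Non-local sources are skipped: judging them
    needs the routing table, which this example does not model."""
    alerts = {}
    for line in log_text.splitlines():
        m = RECORD.fullmatch(line.strip())
        if not m:
            continue  # ignore lines that are not packet records
        iface, src, _dst, dport = m.groups()
        owner = owning_interface(src)
        if owner is not None and owner != iface:
            alerts.setdefault((iface, src), set()).add(int(dport))
    return {key: sorted(ports) for key, ports in alerts.items()}


if __name__ == "__main__":
    for (iface, src), ports in find_spoofed(SAMPLE_LOG).items():
        print(f"{src} seen on {iface}, expected on {owning_interface(src)}: {ports}")
```

The same source address is accepted when it arrives on eth0 and flagged only when it arrives on eth1, which is the distinction the IDS test in the thread depends on.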