Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: nmap target selection questions
From: Abuse007 <abuse007 () gmail com>
Date: Sun, 29 May 2011 17:33:17 +1000

Some of the addresses are multicast (e.g. 224.0.0.22) or broadcast (e.g. 255.255.255.255).  For outbound traffic nmap 
may be confused about which interface to use as the egress since it is ambiguous, by using the -e the ambiguity is 
removed. The MAC addresses are based off the IP address so ARP is not used.

For receiving multicast (considering 224.0.0.22) depending on the drivers, the interfaces may have to "subscribe" to 
the mcast otherwise they won't receive traffic destined to those addresses. I don't mean IGMP joins, as these are link 
local mcast addresses.

On 28/05/2011, at 2:45 PM, David Fifield <david () bamsoftware com> wrote:

On Tue, May 24, 2011 at 02:53:21PM -0700, Dexter Liu wrote:
Hi nmap-dev:

I'm not sure this if this is the best place to post this (so if there's a 
better place please point the way!). I'm trying to use nmap to scan a 
whole bunch of IPs I got from an arp call on Windows. So I'm running 
something like this:

C:\testing\nmap-5.21-win32\nmap-5.21\nmap.exe -sV -sS -sU -p 
T:22,T:23,T:80,T:135,T:139,T:445,T:235,T:61616,U:52311 -O --osscan-guess 
-T 4 -oX nmapoutput 192.168.104.1, 192.168.104.10, 192.168.104.31, 
192.168.104.51, 192.168.104.71, 192.168.104.86, 192.168.104.176, 
192.168.104.197, 192.168.104.234, 192.168.104.235, 192.168.105.18, 
192.168.105.27, 192.168.106.4, 192.168.107.140, 192.168.107.255, 
224.0.0.22, 224.0.0.252, 239.255.255.250, 255.255.255.255, 9.0.8.1, 
9.0.9.1, 9.6.96.153, 9.6.96.179, 9.7.2.18, 9.7.2.62, 9.8.33.67, 9.8.33.80, 
9.9.72.23, 9.12.178.42, 9.13.44.147, 9.13.44.148, 9.17.136.83, 
9.17.205.111, 9.17.205.112, 9.17.205.114, 9.17.205.115, 9.17.205.116, 
9.18.21.20, 9.18.24.55, 9.18.81.58, 9.18.96.68, 9.18.96.69, 9.23.139.100, 
9.23.139.101, 9.25.130.38, 9.44.50.80, 9.44.50.100, 9.44.50.102, 
9.44.50.104, 9.44.51.57, 9.45.114.169, 9.45.124.64, 9.51.48.10, 
9.51.48.18, 9.51.48.132, 9.56.8.13, 9.56.248.124, 9.56.252.115, 
9.56.252.116, 9.56.252.117, 9.56.252.118, 9.63.36.19, 9.63.40.12, 
9.65.61.255, 9.177.11.162, 9.177.11.173, 224.0.0.22, 224.0.0.252, 
239.255.255.250

nmap fails when at 244.0.0.22 with this error message: nexthost: Failed to 
determine dst MAC address for target 224.0.0.22 QUITTING!

I have a couple of questions:

-First is there a switch or option that lets me continue scanning the rest 
of the IPs even though nmap fails on a particular IP? If 244.0.0.22 was 
the first target I specified, I would have errored out at the beginning 
and gotten zero results

No. Ideally we would detect this as early in the scan as possible, so
you could at least remove those addresses right away and now have to
wait for a half-finished scan.

-Second if I specify specific network interfaces with -e (specifically 
lo0), 244.0.0.22 scans as well, but other IPs fail. Is there a way I can 
specify a pool of network interfaces nmap should use when doing scanning, 
so that if one interface fails it can try again on another?

No, sorry again. Currently the best you can do is split targets into
groups and run them in separate scans, with a different interface for
each. I don't think that a pool of interfaces is really what you want
here, though. If Nmap can't find the proper interface it would still
have trouble.

-Also I thought nmap was supposed to automatically figure out interfaces 
to run the scan on. It seems to work the large majority of the time. Why 
did I have to -e for some of them to get results? What are different about 
those IPs?

This likely depends on your specific routing table. Please send me the
output of
      nmap --iflist
Also, please try the latest version (5.51SVN) from
http://nmap.org/download.html#windows and see if the problem has already
been solved.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]