
Nmap not making arp requests to gateway (v7.70, Windows) #1661

Open
xrmon opened this issue Jul 16, 2019 · 3 comments

Comments

@xrmon

commented Jul 16, 2019

I am connected to the network 10.12.0.0/22 (10.10.12.0-10.10.15.255), on Windows via an OpenVPN connection. The network includes a gateway, 10.10.12.1, which provides access to the 10.10.10.0/24 network. The routing table displays this route when I run route print:

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
       10.10.10.0    255.255.255.0       10.10.12.1      10.10.14.49    281

When attempting a ping sweep on the 10.10.10.0/24 network with the command nmap -sn -PE 10.10.10.0/24, no live hosts are found. When examining the packets sent in Wireshark, every ICMP echo request is sent to the MAC address of 00:00:00:00:00:00. Based on my knowledge of networking (which may be incorrect), the MAC address of the gateway should be found based on an ARP request, and the ICMP packets should be sent to the gateway.

I can confirm that no such ARP request has been made by viewing the arp table with the command arp -a. There is no entry for the machine 10.10.12.1. However, if I manually ping the gateway using ping 10.10.12.1, or ping a host with ping 10.10.10.128, the address of the gateway is resolved via ARP and stored in the ARP table:

Interface: 10.10.14.49 --- 0x2
  Internet Address      Physical Address      Type
  10.10.12.1            00-ff-01-7c-45-7b     dynamic

Once the MAC address is resolved by manually pinging something, the nmap ping sweep works as expected. The problem is not affected by running nmap from an elevated command prompt.

@dmiller-nmap

commented Jul 25, 2019

Thanks for the very interesting bug report! Please provide a couple additional details:

  1. Output of nmap --route-dst 10.10.10.1
  2. Output of nmap --iflist

Does scanning through a default gateway work correctly? In other words, does this appear to be limited to routes that use a specific gateway address for a specific network?

@dmiller-nmap

commented Jul 25, 2019

Oh, I thought of a couple other important points:

  1. Does an older version of Nmap work correctly?
  2. Are there any unusual messages in the output like "Failed to determine dst MAC address for target"?
@xrmon


commented Jul 25, 2019

Here we go:

  1. nmap --route-dst 10.10.10.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-25 23:26 GMT Daylight Time
10.10.10.1
eth2 eth2 srcaddr 10.10.12.184 nexthop 10.10.12.1
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.26 seconds
  2. nmap --iflist
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-25 23:26 GMT Daylight Time
************************INTERFACES************************
DEV  (SHORT) IP/MASK                                 TYPE     UP MTU   MAC
eth0 (eth0)  fdb2:2c26:f4e4:0:7541:dc1a:daef:ec62/64 ethernet up 1500  00:1C:42:47:17:3A
eth0 (eth0)  fe80::7541:dc1a:daef:ec62/64            ethernet up 1500  00:1C:42:47:17:3A
eth0 (eth0)  10.211.55.13/24                         ethernet up 1500  00:1C:42:47:17:3A
eth1 (eth1)  fe80::f88f:f451:6b8e:e7d/64             ethernet up 1500  02:00:4C:4F:4F:50
eth1 (eth1)  169.254.14.125/16                       ethernet up 1500  02:00:4C:4F:4F:50
lo0  (lo0)   ::1/128                                 loopback up 65536
lo0  (lo0)   127.0.0.1/8                             loopback up 65536
eth2 (eth2)  dead:beef:2::10b6/64                    ethernet up 1500  00:FF:00:7C:45:7B
eth2 (eth2)  fe80::9070:4e62:4d00:59b7/64            ethernet up 1500  00:FF:00:7C:45:7B
eth2 (eth2)  10.10.12.184/22                         ethernet up 1500  00:FF:00:7C:45:7B

DEV    WINDEVICE
eth0   \Device\NPF_{ADD764A0-0078-44BD-B2E8-F318806C5F38}
eth0   \Device\NPF_{ADD764A0-0078-44BD-B2E8-F318806C5F38}
eth0   \Device\NPF_{ADD764A0-0078-44BD-B2E8-F318806C5F38}
eth1   \Device\NPF_{35A6F5BA-A592-4AE0-8EE9-FEA461F41F97}
eth1   \Device\NPF_{35A6F5BA-A592-4AE0-8EE9-FEA461F41F97}
lo0    \Device\NPF_{3F89AF32-2519-4FD7-AE36-F9C66CAD0FB1}
lo0    \Device\NPF_{3F89AF32-2519-4FD7-AE36-F9C66CAD0FB1}
eth2   \Device\NPF_{007C457B-A374-4538-8C57-56A2E42BA029}
eth2   \Device\NPF_{007C457B-A374-4538-8C57-56A2E42BA029}
eth2   \Device\NPF_{007C457B-A374-4538-8C57-56A2E42BA029}
<none> \Device\NPF_{8163A71E-B312-4036-AFF9-999BED189405}
<none> \Device\NPF_{A6E0316D-2F08-47B9-8DD9-23C675B9D44F}
<none> \Device\NPF_{B28093CA-48A6-4A19-AB1E-82C37CC32FDC}

**************************ROUTES**************************
DST/MASK                                 DEV  METRIC GATEWAY
255.255.255.255/32                       eth1 281
169.254.14.125/32                        eth1 281
169.254.161.221/32                       lo0  281
10.10.12.184/32                          eth2 281
10.10.15.255/32                          eth2 281
255.255.255.255/32                       eth0 281
10.211.55.13/32                          eth0 281
10.211.55.255/32                         eth0 281
169.254.255.255/32                       lo0  281
255.255.255.255/32                       eth2 281
169.254.255.255/32                       eth1 281
255.255.255.255/32                       lo0  281
127.0.0.1/32                             lo0  331
127.255.255.255/32                       lo0  331
255.255.255.255/32                       eth0 331
10.10.10.0/24                            eth2 281    10.10.12.1
10.211.55.0/24                           eth0 281
10.10.12.0/22                            eth2 281
169.254.0.0/16                           lo0  281
169.254.0.0/16                           eth1 281
127.0.0.0/8                              lo0  331
224.0.0.0/4                              eth2 281
224.0.0.0/4                              lo0  281
224.0.0.0/4                              eth0 281
224.0.0.0/4                              eth1 281
224.0.0.0/4                              eth0 331
0.0.0.0/0                                eth0 25     10.211.55.1
fe80::f88f:f451:6b8e:e7d/128             eth1 281
fe80::7541:dc1a:daef:ec62/128            eth0 281
fdb2:2c26:f4e4:0:7541:dc1a:daef:ec62/128 eth0 281
fe80::9070:4e62:4d00:59b7/128            eth2 281
dead:beef:2::10b6/128                    eth2 281
fe80::c9d6:3b2b:a314:a1dd/128            lo0  281
::1/128                                  lo0  331
dead:beef:2::/64                         eth2 25     fe80::8
dead:beef::/64                           eth2 281    fe80::8
fe80::/64                                eth1 281
fdb2:2c26:f4e4::/64                      eth0 281
fe80::/64                                eth0 281
fe80::/64                                lo0  281
fe80::/64                                eth2 281
ff00::/8                                 eth0 281
ff00::/8                                 lo0  281
ff00::/8                                 eth1 281
ff00::/8                                 eth2 281
ff00::/8                                 eth0 331
::/0                                     eth0 281    fe80::21c:42ff:fe00:18

Scanning through the default gateway appears to work correctly.

  1. After going back through some old versions, versions 7.25BETA1 and later appear to display this issue. Versions 7.12 and earlier failed to detect the host at all, presumably due to some long-fixed bug in those versions.

  2. No unusual messages are printed
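An added example (not from this issue or from Nmap's own code) that reproduces the routing decision the reporter expects: a longest-prefix match over a constructed subset of the ROUTES table above, then a lookup of the address that has to be ARPed (the gateway for the 10.10.10.0/24 route, the target itself for on-link destinations) in a constructed arp -a cache. A missing cache entry corresponds to the all-zero destination MAC seen in Wireshark.

```python
import ipaddress

# Constructed subset of the ROUTES table from `nmap --iflist` in this issue
# (columns: DST/MASK, DEV, METRIC, optional GATEWAY).
ROUTES_TEXT = """\
10.10.12.184/32                          eth2 281
10.10.10.0/24                            eth2 281    10.10.12.1
10.10.12.0/22                            eth2 281
0.0.0.0/0                                eth0 25     10.211.55.1
"""

# Constructed `arp -a` cache: the default gateway is resolved, but the
# 10.10.12.1 next hop has not been ARPed yet (the state the reporter describes).
ARP_TEXT = """\
  10.211.55.1           00-1c-42-00-00-18     dynamic
"""

def parse_routes(text):
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        net = ipaddress.ip_network(parts[0], strict=False)
        gw = ipaddress.ip_address(parts[3]) if len(parts) > 3 else None
        routes.append((net, parts[1], int(parts[2]), gw))
    return routes

def parse_arp(text):
    cache = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            cache[ipaddress.ip_address(parts[0])] = parts[1].replace("-", ":").lower()
    return cache

def next_hop(target, routes):
    """Longest-prefix match (lower metric breaks ties). Returns (dev, address
    that must be ARPed): the gateway for gateway routes, else the target."""
    target = ipaddress.ip_address(target)
    matches = [r for r in routes if target in r[0]]
    net, dev, metric, gw = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return dev, (gw if gw is not None else target)

def frame_dst_mac(target, routes, arp_cache):
    """MAC the echo request must be addressed to, or None when the next hop is
    unresolved, i.e. the frame would go out with an all-zero destination."""
    dev, hop = next_hop(target, routes)
    return arp_cache.get(hop)
```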
