Add command line switch to set destination MAC address #1783

bka-dev opened this issue Oct 13, 2019 · 1 comment



@bka-dev bka-dev commented Oct 13, 2019

Good afternoon,

while Nmap already allows setting a custom source MAC address via --spoof-mac, there is no command line switch available to set the destination MAC address.

This option might be useful when scanning multihomed devices, on which the target MAC address might not be the one which was derived by earlier ARP responses (or in cases where there is no entry in the routing table pointing to the target network).

Since Nmap relies on the routing table of the operating system, the only way to perform such a scan is to manually set a route to the hidden network with the target MAC address as the gateway.

A separate command line switch like "--dst-mac <mac>" or similar could help to speed this up. What are your thoughts?





@dmiller-nmap dmiller-nmap commented Oct 23, 2019

This is an interesting idea, though we would want a solution that scales to multiple targets. As an example of another address mapping that allows local override, DNS names can be mapped to IP addresses in the hosts file, which Nmap consults prior to attempting reverse-DNS lookup. Forward lookups use the OS-specific mechanisms via getaddrinfo(), which usually similarly prefer /etc/hosts or equivalent.

Similarly, /etc/services maps service names to port numbers, but Nmap ships and uses its own nmap-services file to override the system-provided one. We don't currently do the same for MAC-to-IP mapping, but that could possibly be done.

The preferred solution at the moment is to manipulate the OS's ARP tables using tools like route or arp. Nmap can then use standard API calls to retrieve the addresses from these sources.
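
The ARP-table approach described in the comment above, extended to several targets, as an added example that is not part of the thread and not Nmap code. It assumes Linux with iproute2; the "IP MAC" mapping format, the script name and the function names are hypothetical, and the addresses in the usage are constructed.

```shell
#!/bin/sh
# Added example (not Nmap code): build static neighbour (ARP) entries from a
# constructed "IP MAC" mapping so the OS table holds the wanted destination MACs.
# Prints ip(8) commands only; review them, then run them as root.

# valid_mac MAC: succeeds for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# valid_ipv4 ADDR: succeeds for a dotted quad with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the (already digit-only) address on dots
    IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# neigh_cmds IFACE < MAPFILE
# One "ip neigh replace" line per valid entry on stdout, one warning per
# rejected entry on stderr. Returns 1 if anything was rejected, 2 on a bad IFACE.
neigh_cmds() {
    iface=$1; rc=0; n=0
    case $iface in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 2 ;;
    esac
    while read -r ip mac rest; do
        n=$((n + 1))
        case $ip in ''|'#'*) continue ;; esac     # blank line or comment
        if [ -z "$rest" ] && valid_ipv4 "$ip" && valid_mac "$mac"; then
            printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' \
                "$ip" "$mac" "$iface"
        else
            echo "line $n rejected: $ip $mac $rest" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh pin-neigh.sh IFACE MAPFILE
if [ "$#" -eq 2 ]; then neigh_cmds "$1" < "$2"; fi
```

A permanent neighbour entry is only consulted when the target is on-link on that interface, and it stays in place until removed with `ip neigh del`.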
