Nmap '-e' switch not always use the specyfied interface.

[cloudziu]

Hello everyone

The case

Topology:

+--------------------------+   ETH0
|                          |   NETWORKS 192.168.X.X/16  (NO 10.X.X.X/8 CIDR)
|  HOST A   +----+         +--+
|           |nmap+---------------->
|           +----+         +--+
|                          |
|                          |
|                          |
|                          |
|                          |
|                          |    ETH1
|                          +--+ NETWORKS 10.1.93.X/24
|                          |  |
|                          +--+
+--------------------------+

From host A I want to regularly scan for addresses within every private CIDR at eth0, by using nmap -e param.

• 10.0.0.0/8
• 172.16.0.0/16
• 192.168.0.0/16

BUT not the hosts from eth1
To ensure that this is working correctly, I intentionally configured a script that will search for CIDR from eth1 ( 10.1.93.0/24 ), but enforce nmap to use eth0. It is executed every 10 minutes.
nmap command:

sudo nmap -sT -O -T4 --script smb-os-discovery.nse --dns-servers 192.168.2.1 -e eth0 -oX - 10.1.93.0/24

Script was running for last two weeks. Every nmap result showed

Total: 256
Up: 0
Down: 256 

except one... That perfectly scanned endpoints from "eth0"

The worst part is that I have no idea what caused it. I was searching for something abnormal in Linux logs, and found nothing.
I can't reproduce this in any way. Can ARP generated by nmap somehow ignore the -e param ?

thank you in advance

[dmiller-nmap]

Thanks for this report. It is possible that -sT is not compatible with the -e option, but I haven't checked. Can you please provide the output of the following commands so we can better diagnose?

• nmap --version
• nmap -e eth0 --route-dst 10.1.93.1

[cloudziu]

Hello @dmiller-nmap, thank you for your willingness to help ! !

# nmap --version
  Nmap version 7.70 ( https://nmap.org )
  Platform: x86_64-pc-linux-gnu
  Compiled with: liblua-5.3.3 openssl-1.1.1d libssh2-1.8.0 libz-1.2.11 libpcre-8.39 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
  Compiled without:
  Available nsock engines: epoll poll select


# nmap -e eth0 --route-dst 10.1.93.2   (10.1.93.2 is eht1 interface addr, so it could give false-positives, routing on loopback interface) 
  Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 06:38 UTC
  10.1.93.2
  eth0 eth0 srcaddr 192.168.2.179 nexthop 192.168.2.1
  WARNING: No targets were specified, so 0 hosts scanned.
  Nmap done: 0 IP addresses (0 hosts up) scanned in 0.38 seconds

Additionally:

# nmap --route-dst 10.1.93.10
  Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-18 06:48 UTC
  10.1.93.10
  eth1 eth1 srcaddr 10.1.93.1 direct
  WARNING: No targets were specified, so 0 hosts scanned.
  Nmap done: 0 IP addresses (0 hosts up) scanned in 0.36 seconds

Like I said earlier, one of a thousand runs gives results from eth1. I'm not even sure if this is nmap problem, or there is SOMETHING in the environment that causes it. I will appreciate every hint !