Interfaces cannot be enumerated on pure IPv6 Linux #2416

nnposter opened this issue Dec 19, 2021 · 2 comments


nnposter commented Dec 19, 2021

Interfaces cannot be enumerated on a Linux system (Ubuntu 18.04 tested) if it completely lacks IPv4 addresses (including the loopback):

$ ./nmap --iflist
Starting Nmap 7.92SVN ( ) at 2021-12-18 19:06 MST

As expected, a privileged scan will fail:

$ ./nmap -6 ::1
Starting Nmap 7.92SVN ( ) at 2021-12-18 19:08 MST
route_dst_netlink: can't find interface "lo"

Adding a single IPv4 address to any one of the interfaces is an effective workaround:

$ ip a add dev ens38
$ nmap --iflist
Starting Nmap 7.92SVN ( ) at 2021-12-18 19:11 MST
DEV   (SHORT) IP/MASK                      TYPE     UP MTU   MAC
ens38 (ens38)             ethernet up 1500  00:0C:29:D5:7E:57
ens38 (ens38) fe80::4eec:c4e9:392b:bb7d/64 ethernet up 1500  00:0C:29:D5:7E:57
ens33 (ens33) (none)/0                     ethernet up 1500  00:0C:29:D5:7E:4D
lo    (lo)    (none)/0                     loopback up 65536
lo    (lo)    ::1/128                      loopback up 65536

DST/MASK                      DEV   METRIC GATEWAY
                              ens38 0
::1/128                       lo    0
fe80::4eec:c4e9:392b:bb7d/128 ens38 0
::1/128                       lo    256
fe80::/64                     ens38 101
fe80::/64                     ens38 256
ff00::/8                      ens38 256

$ nmap -6 ::1
Starting Nmap 7.92SVN ( ) at 2021-12-18 19:11 MST
Nmap scan report for ip6-localhost (::1)
Host is up (0.0000040s latency).
Not shown: 999 closed tcp ports (reset)
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

The issue can be traced to a SIOCGIFCONF ioctl call in libdnet:

if (ioctl(intf->fd, SIOCGIFCONF, &intf->ifc) < 0) {

Specifically, the call succeeds but returns a zero-length array of ifreq structures, which is not altogether surprising. Quoting from the manpage for netdevice:

Return a list of interface (transport layer) addresses. This currently means only addresses of the AF_INET (IPv4) family for compatibility.

The zero-length array is rejected later in the code:

if (intf->ifc.ifc_len < (int)sizeof(*ifr)) {
errno = EINVAL;
return (-1);

I have not investigated what the best course of remediation could be.
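
The behaviour described in the report above, as an added example (not part of the issue and not Nmap or libdnet code): it counts what SIOCGIFCONF returns next to what getifaddrs() returns on the same Linux host. The helper names and the 64-entry buffer are assumptions of this example.

```c
#define _GNU_SOURCE  /* expose struct ifreq and getifaddrs() under strict -std= */
#include <ifaddrs.h>
#include <net/if.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Entries SIOCGIFCONF returns (-1 on error); *non_inet = how many are not AF_INET. */
int siocgifconf_count(int *non_inet)
{
    struct ifreq reqs[64];  /* fixed-size buffer, an assumption of this example */
    struct ifconf ifc = { .ifc_len = sizeof(reqs), .ifc_req = reqs };
    int fd, i, n, rc;
    *non_inet = 0;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        return -1;
    rc = ioctl(fd, SIOCGIFCONF, &ifc);
    close(fd);
    if (rc < 0)
        return -1;
    n = ifc.ifc_len / (int)sizeof(struct ifreq);  /* 0 when no IPv4 address exists */
    for (i = 0; i < n; i++)
        if (reqs[i].ifr_addr.sa_family != AF_INET)
            (*non_inet)++;
    return n;
}

/* Entries getifaddrs() returns (-1 on error); *inet = the AF_INET subset. */
int getifaddrs_count(int *inet)
{
    struct ifaddrs *list, *ifa;
    int n = 0;
    *inet = 0;
    if (getifaddrs(&list) < 0)
        return -1;
    for (ifa = list; ifa != NULL; ifa = ifa->ifa_next, n++)
        if (ifa->ifa_addr != NULL && ifa->ifa_addr->sa_family == AF_INET)
            (*inet)++;
    freeifaddrs(list);
    return n;
}

int main(void)
{
    int x, y, a = siocgifconf_count(&x), b = getifaddrs_count(&y);
    printf("SIOCGIFCONF: %d entries, %d non-IPv4; getifaddrs: %d entries, %d IPv4\n", a, x, b, y);
    return 0;
}
```

On a host with no IPv4 addresses the first count is 0 while the second still lists the link-layer and IPv6 entries.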


dmiller-nmap commented Jun 30, 2022

@nnposter Can you try this patch and see if it works?

diff --git a/libdnet-stripped/src/intf.c b/libdnet-stripped/src/intf.c
index 6180d85..d4faaeb 100644
--- a/libdnet-stripped/src/intf.c
+++ b/libdnet-stripped/src/intf.c
@@ -693,7 +693,7 @@ _intf_get_aliases(intf_t *intf, struct intf_entry *entry)
        struct addr *ap, *lap;
        char *p;

-       if (intf->ifc.ifc_len < (int)sizeof(*ifr)) {
+       if (intf->ifc.ifc_len < (int)sizeof(*ifr) && intf->ifc.ifc_len != 0) {
                errno = EINVAL;
                return (-1);
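
Review bot: On the changed condition, a zero `ifc_len` now falls through to the rest of `_intf_get_aliases`, and the visible context does not show whether the code after this check is safe with an empty buffer. Please confirm that the alias loop is bounded by `ifc_len` so that it performs no iterations in that case, or handle the empty case explicitly with an early successful return before the length check. A short comment above the condition would also help, stating that a zero length is a valid result when the host has no IPv4 addresses, so the exception is not mistaken for a loosened sanity check later. Testing `intf->ifc.ifc_len != 0` first would make the intent easier to read.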


nnposter commented Jul 3, 2022

