Nmap Development mailing list archives
Technique for scanning localhost on at least Windows XP machines
From: kx <kxmail () gmail com>
Date: Wed, 8 Mar 2006 18:12:26 -0500
Thought some people might like this, sorry if this is old news. However, the -S option has only been working on Windows in recent nmap versions since November 05, so this might be new to some. This was done using nmap 4.01 and a fully patched Windows XP box.

Basically, thanks to nmap's send-eth and ARP stack, we can use a packet-purgatory-like technique. http://www.synacklabs.net/projects/packetp/

We spoof as an unused IP address on our target's subnet, and nmap will determine that since our target is directly connected, there is no need to route. We must specify localhost as a real IP (like 192.168.1.100), not 127.*.*.*. Nmap will actually route this (it went to my default gateway), but no one will answer. Because the Windows stack is not involved in the TCP/IP and ARP handling, everything just works, and the packets travel freely over our subnet.

Below are a few example scans. Ports 80 and 443 that were open were Skype on my localhost. This also works when scanning your whole subnet, example below.

Hope people have fun with this.

Cheers,
kx
nmap -sS -p80 -P0 192.168.1.100 -packet_trace -n -S 192.168.1.108 -e eth0
Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2006-03-08 17:21 Eastern Standard Time
SENT (0.3910s) ARP who-has 192.168.1.100 tell 192.168.1.108
RCVD (0.3910s) ARP reply 192.168.1.100 is-at 00:4F:4E:14:21:5C
SENT (0.5000s) TCP 192.168.1.108:33685 > 192.168.1.100:80 S ttl=59 id=31303 iplen=44 seq=1831741960 win=4096
RCVD (0.5000s) TCP 192.168.1.100:80 > 192.168.1.108:33685 SA ttl=128 id=64462 iplen=44 seq=1309544532 win=-1 ack=1831741961
Interesting ports on 192.168.1.100:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:4F:4E:14:21:5C (Unknown)
Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds

And another:
nmap -sS -P0 192.168.1.100 -packet_trace -n -S 192.168.1.108 -e eth0
<snip>
Interesting ports on 192.168.1.100:
(The 1670 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: 00:4F:4E:14:21:5C (Unknown)
Final times for host: srtt: 30714 rttvar: 36148 to: 175306
Nmap finished: 1 IP address (1 host up) scanned in 30.078 seconds
nmap -sS -p80 -P0 192.168.1.1/24 -packet_trace -n -S 192.168.1.108 -e eth0
<snip>
Interesting ports on 192.168.1.1:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:04:5A:EF:AE:13 (The Linksys Group)

Interesting ports on 192.168.1.100:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:4F:4E:14:21:5C (Unknown)

Interesting ports on 192.168.1.102:
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:60:08:16:06:3C (3com)

Nmap finished: 256 IP addresses (3 hosts up) scanned in 5.688 seconds
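As an added example, not part of kx's post or of Nmap itself: a small Python parser for the --packet-trace line format shown above that reconstructs the exchange, records which source address the scanner asserted in its own ARP request, and flags SENT SYNs whose source IP is not the host's real address together with the SYN/ACK that came back to that address. This is the kind of check a defender can run over a trace or capture to spot a host probing from an address it does not own. The sample lines are constructed from the post's output, and treating 192.168.1.100 as the scanner's real address is an assumption.

```python
import re

# Constructed sample in the format nmap --packet-trace prints, modelled on the
# trace in the post above (illustrative values, not captured data).
TRACE = """\
SENT (0.3910s) ARP who-has 192.168.1.100 tell 192.168.1.108
RCVD (0.3910s) ARP reply 192.168.1.100 is-at 00:4F:4E:14:21:5C
SENT (0.5000s) TCP 192.168.1.108:33685 > 192.168.1.100:80 S ttl=59 id=31303 iplen=44 seq=1831741960 win=4096
RCVD (0.5000s) TCP 192.168.1.100:80 > 192.168.1.108:33685 SA ttl=128 id=64462 iplen=44 seq=1309544532 win=-1 ack=1831741961
"""

ARP_REQ = re.compile(r"^(SENT|RCVD) \([\d.]+s\) ARP who-has (\S+) tell (\S+)$")
ARP_REP = re.compile(r"^(SENT|RCVD) \([\d.]+s\) ARP reply (\S+) is-at (\S+)$")
TCP_PKT = re.compile(r"^(SENT|RCVD) \([\d.]+s\) TCP (\S+):\d+ > (\S+):\d+ (\S+)")


def analyse_trace(trace, real_ip):
    """Parse packet-trace lines and summarise the exchange.

    Returns a dict with:
      claimed  - source IPs the scanner asserted in its own ARP requests (the
                 'tell' address); anything other than real_ip means the host is
                 announcing an address it does not own, which is what lets the
                 reply come back to it
      resolved - target IP -> MAC learned from ARP replies
      spoofed  - (src, dst, flags) of SENT TCP packets whose source is not real_ip
      answered - True if a RCVD SYN/ACK was addressed to a non-real_ip source
    """
    claimed, resolved, spoofed, answered = set(), {}, [], False
    for line in trace.splitlines():
        if m := ARP_REQ.match(line):
            if m.group(1) == "SENT":
                claimed.add(m.group(3))
        elif m := ARP_REP.match(line):
            resolved[m.group(2)] = m.group(3)
        elif m := TCP_PKT.match(line):
            direction, src, dst, flags = m.groups()
            if direction == "SENT" and src != real_ip:
                spoofed.append((src, dst, flags))
            if direction == "RCVD" and flags == "SA" and dst != real_ip:
                answered = True
    return {"claimed": claimed, "resolved": resolved,
            "spoofed": spoofed, "answered": answered}


if __name__ == "__main__":
    # Assumption: 192.168.1.100 is the scanning host's real address, as in the post.
    print(analyse_trace(TRACE, "192.168.1.100"))
```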