Nmap Development mailing list archives

Technique for scanning localhost on at least Windows XP machines


From: kx <kxmail () gmail com>
Date: Wed, 8 Mar 2006 18:12:26 -0500

Thought some people might like this; sorry if this is old news.
However, the -S option has only been working on Windows in recent nmap
versions since November 05, so this might be new to some. This was
done using nmap 4.01 and a fully patched Windows XP box.

Basically, thanks to nmap's send-eth and ARP stack, we can use a
packet-purgatory-like technique:
http://www.synacklabs.net/projects/packetp/

We spoof as an unused IP address on our target's subnet, and nmap will
determine that since our target is directly connected, there is no
need to route. We must specify localhost as a real IP (like
192.168.1.100), not 127.*.*.*.  Nmap will actually route this (it went
to my default gateway), but no one will answer.

Because the Windows stack is not involved in the TCP/IP and ARP
handling, everything just works, and the packets travel freely over
our subnet.

Below are a few example scans. Ports 80 and 443, which show as open,
were Skype on my localhost.

This also works when scanning your whole subnet, example below.

Hope people have fun with this.

Cheers,
  kx

nmap -sS -p80 -P0 192.168.1.100 -packet_trace -n -S 192.168.1.108 -e eth0

Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2006-03-08 17:21 Eastern Standard Time
SENT (0.3910s) ARP who-has 192.168.1.100 tell 192.168.1.108
RCVD (0.3910s) ARP reply 192.168.1.100 is-at 00:4F:4E:14:21:5C
SENT (0.5000s) TCP 192.168.1.108:33685 > 192.168.1.100:80 S ttl=59 id=31303 iplen=44 seq=1831741960 win=4096
RCVD (0.5000s) TCP 192.168.1.100:80 > 192.168.1.108:33685 SA ttl=128 id=64462 iplen=44 seq=1309544532 win=-1 ack=1831741961
Interesting ports on 192.168.1.100:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:4F:4E:14:21:5C (Unknown)

Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds

And another:

nmap -sS -P0 192.168.1.100 -packet_trace -n -S 192.168.1.108 -e eth0
<snip>
Interesting ports on 192.168.1.100:
(The 1670 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: 00:4F:4E:14:21:5C (Unknown)
Final times for host: srtt: 30714 rttvar: 36148  to: 175306

Nmap finished: 1 IP address (1 host up) scanned in 30.078 seconds

nmap -sS -p80 -P0 192.168.1.1/24 -packet_trace -n -S 192.168.1.108 -e eth0
<snip>
Interesting ports on 192.168.1.1:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:04:5A:EF:AE:13 (The Linksys Group)

Interesting ports on 192.168.1.100:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:4F:4E:14:21:5C (Unknown)

Interesting ports on 192.168.1.102:
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:60:08:16:06:3C (3com)

Nmap finished: 256 IP addresses (3 hosts up) scanned in 5.688 seconds


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
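
Added example (editor's code, not kx's and not part of nmap): a small
checker that reads a --packet_trace transcript of a -S scan and verifies
the three things the technique above depends on: the target was ARPed
directly by nmap rather than routed via the gateway, every probe left
with the spoofed source address, and replies addressed to the spoofed IP
were still captured even though the host's own stack never owned that
address. It then derives port state the way a SYN scan does (SYN/ACK =
open, RST = closed, no answer = filtered), accepting a reply only when
its ack is exactly our seq+1. The first trace is the post's own first
scan rejoined onto single lines; the second, against 192.168.1.102 with
port 80 closed and a silent port 443, is constructed for illustration.
The line format is assumed to be the nmap 4.01 one shown in the post.

```python
"""Sanity-check an nmap --packet_trace transcript for a -S (spoofed source) scan."""
import re
from collections import OrderedDict

# Trace lines from the post's first scan (nmap 4.01, -S 192.168.1.108 against
# 192.168.1.100), rejoined onto single lines; this is the page's own data.
TRACE_FROM_POST = """\
SENT (0.3910s) ARP who-has 192.168.1.100 tell 192.168.1.108
RCVD (0.3910s) ARP reply 192.168.1.100 is-at 00:4F:4E:14:21:5C
SENT (0.5000s) TCP 192.168.1.108:33685 > 192.168.1.100:80 S ttl=59 id=31303 iplen=44 seq=1831741960 win=4096
RCVD (0.5000s) TCP 192.168.1.100:80 > 192.168.1.108:33685 SA ttl=128 id=64462 iplen=44 seq=1309544532 win=-1 ack=1831741961
"""

# Constructed (not from the post): the same scan shape against a host whose
# port 80 answers RST/ACK (closed) and whose port 443 never answers (filtered).
TRACE_CONSTRUCTED = """\
SENT (0.3910s) ARP who-has 192.168.1.102 tell 192.168.1.108
RCVD (0.3910s) ARP reply 192.168.1.102 is-at 00:60:08:16:06:3C
SENT (0.5000s) TCP 192.168.1.108:33685 > 192.168.1.102:80 S ttl=59 id=31303 iplen=44 seq=1831741960 win=4096
RCVD (0.5000s) TCP 192.168.1.102:80 > 192.168.1.108:33685 RA ttl=128 id=64462 iplen=40 seq=0 win=0 ack=1831741961
SENT (0.6000s) TCP 192.168.1.108:33686 > 192.168.1.102:443 S ttl=59 id=31304 iplen=44 seq=1831741961 win=4096
"""

ARP_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \([\d.]+s\) ARP (?P<op>who-has|reply) (?P<ip>\S+) "
    r"(?:tell|is-at) (?P<arg>\S+)$")
TCP_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \([\d.]+s\) TCP (?P<src>\S+):(?P<sport>\d+) > "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<flags>\S+) (?P<rest>.*)$")


def _fields(rest):
    """Turn 'ttl=59 id=31303 ... win=-1' into a dict of ints."""
    return {k: int(v) for k, v in (kv.split("=", 1) for kv in rest.split())}


def analyse_spoofed_scan(trace, spoof_ip, target_ip):
    """Return a report dict for a -S scan; raises ValueError on an unparseable line."""
    report = {
        "arp_direct": False,       # target resolved by ARP, i.e. not routed via gateway
        "target_mac": None,
        "all_probes_spoofed": True,
        "replies_to_spoof": True,  # every reply was addressed to the spoofed IP
        "ports": OrderedDict(),    # dport -> open / closed / filtered
    }
    outstanding = {}  # (sport, dport) -> seq of the SYN we sent, awaiting a reply
    for line in trace.splitlines():
        if not line.strip():
            continue
        m = ARP_RE.match(line)
        if m:
            if (m["dir"] == "SENT" and m["op"] == "who-has"
                    and m["ip"] == target_ip and m["arg"] == spoof_ip):
                report["arp_direct"] = True
            elif m["dir"] == "RCVD" and m["op"] == "reply" and m["ip"] == target_ip:
                report["target_mac"] = m["arg"]
            continue
        m = TCP_RE.match(line)
        if not m:
            raise ValueError("unrecognised trace line: " + line)
        f = _fields(m["rest"])
        if m["dir"] == "SENT":
            if m["src"] != spoof_ip:
                report["all_probes_spoofed"] = False
            key = (int(m["sport"]), int(m["dport"]))
            outstanding[key] = f["seq"]
            report["ports"].setdefault(key[1], "filtered")  # until something answers
        else:
            if m["dst"] != spoof_ip:
                report["replies_to_spoof"] = False
            key = (int(m["dport"]), int(m["sport"]))  # a reply swaps the port pair
            sent_seq = outstanding.get(key)
            # Only trust a reply that acknowledges exactly our SYN (seq+1);
            # anything else is unrelated traffic on the wire, not an answer.
            if sent_seq is None or f.get("ack") != sent_seq + 1:
                continue
            if m["flags"] == "SA":
                report["ports"][key[1]] = "open"
            elif "R" in m["flags"]:
                report["ports"][key[1]] = "closed"
    return report


def spoof_worked(report):
    """True when the trace shows the technique functioning end to end."""
    return (report["arp_direct"] and report["target_mac"] is not None
            and report["all_probes_spoofed"] and report["replies_to_spoof"])


if __name__ == "__main__":
    for name, trace, target in (("post", TRACE_FROM_POST, "192.168.1.100"),
                                ("constructed", TRACE_CONSTRUCTED, "192.168.1.102")):
        r = analyse_spoofed_scan(trace, "192.168.1.108", target)
        print(name, "spoof_worked=%s" % spoof_worked(r), dict(r["ports"]), r["target_mac"])
```

Feed it the trace of a real run (nmap ... --packet_trace > trace.txt) and
the -S address you chose; if all_probes_spoofed comes back False, the
host stack or a misplaced -e is rewriting the source, and if arp_direct
is False the target was routed, which is the failure mode the post
describes for 127.*.*.* targets.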
