Nmap 6:Network exploration and security auditing Cookbook
上QQ阅读APP看书,第一时间看更新

Scanning using a specified network interface

Nmap is known for its flexibility, and allows users to specify the network interface used when scanning. This is very handy when running some of the sniffer NSE scripts, discovering whether your interface supports the promiscuous mode, or when testing a network connection with routing problems.

The following recipe describes how to force Nmap to scan using a specified network interface.

How to do it...

Open your terminal and enter the following command:

$ nmap -e <INTERFACE> scanme.nmap.org

This will force Nmap to perform a TCP scan of scanme.nmap.org using the interface <INTERFACE>.

How to do it...

How it works...

The flag -e is used to set a specific network interface when Nmap is unable to select one automatically. The existence of this flag allows Nmap to send and receive packets through an alternate interface.

There's more...

If you need to select your interface manually, you will see the following message:

WARNING: Unable to find appropriate interface for system route to ...

Checking a TCP connection

To check if a network interface can communicate with your network, you could try a ping scan that forces Nmap to use a specified interface:

$ nmap -sP -e INTERFACE 192.168.1.254 
--------------- Timing report --------------- 
 hostgroups: min 1, max 100000 
 rtt-timeouts: init 1000, min 100, max 10000 
 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 
 parallelism: min 0, max 0 
 max-retries: 10, host-timeout: 0 
 min-rate: 0, max-rate: 0 
--------------------------------------------- 
Initiating ARP Ping Scan at 02:46 
Scanning 192.168.1.254 [1 port] 
Packet capture filter (device wlan2): arp and arp[18:4] = 0x00C0CA50 and arp[22:2] = 0xE567 
Completed ARP Ping Scan at 02:46, 0.06s elapsed (1 total hosts) 
Overall sending rates: 16.76 packets / s, 704.05 bytes / s. 
mass_rdns: Using DNS server 192.168.1.254 
Initiating Parallel DNS resolution of 1 host. at 02:46 
mass_rdns: 0.03s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1] 
Completed Parallel DNS resolution of 1 host. at 02:46, 0.03s elapsed 
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] 
Nmap scan report for 192.168.1.254 
Host is up, received arp-response (0.0017s latency). 
MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) 
Final times for host: srtt: 1731 rttvar: 5000 to: 100000 
Read from /usr/local/bin/../share/nmap: nmap-mac-prefixes nmap-payloads. 
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds 
 Raw packets sent: 1 (28B) | Rcvd: 1 (28B) 

See also

  • The Running NSE scripts recipe
  • The Scanning using specific port ranges recipe
  • The Hiding our traffic with additional random data recipe in Chapter 2, Network Exploration
  • The Forcing DNS resolution recipe in Chapter 2, Network Exploration
  • The Excluding hosts from your scans recipe in Chapter 2, Network Exploration
  • The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information
  • The Fingerprinting the operative system of a host recipe in Chapter 3, Gathering Additional Host Information
  • The Discovering UDP services recipe in Chapter 3, Gathering Additional Host Information
  • The Listing the protocols supported by a remote host recipe in Chapter 3, Gathering Additional Host Information