nmap / nmap

Nmap - the Network Mapper. Github mirror of official SVN repository.
https://svn.nmap.org/

Add command line switch to set destination MAC address #1783

Open bka-dev opened 4 years ago

bka-dev commented 4 years ago

Good afternoon,

While Nmap already allows setting a custom source MAC address via --spoof-mac, there is no command line switch available to set the destination MAC address.

This option might be useful when scanning multihomed devices, on which the target MAC address might not be the one derived from earlier ARP responses (or in cases where there is no entry in the routing table pointing to the target network).

Since Nmap relies on the routing table of the operating system, the only way to perform such a scan is to manually set a route to the hidden network with the target MAC address as the gateway.

A separate command line switch like "--dst-mac <mac>" or similar could help to speed this up. What are your thoughts?

References:

[1] https://tools.ietf.org/html/rfc6419
[2] https://en.wikipedia.org/wiki/Host_model

dmiller-nmap commented 4 years ago

This is an interesting idea, though we would want a solution that scales to multiple targets. As an example of another address mapping that allows local override, DNS names can be mapped to IP addresses in the hosts file, which Nmap consults prior to attempting reverse-DNS lookup. Forward lookups use the OS-specific mechanisms via getaddrinfo(), which usually similarly prefer /etc/hosts or equivalent.

Similarly, /etc/services maps service names to port numbers, but Nmap ships and uses its own nmap-services file to override the system-provided one. We don't currently do the same for MAC-to-IP mapping, but that could possibly be done.

The preferred solution at the moment is to manipulate the OS's ARP tables using tools like route or arp. Nmap can then use standard API calls to retrieve the addresses from these sources.
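The workaround both posts describe (a static neighbour entry for the next hop plus a route for the hidden network, so that Nmap's normal OS lookups return the wanted MAC) as a small Linux iproute2 helper. This is an added example, not code from the Nmap project or from either commenter; the IP addresses, MAC address, interface name and target network are constructed, and the helper function names are my own.

```shell
#!/bin/sh
# Added example (not part of the nmap issue thread or of Nmap itself).
# Nmap resolves the next hop and its MAC from the OS routing and neighbour
# tables, so forcing a destination MAC is done outside Nmap in two steps:
#   1. pin a permanent neighbour (ARP) entry: NEXT_HOP_IP -> MAC on IFACE
#   2. route the hidden/target network via NEXT_HOP_IP
# Values used below (10.0.0.5, 00:11:22:33:44:55, eth0, 192.168.50.0/24)
# are constructed; NEXT_HOP_IP must be on-link for IFACE or "ip route" will
# refuse the "via".

# Return 0 if $1 looks like a MAC address of the form aa:bb:cc:dd:ee:ff.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print (do not run) the commands that pin NEXT_HOP_IP to MAC on IFACE and
# route TARGET_NET through it. Usage: plan_dst_mac NEXT_HOP_IP MAC IFACE TARGET_NET
plan_dst_mac() {
    next_hop=$1; mac=$2; iface=$3; target_net=$4
    if ! is_mac "$mac"; then
        echo "plan_dst_mac: not a MAC address: $mac" >&2
        return 1
    fi
    printf 'ip neigh replace %s lladdr %s nud permanent dev %s\n' \
        "$next_hop" "$mac" "$iface"
    printf 'ip route replace %s via %s dev %s\n' \
        "$target_net" "$next_hop" "$iface"
}

# Print the commands that undo plan_dst_mac.
# Usage: plan_cleanup NEXT_HOP_IP IFACE TARGET_NET
plan_cleanup() {
    next_hop=$1; iface=$2; target_net=$3
    printf 'ip route del %s via %s dev %s\n' "$target_net" "$next_hop" "$iface"
    printf 'ip neigh del %s dev %s\n' "$next_hop" "$iface"
}

# Run each planned command read from stdin, stopping at the first failure.
# Needs root (CAP_NET_ADMIN). Usage: plan_dst_mac ... | apply_plan
apply_plan() {
    while IFS= read -r cmd; do
        sh -c "$cmd" || return 1
    done
}

# Stand-alone demo: only prints the plan, never touches the host.
echo "# planned commands (constructed values):"
plan_dst_mac 10.0.0.5 00:11:22:33:44:55 eth0 192.168.50.0/24
echo "# cleanup:"
plan_cleanup 10.0.0.5 eth0 192.168.50.0/24
```

Before scanning, confirm the kernel will actually use the pinned entry: `ip route get 192.168.50.10` should report `via 10.0.0.5 dev eth0`, and `ip neigh show dev eth0` should list `10.0.0.5 lladdr 00:11:22:33:44:55 PERMANENT`. Then run the scan as usual (for example `nmap -n -sS 192.168.50.0/24`); `--spoof-mac` still only affects the source address, as the issue notes. Apply the cleanup plan afterwards so the permanent neighbour entry does not outlive the test.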