robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0

masscan doesn't work in my LAN #378

Open secusoc opened 5 years ago

secusoc commented 5 years ago

Hi all, I'm seeing strange things with masscan: it works for other LANs/VLANs but not for mine.

My config:

OS:     RHEL 7.5
Masscan version 1.0.3 ( https://github.com/robertdavidgraham/masscan )
        Compiled on: Jan 21 2017 12:09:31
        Compiler: gcc 4.8.5 20150623 (Red Hat 4.8.5-11)
        OS: Linux
        CPU: unknown (64 bits)
        GIT version: unknown
IP:     10.228.253.101  
route:  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
        0.0.0.0         10.228.255.254  0.0.0.0         UG    0      0        0 eth0
        10.228.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
        10.229.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
        10.230.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth2

I) Test server on my LAN 10.228.253.100

a) Ping server via "PING" => OK

$ ping 10.228.253.100
    64 bytes from 10.228.253.100: icmp_seq=1 ttl=64 time=1.02 ms
    64 bytes from 10.228.253.100: icmp_seq=2 ttl=64 time=0.514 ms

$ sudo tcpdump -n -i any host 10.228.253.100 and 10.228.253.101
    08:26:56.386772 IP 10.228.253.101 > 10.228.253.100: ICMP echo request, id 20256, seq 2, length 64
    08:26:56.387247 IP 10.228.253.100 > 10.228.253.101: ICMP echo reply, id 20256, seq 2, length 64

b) Ping server via "MASSCAN" => KO

$ sudo masscan --ping 10.228.253.100 --max-rate 100
    Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-10-17 06:31:33 GMT
     -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
    Initiating SYN Stealth Scan
    Scanning 1 hosts [1 port/host]

$ sudo tcpdump -n -i any host 10.228.253.100 and 10.228.253.101
    (nothing)

c) Syn ssh via "NMAP" => OK

$ sudo nmap -P0 -p22 10.228.253.100
    Host is up (0.00052s latency).
    PORT   STATE SERVICE
    22/tcp open  ssh
    Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

$ sudo tcpdump -n -i any host 10.228.253.100 and 10.228.253.101
    08:37:48.537231 IP 10.228.253.101.56689 > 10.228.253.100.ssh: Flags [S], seq 646278291, win 1024, options [mss 1460], length 0
    08:37:48.537692 IP 10.228.253.100.ssh > 10.228.253.101.56689: Flags [S.], seq 564100738, ack 646278292, win 29200, options [mss 1460], length 0
    08:37:48.537708 IP 10.228.253.101.56689 > 10.228.253.100.ssh: Flags [R], seq 646278292, win 0, length 0

d) Syn ssh via "MASSCAN" => KO

$ sudo masscan -p22 10.228.253.100 --max-rate 100
    Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-10-17 06:39:47 GMT
     -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
    Initiating SYN Stealth Scan
    Scanning 1 hosts [1 port/host]

$ sudo tcpdump -n -i any host 10.228.253.100 and 10.228.253.101
    (nothing)

II) Ping and SYN ssh via "MASSCAN" on other LAN

$ sudo masscan --ping 10.225.253.50 --max-rate 100
    Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-10-17 07:42:04 GMT
     -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
    Initiating SYN Stealth Scan
    Scanning 1 hosts [1 port/host]
    Discovered open port 0/icmp on 10.225.253.50

$ sudo tcpdump -n -i any host 10.225.253.50
    09:42:04.400725 IP 10.225.253.50 > 10.228.253.101: ICMP echo reply, id 56505, seq 65149, length 56

$ sudo masscan -p22 10.225.253.50 --max-rate 100
    Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-10-17 07:44:07 GMT
     -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
    Initiating SYN Stealth Scan
    Scanning 1 hosts [1 port/host]
    Discovered open port 22/tcp on 10.225.253.50

$ sudo tcpdump -n -i any host 10.225.253.50
    09:44:07.537033 IP 10.225.253.50.ssh > 10.228.253.101.42247: Flags [S.], seq 2037267691, ack 2272701532, win 29200, options [mss 1460], length 0
    09:44:07.537073 IP 10.228.253.101.42247 > 10.225.253.50.ssh: Flags [R], seq 2272701532, win 0, length 0

So: on my LAN => no packets; on the other LAN masscan does the job? No security stuff in between, no iptables for the test...

Thanks for your help. Regards

BlancLoup commented 5 years ago

Same issue. The reason is described at the --router-mac option. If you run Wireshark you'll see that masscan sends all LAN packets to the gateway MAC in the Ethernet frame.
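To make the explanation above concrete, here is an added example (not code from masscan or from either commenter) that models what the reporter's routing table implies. It parses the `route` output pasted in the issue, does a longest-prefix match for a target, and compares the destination MAC a correctly behaving sender would put in the Ethernet frame (the target's own MAC for an on-link host, the gateway's MAC otherwise) with a sender that always uses the router MAC. The ARP entries and MAC addresses are constructed placeholders, not values from the page; `diagnose` is a hypothetical helper name.

```python
import ipaddress

# Routing table exactly as pasted in the issue (the only real data used here).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.228.255.254  0.0.0.0         UG    0      0        0 eth0
10.228.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.229.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.230.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth2
"""

# Constructed ARP cache: locally administered MACs, NOT real addresses from the page.
ARP_CACHE = {
    "10.228.253.100": "02:00:00:00:01:64",   # the on-link test server
    "10.228.255.254": "02:00:00:00:ff:fe",   # the default gateway
}
ROUTER_MAC = ARP_CACHE["10.228.255.254"]   # what a gateway-only sender would use


def parse_routes(text):
    """Turn `route -n` style output into (network, gateway_or_None, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:            # skip the header row
        dest, gw, mask, flags, *_rest, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}")
        # A gateway is only used when the G flag is set; otherwise it is on-link.
        routes.append((net, gw if "G" in flags else None, iface))
    return routes


def next_hop(routes, target):
    """Longest-prefix match. Returns (next_hop_ip, iface, on_link)."""
    t = ipaddress.ip_address(target)
    best = None
    for net, gw, iface in routes:
        if t in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {target}")
    net, gw, iface = best
    if gw is None:                      # directly connected: deliver to the host itself
        return str(t), iface, True
    return gw, iface, False             # off-link: hand the frame to the gateway


def expected_dst_mac(routes, target, arp_cache):
    """Destination MAC a correct sender resolves for this target."""
    hop, iface, _on_link = next_hop(routes, target)
    mac = arp_cache.get(hop)
    if mac is None:
        raise LookupError(f"no ARP entry for next hop {hop} on {iface}")
    return mac


def diagnose(routes, target, arp_cache, router_mac):
    """Compare the correct destination MAC with a fixed router MAC.

    When the target is on-link, a frame addressed to the gateway MAC goes to the
    router instead of the host, which is why tcpdump on the host sees nothing.
    """
    hop, iface, on_link = next_hop(routes, target)
    want = expected_dst_mac(routes, target, arp_cache)
    return {
        "target": target,
        "next_hop": hop,
        "iface": iface,
        "on_link": on_link,
        "expected_dst_mac": want,
        "router_mac_reaches_target": want.lower() == router_mac.lower(),
        "suggested_router_mac": want,   # value to pass as --router-mac for this target
    }


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for ip in ("10.228.253.100", "10.225.253.50"):   # the two hosts from the issue
        print(diagnose(routes, ip, ARP_CACHE, ROUTER_MAC))
```

For the on-link host 10.228.253.100 the routing table selects the directly connected 10.228.0.0/16 route, so the frame must carry that host's MAC; a frame sent to the gateway MAC never reaches it, matching the empty tcpdump capture. For 10.225.253.50 only the default route matches, so the gateway MAC is correct and the scan succeeds. The `suggested_router_mac` field is the MAC you would pass to masscan's `--router-mac` when scanning the on-link host, after confirming it with `arp -n` or `ip neigh` on the scanning box.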