v-byte-cpu / sx

:vulcan_salute: Fast, modern, easy-to-use network scanner
MIT License

ICMP Scan: sending ICMP for IPs not listed in the ARP cache #101

Closed ronaldoafonso closed 3 years ago

ronaldoafonso commented 3 years ago

Hi, I'm experimenting with "sx" and found an interesting issue.

Well, I was trying to ICMP scan a local WiFi network. First of all, I generated the ARP cache file. After that I ran the ICMP scan. Everything seems to work, but the interesting thing I'm talking about is this: I generated a PCAP file while I was scanning the network and noticed that, even though I had provided an ARP cache of just 3 entries, sx had sent ICMP packets to the whole subnet I provided on the command line.

I was expecting ICMP packets only for the 3 IP addresses/MACs listed in the ARP cache file. This is the ARP cache I used:

{"ip":"192.168.15.1","mac":"d8:c6:78:1f:bc:90","vendor":"MitraStar Technology Corp."}
{"ip":"192.168.15.250","mac":"c8:5d:38:29:6b:08","vendor":"HUMAX Co., Ltd."}
{"ip":"192.168.15.238","mac":"c8:5d:38:29:77:2f","vendor":"HUMAX Co., Ltd."}

Another thing that I noticed was that for each ICMP packet sent to an IP whose MAC was not listed in the ARP cache, "sx" used the MAC address of the first entry in the ARP cache as the Ethernet frame destination address.

For example, for the IPs:

Is this how it's supposed to work?

P.S. I'm using a development version (sx version dev).

Thanks for any feedback.

v-byte-cpu commented 3 years ago

Hi @ronaldoafonso !

> sx had sent ICMP packets for all the subnet I provided in the command line.

Yes, sx tries to scan all IP addresses provided on the command line; the ARP cache file just provides initial information (starting context) that is necessary to perform the scan.

> Another thing that I noticed was that for each ICMP packet sent and which the MAC was not listed in the ARP cache, "sx" included the MAC address of the first entry in the ARP cache as the Ethernet frame destination address.

I can guess that the 192.168.15.1 address is the default gateway for your network. sx tries to find the MAC address for a scanned IP address in the ARP cache, and if it is not present in the cache then sx falls back to the MAC address of the default gateway. This is why the d8:c6:78:1f:bc:90 address is used for packets to all addresses that were not explicitly specified in the ARP cache file.

I would like to note that if you want to exclude IPs from the scan, you can use the --exclude option. You can also override the default gateway MAC address (which is usually detected automatically) using the --gwmac option.

P.S. In your case I would just use the -f option with the ARP cache file (if you want to scan only the IPs in the ARP cache file).
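As an added illustration (not sx's own code), the Go program below reads the JSON-lines ARP cache format shown in the issue and reproduces the behaviour described in the reply: every address in the scanned range is probed, each one with its cached MAC as the frame destination, or the gateway MAC when the address is absent from the cache. Function names are my own, and the gateway MAC is passed in explicitly, standing in for the value sx detects automatically or takes from --gwmac.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// arpEntry is one JSON line of the cache file from the issue ("vendor" is ignored;
// encoding/json matches the lowercase keys to these fields case-insensitively).
type arpEntry struct{ IP, MAC string }
// Constructed sample: the three cache entries quoted in the issue.
const sampleCache = `{"ip":"192.168.15.1","mac":"d8:c6:78:1f:bc:90","vendor":"MitraStar Technology Corp."}
{"ip":"192.168.15.250","mac":"c8:5d:38:29:6b:08","vendor":"HUMAX Co., Ltd."}
{"ip":"192.168.15.238","mac":"c8:5d:38:29:77:2f","vendor":"HUMAX Co., Ltd."}`
// loadARPCache parses the JSON lines into an ip -> mac map.
func loadARPCache(data string) (map[string]string, error) {
	cache, dec := map[string]string{}, json.NewDecoder(strings.NewReader(data))
	for dec.More() {
		var e arpEntry
		if err := dec.Decode(&e); err != nil {
			return nil, fmt.Errorf("bad cache entry: %w", err)
		}
		cache[e.IP] = e.MAC
	}
	return cache, nil
}
// resolveDstMAC is the fallback the reply describes: cached MAC, else gateway MAC.
func resolveDstMAC(cache map[string]string, ip, gwMAC string) (mac string, fromCache bool) {
	if m, ok := cache[ip]; ok {
		return m, true
	}
	return gwMAC, false
}
// planScan maps every IPv4 address in cidr (network and broadcast included) to
// the Ethernet destination MAC an ICMP probe would carry, before anything is sent.
func planScan(cidr string, cache map[string]string, gwMAC string) (map[string]string, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil || ipnet.IP.To4() == nil {
		return nil, fmt.Errorf("need an IPv4 CIDR, got %q: %v", cidr, err)
	}
	start, plan := binary.BigEndian.Uint32(ipnet.IP.To4()), map[string]string{}
	ones, bits := ipnet.Mask.Size()
	for i := uint32(0); i < 1<<uint(bits-ones); i++ {
		ip := make(net.IP, 4)
		binary.BigEndian.PutUint32(ip, start+i)
		plan[ip.String()], _ = resolveDstMAC(cache, ip.String(), gwMAC)
	}
	return plan, nil
}
```

Running planScan over the full /24 with the three-entry cache shows the gateway MAC on every address except the three cached ones, which is exactly the pattern seen in the PCAP.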

ronaldoafonso commented 3 years ago

Ok @v-byte-cpu , I got it.

Thanks very much for your answer.

I'm just experimenting with "sx" and I'd say that I'm liking it. It seems a very nice tool. :)

v-byte-cpu commented 3 years ago

Thank you for the kind words :)