TransWikia.com

How do I scan for hosts on a vpn using Zenmap on Windows?

Super User Asked on December 23, 2020

I have successfully connected to a vpn from my Windows laptop and I want to see what hosts are up in the workgroup named “Boston”. Currently the workgroup’s DNS is not configured to list most of the computer names, so I’m just trying IP addresses. When I type ipconfig I see the following (among several other interfaces):

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix  . : Boston.local
Link-local IPv6 Address . . . . . : fe80::2c21:fcc4:3359:e748%55
IPv4 Address. . . . . . . . . . . : 10.1.1.132
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

I just went out on a limb and assumed “Ethernet 2” implies interface eth2, so I tried the following in Zenmap

nmap -sn -T4 -e eth2 10.1.1.0/24

But all I get are lines like the following:

Starting Nmap 7.12 ( https://nmap.org ) at 2018-09-20 15:12 Mountain Daylight Time
setup_target: failed to determine route to 10.1.1.0
setup_target: failed to determine route to 10.1.1.1
setup_target: failed to determine route to 10.1.1.2
setup_target: failed to determine route to 10.1.1.3

for all addresses, including my own. I also get the same results when I try 10.0.1.0/24 and 10.1.0.0/24 despite all three subnets being in my routes

route PRINT
===========================================================================
Interface List
 55...00 60 73 3b 9d 0b ......SonicWALL Virtual NIC
 12...28 f1 0e 09 37 a6 ......Killer e2400 Gigabit Ethernet Controller
 11...e6 b3 18 67 40 17 ......Microsoft Wi-Fi Direct Virtual Adapter #2
  8...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 16...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
 17...e4 b3 18 67 40 17 ......Intel(R) Dual Band Wireless-AC 8260
  6...e4 b3 18 67 40 1b ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.240     35
         10.0.1.0    255.255.255.0         On-link        10.1.1.132      2
         10.0.1.6  255.255.255.255         On-link        10.1.1.132      2
       10.0.1.255  255.255.255.255         On-link        10.1.1.132    257
         10.1.0.0    255.255.255.0         On-link        10.1.1.132      2
       10.1.0.255  255.255.255.255         On-link        10.1.1.132    257
         10.1.1.0    255.255.255.0         On-link        10.1.1.132    257
       10.1.1.132  255.255.255.255         On-link        10.1.1.132    257
       10.1.1.255  255.255.255.255         On-link        10.1.1.132    257
         10.5.0.0    255.255.255.0         On-link        10.1.1.132      2
       10.5.0.255  255.255.255.255         On-link        10.1.1.132    257
         10.8.0.0    255.255.255.0         On-link        10.1.1.132      2
       10.8.0.255  255.255.255.255         On-link        10.1.1.132    257
         10.8.1.0    255.255.255.0         On-link        10.1.1.132      2
       10.8.1.255  255.255.255.255         On-link        10.1.1.132    257
     70.91.168.73  255.255.255.255      192.168.1.1    192.168.1.240     35
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.16.0.0    255.255.255.0         On-link        10.1.1.132      2
     172.16.0.255  255.255.255.255         On-link        10.1.1.132    257
       172.16.1.0    255.255.255.0         On-link        10.1.1.132      2
     172.16.1.255  255.255.255.255         On-link        10.1.1.132    257
      172.16.31.0    255.255.255.0         On-link        10.1.1.132      2
    172.16.31.255  255.255.255.255         On-link        10.1.1.132    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.240    291
    192.168.1.240  255.255.255.255         On-link     192.168.1.240    291
    192.168.1.255  255.255.255.255         On-link     192.168.1.240    291
     192.168.47.0    255.255.255.0         On-link      192.168.47.1    291
     192.168.47.1  255.255.255.255         On-link      192.168.47.1    291
   192.168.47.255  255.255.255.255         On-link      192.168.47.1    291
     192.168.80.0    255.255.255.0         On-link      192.168.80.1    291
     192.168.80.1  255.255.255.255         On-link      192.168.80.1    291
   192.168.80.255  255.255.255.255         On-link      192.168.80.1    291
    192.168.100.0    255.255.255.0         On-link        10.1.1.132      2
  192.168.100.255  255.255.255.255         On-link        10.1.1.132    257
    192.168.101.0    255.255.255.0         On-link        10.1.1.132      2
  192.168.101.255  255.255.255.255         On-link        10.1.1.132    257
    192.168.150.0    255.255.255.0         On-link        10.1.1.132      2
  192.168.150.255  255.255.255.255         On-link        10.1.1.132    257
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      192.168.47.1    291
        224.0.0.0        240.0.0.0         On-link      192.168.80.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.1.240    291
        224.0.0.0        240.0.0.0         On-link        10.1.1.132    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.47.1    291
  255.255.255.255  255.255.255.255         On-link      192.168.80.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.1.240    291
  255.255.255.255  255.255.255.255         On-link        10.1.1.132    257
===========================================================================
Persistent Routes:
  None

Using eth1 gives the same results, and using eth0 gives

Starting Nmap 7.12 ( https://nmap.org ) at 2018-09-20 16:27 Mountain Daylight Time
dnet: Failed to open device eth0
QUITTING!

Update #1

I am completely mystified — I just ran nmap --iflist and I get the following output, but it still complains about eth0 (whether I specify it with -e or not)

Starting Nmap 7.12 ( https://nmap.org ) at 2018-09-21 13:21 Mountain Daylight Time
************************INTERFACES************************
DEV  (SHORT) IP/MASK                      TYPE     UP   MTU  MAC
eth0 (eth0)  fe80::2c21:fcc4:3359:e748/64 ethernet up   1418 00:60:73:3B:9D:0B
eth0 (eth0)  10.1.1.132/24                ethernet up   1418 00:60:73:3B:9D:0B
eth1 (eth1)  fe80::91aa:d87e:1a49:4d58/64 ethernet down 1500 28:F1:0E:09:37:A6
eth1 (eth1)  169.254.77.88/4              ethernet down 1500 28:F1:0E:09:37:A6
eth2 (eth2)  fe80::956:1f96:1f35:8785/64  ethernet down 1500 E6:B3:18:67:40:17
eth2 (eth2)  169.254.135.133/4            ethernet down 1500 E6:B3:18:67:40:17
eth3 (eth3)  fe80::350a:77b7:3bc8:3e99/64 ethernet up   1500 00:50:56:C0:00:01
eth3 (eth3)  192.168.47.1/24              ethernet up   1500 00:50:56:C0:00:01
eth4 (eth4)  fe80::1c8e:b518:9d75:dc50/64 ethernet up   1500 00:50:56:C0:00:08
eth4 (eth4)  192.168.80.1/24              ethernet up   1500 00:50:56:C0:00:08
eth5 (eth5)  fe80::11db:9e0a:4913:3823/64 ethernet up   1500 E4:B3:18:67:40:17
eth5 (eth5)  192.168.1.240/24             ethernet up   1500 E4:B3:18:67:40:17
eth6 (eth6)  fe80::1560:3bf9:44e8:c2d5/64 ethernet down 1500 E4:B3:18:67:40:1B
eth6 (eth6)  169.254.194.213/4            ethernet down 1500 E4:B3:18:67:40:1B
lo0  (lo0)   ::1/128                      loopback up   -1
lo0  (lo0)   127.0.0.1/8                  loopback up   -1

DEV  WINDEVICE
eth0 <none>
eth0 <none>
eth1 DeviceNPF_{8A8B5341-C773-4892-8D8F-C1DC84272FD6}
eth1 DeviceNPF_{8A8B5341-C773-4892-8D8F-C1DC84272FD6}
eth2 DeviceNPF_{8A1E85B7-D29F-4346-B4ED-E52F8558DFF3}
eth2 DeviceNPF_{8A1E85B7-D29F-4346-B4ED-E52F8558DFF3}
eth3 DeviceNPF_{6771C502-791A-42C4-8769-1835C8194B3E}
eth3 DeviceNPF_{6771C502-791A-42C4-8769-1835C8194B3E}
eth4 DeviceNPF_{B5851DDD-8079-43BB-A5EB-3249ABF478E7}
eth4 DeviceNPF_{B5851DDD-8079-43BB-A5EB-3249ABF478E7}
eth5 DeviceNPF_{BBD3B26B-B578-4E49-82C0-132666231D08}
eth5 DeviceNPF_{BBD3B26B-B578-4E49-82C0-132666231D08}
eth6 DeviceNPF_{5E60BD83-E486-4881-A7E1-79F498E06387}
eth6 DeviceNPF_{5E60BD83-E486-4881-A7E1-79F498E06387}
lo0  <none>
lo0  <none>

**************************ROUTES**************************
DST/MASK                      DEV  METRIC GATEWAY
10.0.1.6/32                   eth0 2
70.91.168.73/32               eth5 35     192.168.1.1
192.168.150.255/32            eth0 257
255.255.255.255/32            eth0 257
10.8.0.255/32                 eth0 257
10.1.0.255/32                 eth0 257
172.16.0.255/32               eth0 257
10.1.1.132/32                 eth0 257
10.1.1.255/32                 eth0 257
192.168.101.255/32            eth0 257
10.5.0.255/32                 eth0 257
10.8.1.255/32                 eth0 257
172.16.1.255/32               eth0 257
192.168.100.255/32            eth0 257
172.16.31.255/32              eth0 257
10.0.1.255/32                 eth0 257
255.255.255.255/32            eth1 261
255.255.255.255/32            eth2 281
255.255.255.255/32            eth3 291
192.168.47.255/32             eth3 291
255.255.255.255/32            eth5 291
192.168.80.1/32               eth4 291
255.255.255.255/32            eth4 291
192.168.80.255/32             eth4 291
192.168.47.1/32               eth3 291
192.168.1.255/32              eth5 291
192.168.1.240/32              eth5 291
255.255.255.255/32            eth6 321
255.255.255.255/32            lo0  331
127.255.255.255/32            lo0  331
127.0.0.1/32                  lo0  331
10.1.0.0/24                   eth0 2
10.0.1.0/24                   eth0 2
172.16.31.0/24                eth0 2
172.16.0.0/24                 eth0 2
10.8.1.0/24                   eth0 2
10.8.0.0/24                   eth0 2
10.5.0.0/24                   eth0 2
172.16.1.0/24                 eth0 2
192.168.101.0/24              eth0 2
192.168.100.0/24              eth0 2
192.168.150.0/24              eth0 2
10.1.1.0/24                   eth0 257
192.168.47.0/24               eth3 291
192.168.1.0/24                eth5 291
192.168.80.0/24               eth4 291
127.0.0.0/8                   lo0  331
224.0.0.0/4                   eth0 257
224.0.0.0/4                   eth1 261
224.0.0.0/4                   eth2 281
224.0.0.0/4                   eth5 291
224.0.0.0/4                   eth3 291
224.0.0.0/4                   eth4 291
224.0.0.0/4                   eth6 321
224.0.0.0/4                   lo0  331
0.0.0.0/0                     eth5 35     192.168.1.1
fe80::91aa:d87e:1a49:4d58/128 eth1 261
fe80::956:1f96:1f35:8785/128  eth2 281
fe80::1c8e:b518:9d75:dc50/128 eth4 291
fe80::350a:77b7:3bc8:3e99/128 eth3 291
fe80::2c21:fcc4:3359:e748/128 eth0 291
fe80::11db:9e0a:4913:3823/128 eth5 291
fe80::1560:3bf9:44e8:c2d5/128 eth6 321
::1/128                       lo0  331
fe80::/64                     eth1 261
fe80::/64                     eth2 281
fe80::/64                     eth0 291
fe80::/64                     eth5 291
fe80::/64                     eth4 291
fe80::/64                     eth3 291
fe80::/64                     eth6 321
ff00::/8                      eth1 261
ff00::/8                      eth2 281
ff00::/8                      eth0 291
ff00::/8                      eth5 291
ff00::/8                      eth4 291
ff00::/8                      eth3 291
ff00::/8                      eth6 321
ff00::/8                      lo0  331

Update #2

After perusing this discussion concerning interface naming confusion, I have downloaded and run the latest zenmap installer for version 7.70. Now the output of nmap -sn -T4 10.0.1.0/24 produces the following

Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-21 14:44 Mountain Daylight Time
Nmap scan report for 10.0.1.0
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap scan report for 10.0.1.1
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap scan report for 10.0.1.2
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
...[snip]...
Nmap scan report for 10.0.1.254
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap scan report for 10.0.1.255
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap done: 256 IP addresses (256 hosts up) scanned in 17.56 seconds

So I’m another step closer, but I know for a fact that there aren’t 256 hosts in the subnet, and notice the MAC address is always the same (and it happens to be the one listed in the output of ipconfig /all

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : Boston.local
   Description . . . . . . . . . . . : SonicWALL Virtual NIC
   Physical Address. . . . . . . . . : 00-60-73-3B-9D-0B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2c21:fcc4:3359:e748%55(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.1.132(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, September 20, 2018 2:17:55 PM
   Lease Expires . . . . . . . . . . : Saturday, September 22, 2018 12:48:30 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.1.1.1
   DHCPv6 IAID . . . . . . . . . . . : 922771571
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-EE-C8-89-28-F1-0E-09-37-A6
   DNS Servers . . . . . . . . . . . : 10.0.1.6
                                       204.130.255.3
                                       75.75.75.75
   NetBIOS over Tcpip. . . . . . . . : Enabled

One Answer

On Windows, Nmap must send raw Ethernet frames in order to do its specialized functions like "Stealth" SYN scan, OS fingerprinting, and traceroute. This means that it can only use network adapters that can handle raw Ethernet frames. If your VPN uses something else, Nmap won't be able to use these methods. PPTP tunnels are one known-bad example.

That doesn't mean you can't use Nmap, though! Nmap also has many features that do not use raw Ethernet frames, but instead use native socket operations that work with pretty much every network type out there. Port scan, reverse-DNS, service version detection, and NSE scripts can all work this way. An easy way to use these is to add the --unprivileged option, since that tells Nmap to use basic function calls for anything it can. This usually ends up being the same as using -PS80,443 for host discovery and -sT (TCP Connect) for port scan technique. And it will produce an error if you try anything like -O or --traceroute that it can't support.

But before you limit yourself to those features, do make sure you have the latest version of Npcap (0.99-r7 at the time of this answer) and have restarted the npcap service after starting your VPN so that it can observe and attach to the VPN network adapter (in an Administrator command prompt, run: net stop npcap then net start npcap). This just might make everything work great.

Answered by bonsaiviking on December 23, 2020

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP