Super User Asked on December 23, 2020
I have successfully connected to a VPN from my Windows laptop and I want to see what hosts are up in the workgroup named “Boston”. Currently the workgroup’s DNS is not configured to list most of the computer names, so I’m just trying IP addresses. When I type ipconfig I see the following (among several other interfaces):
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . : Boston.local
Link-local IPv6 Address . . . . . : fe80::2c21:fcc4:3359:e748%55
IPv4 Address. . . . . . . . . . . : 10.1.1.132
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
I just went out on a limb and assumed “Ethernet 2” implies interface eth2, so I tried the following in Zenmap
nmap -sn -T4 -e eth2 10.1.1.0/24
But all I get are lines like the following:
Starting Nmap 7.12 ( https://nmap.org ) at 2018-09-20 15:12 Mountain Daylight Time
setup_target: failed to determine route to 10.1.1.0
setup_target: failed to determine route to 10.1.1.1
setup_target: failed to determine route to 10.1.1.2
setup_target: failed to determine route to 10.1.1.3
for all addresses, including my own. I also get the same results when I try 10.0.1.0/24 and 10.1.0.0/24 despite all three subnets being in my routes
route PRINT
===========================================================================
Interface List
55...00 60 73 3b 9d 0b ......SonicWALL Virtual NIC
12...28 f1 0e 09 37 a6 ......Killer e2400 Gigabit Ethernet Controller
11...e6 b3 18 67 40 17 ......Microsoft Wi-Fi Direct Virtual Adapter #2
8...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
16...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
17...e4 b3 18 67 40 17 ......Intel(R) Dual Band Wireless-AC 8260
6...e4 b3 18 67 40 1b ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.240 35
10.0.1.0 255.255.255.0 On-link 10.1.1.132 2
10.0.1.6 255.255.255.255 On-link 10.1.1.132 2
10.0.1.255 255.255.255.255 On-link 10.1.1.132 257
10.1.0.0 255.255.255.0 On-link 10.1.1.132 2
10.1.0.255 255.255.255.255 On-link 10.1.1.132 257
10.1.1.0 255.255.255.0 On-link 10.1.1.132 257
10.1.1.132 255.255.255.255 On-link 10.1.1.132 257
10.1.1.255 255.255.255.255 On-link 10.1.1.132 257
10.5.0.0 255.255.255.0 On-link 10.1.1.132 2
10.5.0.255 255.255.255.255 On-link 10.1.1.132 257
10.8.0.0 255.255.255.0 On-link 10.1.1.132 2
10.8.0.255 255.255.255.255 On-link 10.1.1.132 257
10.8.1.0 255.255.255.0 On-link 10.1.1.132 2
10.8.1.255 255.255.255.255 On-link 10.1.1.132 257
70.91.168.73 255.255.255.255 192.168.1.1 192.168.1.240 35
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.16.0.0 255.255.255.0 On-link 10.1.1.132 2
172.16.0.255 255.255.255.255 On-link 10.1.1.132 257
172.16.1.0 255.255.255.0 On-link 10.1.1.132 2
172.16.1.255 255.255.255.255 On-link 10.1.1.132 257
172.16.31.0 255.255.255.0 On-link 10.1.1.132 2
172.16.31.255 255.255.255.255 On-link 10.1.1.132 257
192.168.1.0 255.255.255.0 On-link 192.168.1.240 291
192.168.1.240 255.255.255.255 On-link 192.168.1.240 291
192.168.1.255 255.255.255.255 On-link 192.168.1.240 291
192.168.47.0 255.255.255.0 On-link 192.168.47.1 291
192.168.47.1 255.255.255.255 On-link 192.168.47.1 291
192.168.47.255 255.255.255.255 On-link 192.168.47.1 291
192.168.80.0 255.255.255.0 On-link 192.168.80.1 291
192.168.80.1 255.255.255.255 On-link 192.168.80.1 291
192.168.80.255 255.255.255.255 On-link 192.168.80.1 291
192.168.100.0 255.255.255.0 On-link 10.1.1.132 2
192.168.100.255 255.255.255.255 On-link 10.1.1.132 257
192.168.101.0 255.255.255.0 On-link 10.1.1.132 2
192.168.101.255 255.255.255.255 On-link 10.1.1.132 257
192.168.150.0 255.255.255.0 On-link 10.1.1.132 2
192.168.150.255 255.255.255.255 On-link 10.1.1.132 257
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.47.1 291
224.0.0.0 240.0.0.0 On-link 192.168.80.1 291
224.0.0.0 240.0.0.0 On-link 192.168.1.240 291
224.0.0.0 240.0.0.0 On-link 10.1.1.132 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.47.1 291
255.255.255.255 255.255.255.255 On-link 192.168.80.1 291
255.255.255.255 255.255.255.255 On-link 192.168.1.240 291
255.255.255.255 255.255.255.255 On-link 10.1.1.132 257
===========================================================================
Persistent Routes:
None
Using eth1 gives the same results, and using eth0 gives
Starting Nmap 7.12 ( https://nmap.org ) at 2018-09-20 16:27 Mountain Daylight Time
dnet: Failed to open device eth0
QUITTING!
I am completely mystified — I just ran nmap --iflist and I get the following output, but it still complains about eth0 (whether I specify it with -e or not):
Starting Nmap 7.12 ( https://nmap.org ) at 2018-09-21 13:21 Mountain Daylight Time
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
eth0 (eth0) fe80::2c21:fcc4:3359:e748/64 ethernet up 1418 00:60:73:3B:9D:0B
eth0 (eth0) 10.1.1.132/24 ethernet up 1418 00:60:73:3B:9D:0B
eth1 (eth1) fe80::91aa:d87e:1a49:4d58/64 ethernet down 1500 28:F1:0E:09:37:A6
eth1 (eth1) 169.254.77.88/4 ethernet down 1500 28:F1:0E:09:37:A6
eth2 (eth2) fe80::956:1f96:1f35:8785/64 ethernet down 1500 E6:B3:18:67:40:17
eth2 (eth2) 169.254.135.133/4 ethernet down 1500 E6:B3:18:67:40:17
eth3 (eth3) fe80::350a:77b7:3bc8:3e99/64 ethernet up 1500 00:50:56:C0:00:01
eth3 (eth3) 192.168.47.1/24 ethernet up 1500 00:50:56:C0:00:01
eth4 (eth4) fe80::1c8e:b518:9d75:dc50/64 ethernet up 1500 00:50:56:C0:00:08
eth4 (eth4) 192.168.80.1/24 ethernet up 1500 00:50:56:C0:00:08
eth5 (eth5) fe80::11db:9e0a:4913:3823/64 ethernet up 1500 E4:B3:18:67:40:17
eth5 (eth5) 192.168.1.240/24 ethernet up 1500 E4:B3:18:67:40:17
eth6 (eth6) fe80::1560:3bf9:44e8:c2d5/64 ethernet down 1500 E4:B3:18:67:40:1B
eth6 (eth6) 169.254.194.213/4 ethernet down 1500 E4:B3:18:67:40:1B
lo0 (lo0) ::1/128 loopback up -1
lo0 (lo0) 127.0.0.1/8 loopback up -1
DEV WINDEVICE
eth0 <none>
eth0 <none>
eth1 \Device\NPF_{8A8B5341-C773-4892-8D8F-C1DC84272FD6}
eth1 \Device\NPF_{8A8B5341-C773-4892-8D8F-C1DC84272FD6}
eth2 \Device\NPF_{8A1E85B7-D29F-4346-B4ED-E52F8558DFF3}
eth2 \Device\NPF_{8A1E85B7-D29F-4346-B4ED-E52F8558DFF3}
eth3 \Device\NPF_{6771C502-791A-42C4-8769-1835C8194B3E}
eth3 \Device\NPF_{6771C502-791A-42C4-8769-1835C8194B3E}
eth4 \Device\NPF_{B5851DDD-8079-43BB-A5EB-3249ABF478E7}
eth4 \Device\NPF_{B5851DDD-8079-43BB-A5EB-3249ABF478E7}
eth5 \Device\NPF_{BBD3B26B-B578-4E49-82C0-132666231D08}
eth5 \Device\NPF_{BBD3B26B-B578-4E49-82C0-132666231D08}
eth6 \Device\NPF_{5E60BD83-E486-4881-A7E1-79F498E06387}
eth6 \Device\NPF_{5E60BD83-E486-4881-A7E1-79F498E06387}
lo0 <none>
lo0 <none>
**************************ROUTES**************************
DST/MASK DEV METRIC GATEWAY
10.0.1.6/32 eth0 2
70.91.168.73/32 eth5 35 192.168.1.1
192.168.150.255/32 eth0 257
255.255.255.255/32 eth0 257
10.8.0.255/32 eth0 257
10.1.0.255/32 eth0 257
172.16.0.255/32 eth0 257
10.1.1.132/32 eth0 257
10.1.1.255/32 eth0 257
192.168.101.255/32 eth0 257
10.5.0.255/32 eth0 257
10.8.1.255/32 eth0 257
172.16.1.255/32 eth0 257
192.168.100.255/32 eth0 257
172.16.31.255/32 eth0 257
10.0.1.255/32 eth0 257
255.255.255.255/32 eth1 261
255.255.255.255/32 eth2 281
255.255.255.255/32 eth3 291
192.168.47.255/32 eth3 291
255.255.255.255/32 eth5 291
192.168.80.1/32 eth4 291
255.255.255.255/32 eth4 291
192.168.80.255/32 eth4 291
192.168.47.1/32 eth3 291
192.168.1.255/32 eth5 291
192.168.1.240/32 eth5 291
255.255.255.255/32 eth6 321
255.255.255.255/32 lo0 331
127.255.255.255/32 lo0 331
127.0.0.1/32 lo0 331
10.1.0.0/24 eth0 2
10.0.1.0/24 eth0 2
172.16.31.0/24 eth0 2
172.16.0.0/24 eth0 2
10.8.1.0/24 eth0 2
10.8.0.0/24 eth0 2
10.5.0.0/24 eth0 2
172.16.1.0/24 eth0 2
192.168.101.0/24 eth0 2
192.168.100.0/24 eth0 2
192.168.150.0/24 eth0 2
10.1.1.0/24 eth0 257
192.168.47.0/24 eth3 291
192.168.1.0/24 eth5 291
192.168.80.0/24 eth4 291
127.0.0.0/8 lo0 331
224.0.0.0/4 eth0 257
224.0.0.0/4 eth1 261
224.0.0.0/4 eth2 281
224.0.0.0/4 eth5 291
224.0.0.0/4 eth3 291
224.0.0.0/4 eth4 291
224.0.0.0/4 eth6 321
224.0.0.0/4 lo0 331
0.0.0.0/0 eth5 35 192.168.1.1
fe80::91aa:d87e:1a49:4d58/128 eth1 261
fe80::956:1f96:1f35:8785/128 eth2 281
fe80::1c8e:b518:9d75:dc50/128 eth4 291
fe80::350a:77b7:3bc8:3e99/128 eth3 291
fe80::2c21:fcc4:3359:e748/128 eth0 291
fe80::11db:9e0a:4913:3823/128 eth5 291
fe80::1560:3bf9:44e8:c2d5/128 eth6 321
::1/128 lo0 331
fe80::/64 eth1 261
fe80::/64 eth2 281
fe80::/64 eth0 291
fe80::/64 eth5 291
fe80::/64 eth4 291
fe80::/64 eth3 291
fe80::/64 eth6 321
ff00::/8 eth1 261
ff00::/8 eth2 281
ff00::/8 eth0 291
ff00::/8 eth5 291
ff00::/8 eth4 291
ff00::/8 eth3 291
ff00::/8 eth6 321
ff00::/8 lo0 331
After perusing this discussion concerning interface naming confusion, I have downloaded and run the latest zenmap installer for version 7.70. Now the output of nmap -sn -T4 10.0.1.0/24 produces the following:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-21 14:44 Mountain Daylight Time
Nmap scan report for 10.0.1.0
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap scan report for 10.0.1.1
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap scan report for 10.0.1.2
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
...[snip]...
Nmap scan report for 10.0.1.254
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap scan report for 10.0.1.255
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap done: 256 IP addresses (256 hosts up) scanned in 17.56 seconds
So I’m another step closer, but I know for a fact that there aren’t 256 hosts in the subnet, and notice the MAC address is always the same (and it happens to be the one listed in the output of ipconfig /all):
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . : Boston.local
Description . . . . . . . . . . . : SonicWALL Virtual NIC
Physical Address. . . . . . . . . : 00-60-73-3B-9D-0B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::2c21:fcc4:3359:e748%55(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.1.132(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, September 20, 2018 2:17:55 PM
Lease Expires . . . . . . . . . . : Saturday, September 22, 2018 12:48:30 PM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.1.1.1
DHCPv6 IAID . . . . . . . . . . . : 922771571
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-EE-C8-89-28-F1-0E-09-37-A6
DNS Servers . . . . . . . . . . . : 10.0.1.6
204.130.255.3
75.75.75.75
NetBIOS over Tcpip. . . . . . . . : Enabled
On Windows, Nmap must send raw Ethernet frames in order to do its specialized functions like "Stealth" SYN scan, OS fingerprinting, and traceroute. This means that it can only use network adapters that can handle raw Ethernet frames. If your VPN uses something else, Nmap won't be able to use these methods. PPTP tunnels are one known-bad example.
That doesn't mean you can't use Nmap, though! Nmap also has many features that do not use raw Ethernet frames, but instead use native socket operations that work with pretty much every network type out there. Port scan, reverse-DNS, service version detection, and NSE scripts can all work this way. An easy way to use these is to add the --unprivileged option, since that tells Nmap to use basic function calls for anything it can. This usually ends up being the same as using -PS80,443 for host discovery and -sT (TCP Connect) for port scan technique. And it will produce an error if you try anything like -O or --traceroute that it can't support.
But before you limit yourself to those features, do make sure you have the latest version of Npcap (0.99-r7 at the time of this answer) and have restarted the npcap service after starting your VPN so that it can observe and attach to the VPN network adapter (in an Administrator command prompt, run: net stop npcap then net start npcap). This just might make everything work great.
Answered by bonsaiviking on December 23, 2020
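The condition the answer describes can be read off the `nmap --iflist` output in the question: eth0 (the SonicWALL Virtual NIC) has WINDEVICE `<none>`, and every VPN subnet routes through eth0. The following is an added example, not code from the original post or from the Nmap project, that parses a trimmed, constructed copy of that output and reports whether raw-frame scan modes can reach a target. The function names and the reading of `<none>` as "no Npcap capture device attached" are assumptions of this example, and only IPv4 routes are handled.

```python
import ipaddress
import re

# Constructed sample: trimmed from the `nmap --iflist` sections in the question.
SAMPLE = r"""
DEV  (SHORT) IP/MASK          TYPE     UP MTU  MAC
eth0 (eth0)  10.1.1.132/24    ethernet up 1418 00:60:73:3B:9D:0B
eth5 (eth5)  192.168.1.240/24 ethernet up 1500 E4:B3:18:67:40:17
DEV  WINDEVICE
eth0 <none>
eth5 \Device\NPF_{BBD3B26B-B578-4E49-82C0-132666231D08}
DST/MASK       DEV  METRIC GATEWAY
10.1.1.0/24    eth0 257
10.0.1.0/24    eth0 2
192.168.1.0/24 eth5 291
0.0.0.0/0      eth5 35     192.168.1.1
"""

WINDEV_RE = re.compile(r"^(\w+)\s+(<none>|\\Device\\NPF_\S+)\s*$")
ROUTE_RE = re.compile(r"^(\d+(?:\.\d+){3}/\d+)\s+(\w+)\s+(\d+)")

def parse_iflist(text):
    """Return ({dev: windevice or None}, [(network, dev, metric)]), IPv4 only."""
    windev, routes = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := WINDEV_RE.match(line):
            windev[m.group(1)] = None if m.group(2) == "<none>" else m.group(2)
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(m.group(1), strict=False)
            routes.append((net, m.group(2), int(m.group(3))))
    return windev, routes

def egress_dev(target, routes):
    """Pick the route by longest prefix, ties broken by lowest metric."""
    addr = ipaddress.ip_address(target)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1] if hits else None

def advise(target, text=SAMPLE):
    """Return (egress device, advice) for raw-frame scanning of `target`."""
    windev, routes = parse_iflist(text)
    dev = egress_dev(target, routes)
    if dev is None:
        return (None, "no route")
    if windev.get(dev) is None:
        # Assumption: <none> means Npcap is not attached to this adapter.
        return (dev, "no capture device: restart npcap, else use --unprivileged")
    return (dev, "raw frames available")
```
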