
-source-ip is ignored

Open amarao opened this issue 2 years ago • 2 comments

Naabu version:

2.2.1

Current Behavior:

naabu is using the primary IPv4 address even if a secondary IP is specified as -source-ip {secondary_ip}.

Expected Behavior:

  • the source IP of the packets should be the specified source IP.

Steps To Reproduce:

Configure secondary IP (example for eth0 interface):

  1. ip address add 30.0.0.1/32 dev eth0
  2. Run ./naabu -host 188.42.216.83 -source-ip 30.0.0.1
  3. Run tcpdump in other tab

Example of capture for the command from above:

18:08:34.192803 IP 23.109.117.124.45775 > 188.42.216.83.80: Flags [S], seq 0, win 1024, options [mss 1460], length 0
18:08:34.192848 IP 23.109.117.124.45775 > 188.42.216.83.443: Flags [S], seq 1, win 1024, options [mss 1460], length 0
18:08:34.192867 IP 23.109.117.124.45775 > 188.42.216.83.80: Flags [.], ack 0, win 1024, options [mss 1460], length 0
18:08:34.192881 IP 23.109.117.124.45775 > 188.42.216.83.443: Flags [.], ack 0, win 1024, options [mss 1460], length 0
18:08:34.192929 IP 23.109.117.124 > 188.42.216.83: ICMP echo request, id 18964, seq 1, length 8
18:08:34.192946 IP 23.109.117.124 > 188.42.216.83: ICMP time stamp query id 18964 seq 0, length 20

(23.109.117.124 is the primary IP on the server.)

amarao avatar Mar 11 '24 18:03 amarao

naabu verifies whether there is a route to the destination from the source-ip; otherwise it falls back to the system routes, because otherwise it would be impossible to receive the packets from the target. This behavior was chosen to make it easier to handle mixed cases where nmap would just error out:

# nmap -S 30.0.0.1 188.42.216.83 -e eth0
WARNING: If -S is being used to fake your source address, you may also have to use -e <interface> and -Pn .  If you are using it to specify your real source address, you can ignore this warning.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-15 09:12 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.09 seconds

Mzack9999 avatar Mar 15 '24 09:03 Mzack9999

I hit this bug in a production configuration with real (working) IPs.

  • one network card with local IP (10.x.x.x) with route to 10.0.0.0/8
  • second network card with internet IP and default route
  • there is an alias (second internet) IP on the second network card, and it's functional (e.g. I can ping with this IP as a source and I get a reply).

amarao avatar Mar 15 '24 13:03 amarao
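The decision the maintainer describes (honour -source-ip only when replies can come back through it, otherwise fall back to the system route) and the reporter's two-card layout can be modelled as one pure function. The following Go program is an added example written for this thread; it is not naabu's code and does not read the kernel's tables. The `Host`, `Route` and `ChooseSource` names, the interface names and the addresses 10.1.2.3 and 192.0.2.9 are constructed for the example; 23.109.117.124, 30.0.0.1 and 188.42.216.83 are the values from the report. It encodes the policy that a source address is usable when it is configured on the same interface that the route to the destination uses, which is exactly the alias-on-the-default-route case the reporter says should work.

```go
package main

import (
	"fmt"
	"net"
)

// Route is one routing-table entry: a destination prefix and the interface
// through which traffic to that prefix leaves the host.
type Route struct {
	Prefix *net.IPNet
	Iface  string
}

// Host models a machine's address and route configuration. The data is
// constructed for the example; a real tool would read it from the kernel.
type Host struct {
	Addrs  map[string][]net.IP // interface name -> addresses assigned to it
	Routes []Route
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// ifaceOwning returns the name of the interface that has ip assigned, or "".
func (h Host) ifaceOwning(ip net.IP) string {
	for name, addrs := range h.Addrs {
		for _, a := range addrs {
			if a.Equal(ip) {
				return name
			}
		}
	}
	return ""
}

// routeTo returns the longest-prefix route covering dst.
func (h Host) routeTo(dst net.IP) (Route, bool) {
	var best Route
	bestLen := -1
	for _, r := range h.Routes {
		if !r.Prefix.Contains(dst) {
			continue
		}
		if l, _ := r.Prefix.Mask.Size(); l > bestLen {
			best, bestLen = r, l
		}
	}
	return best, bestLen >= 0
}

// ChooseSource applies the policy described in the thread: honour the
// requested source address when it is configured on the very interface the
// route to dst uses (so replies can come back to it); otherwise fall back to
// the first address of that interface, as the system would. The second
// return value names the branch taken, which is useful when debugging a
// scanner that silently picked a different address than the one requested.
func (h Host) ChooseSource(requested, dst net.IP) (net.IP, string, error) {
	r, ok := h.routeTo(dst)
	if !ok {
		return nil, "", fmt.Errorf("no route to %s", dst)
	}
	fallback := h.Addrs[r.Iface]
	if len(fallback) == 0 {
		return nil, "", fmt.Errorf("route interface %s has no address", r.Iface)
	}
	if requested == nil {
		return fallback[0], "fallback: no source requested", nil
	}
	switch owner := h.ifaceOwning(requested); {
	case owner == "":
		return fallback[0], "fallback: requested IP is not configured on this host", nil
	case owner != r.Iface:
		return fallback[0], fmt.Sprintf("fallback: route to %s leaves via %s, not %s", dst, r.Iface, owner), nil
	default:
		return requested, "requested", nil
	}
}

// sampleHost reproduces the reporter's layout (constructed data): eth1 carries
// a private address and the 10.0.0.0/8 route; eth0 carries the primary public
// address, the alias 30.0.0.1/32 and the default route.
func sampleHost() Host {
	return Host{
		Addrs: map[string][]net.IP{
			"eth0": {net.ParseIP("23.109.117.124"), net.ParseIP("30.0.0.1")},
			"eth1": {net.ParseIP("10.1.2.3")},
		},
		Routes: []Route{
			{Prefix: mustCIDR("10.0.0.0/8"), Iface: "eth1"},
			{Prefix: mustCIDR("0.0.0.0/0"), Iface: "eth0"},
		},
	}
}

func main() {
	h := sampleHost()
	for _, c := range []struct{ src, dst string }{
		{"30.0.0.1", "188.42.216.83"},  // alias on the default-route interface: honoured
		{"30.0.0.1", "10.9.9.9"},       // destination leaves via eth1: fallback to eth1's address
		{"192.0.2.9", "188.42.216.83"}, // not configured anywhere: fallback to eth0's primary
	} {
		ip, why, err := h.ChooseSource(net.ParseIP(c.src), net.ParseIP(c.dst))
		fmt.Printf("src=%s dst=%s -> %v (%s) err=%v\n", c.src, c.dst, ip, why, err)
	}
}
```

Run with `go run .`; the first case is the one from the report, and under this policy it keeps 30.0.0.1 because the alias sits on eth0, the interface the default route uses. On a live host the equivalent kernel check is `ip route get <dst> from <src>`, which tells you whether the kernel itself considers the source/destination pair routable before blaming the scanner.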