7

I figured this would be the most relevant place to ask this question. I'm using a Kali VM to run some network scans. The results are different depending on whether my network interface is bridged or NATed.

Running this scan `nmap -sn 192.168.1.0/24` in NAT reports all 256 IPs as online hosts. The same scan in bridged reports the correct number of 5 online hosts. Note that this is from a freshly downloaded VM with no changes done on it.

Why the difference? I'm guessing there must be some issue with ICMPs or ARPs coming through? Could this be a config issue on my host (fresh LTS Ubuntu 14.04)?

I would be interested in understanding the reason and also any fixes. I'd like to have accurate host discovery without having to bridge every time.

EDIT: I am using VirtualBox 4.3.36.

Juicy
  • 1
    Please mention what hypervisor you are using (VirtualBox, VMware Player, QEMU, etc.). Most likely this is how NAT on your hypervisor is designed. I always have problems with virtual NAT and Nmap. – bonsaiviking Mar 07 '16 at 14:11
  • @bonsaiviking Editing my question. I'm glad to know I'm not the only one, although I don't remember having this problem in the past, likely with a different version of VirtualBox. – Juicy Mar 07 '16 at 14:33
  • 2
    When seeking to scan beyond the VM environment, I'd prefer to run the scanner in Bridged mode regardless. Always put as little infrastructure (virtual or otherwise) between the scanner and its targets as possible for thorough and accurate results. As for troubleshooting your problem, a little more information might still be useful: (1) What are the IP ranges of your networks (VirtualBox internal network and target network), and how are they connected? (2) Have you tried monitoring the scan with Wireshark or the `--packet-trace` option? (3) Have you tried different ping techniques? – Iszi Aug 15 '16 at 20:47
  • In NAT mode, nmap can't do ARP scanning, as they are separate networks at the Ethernet level. If the target host is fully firewalled, an ARP scan is the only way to detect it. – paj28 Aug 14 '19 at 19:56

2 Answers

1

VirtualBox sets the NAT up with its own IP address range and set of rules like the NAT in your router. So to get to the internet you are actually going through two NAT interfaces.

VirtualBox's NAT network treats all 256 IP addresses as online hosts because of the internal VirtualBox NAT configuration. Bridged mode bridges you directly with your NIC using your host's configuration, which is why those results are more accurate.

schroeder
x0r0n1n
0

I had the same problem and I could understand it with Wireshark. If you analyze your network traffic with Wireshark when you are doing Nmap scans, you can see that when you are doing the scan with NAT the TTL value is 128, if your host machine is Windows, or 64, on Linux (depending on the version).

This is because when VMware receives the packet, it recreates it and the TTL value is reinitialized, and this generates confusion in the Nmap scan.
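
One way to run the check that the `--packet-trace` comment and the Wireshark answer point to, as an added example that is not part of the original thread: parse `nmap -sn --packet-trace` output and flag a run in which every probed address answered with the same TTL. The trace lines are constructed, and the function names and the `min_targets` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed `nmap -sn --packet-trace` lines (not a real capture). The scanner
# sits at 10.0.2.15 behind the hypervisor NAT; the reply types are illustrative.
SAMPLE_NAT = """\
SENT (0.0313s) TCP 10.0.2.15:49152 > 192.168.1.7:80 A ttl=49 id=1201 iplen=40  seq=0 win=1024
RCVD (0.0330s) TCP 192.168.1.7:80 > 10.0.2.15:49152 R ttl=64 id=10 iplen=40  seq=1 win=0
SENT (0.0314s) TCP 10.0.2.15:49152 > 192.168.1.8:80 A ttl=51 id=1202 iplen=40  seq=0 win=1024
RCVD (0.0331s) TCP 192.168.1.8:80 > 10.0.2.15:49152 R ttl=64 id=11 iplen=40  seq=1 win=0
SENT (0.0315s) ICMP [10.0.2.15 > 192.168.1.9 Echo request (type=8/code=0) id=4111 seq=0] IP [ttl=52 id=1203 iplen=28 ]
RCVD (0.0332s) ICMP [192.168.1.9 > 10.0.2.15 Echo reply (type=0/code=0) id=4111 seq=0] IP [ttl=64 id=12 iplen=28 ]
"""

# Constructed contrast case: three addresses probed, only one host answers.
SAMPLE_SPARSE = """\
SENT (0.0313s) ICMP [10.0.2.15 > 192.168.1.1 Echo request (type=8/code=0) id=4200 seq=0] IP [ttl=52 id=1301 iplen=28 ]
RCVD (0.0351s) ICMP [192.168.1.1 > 10.0.2.15 Echo reply (type=0/code=0) id=4200 seq=0] IP [ttl=63 id=20 iplen=28 ]
SENT (0.0314s) ICMP [10.0.2.15 > 192.168.1.2 Echo request (type=8/code=0) id=4201 seq=0] IP [ttl=52 id=1302 iplen=28 ]
SENT (0.0315s) TCP 10.0.2.15:49152 > 192.168.1.3:80 A ttl=49 id=1303 iplen=40  seq=0 win=1024
"""

# Destination address of each probe, and source address plus TTL of each reply.
SENT_RE = re.compile(r"^SENT \(\S+\) (?:TCP|ICMP) \[?[\d.]+(?::\d+)? > ([\d.]+)")
RCVD_RE = re.compile(r"^RCVD \(\S+\) (?:TCP|ICMP) \[?([\d.]+).*?ttl=(\d+)")

def parse_trace(trace):
    """Return (set of probed targets, {responder: set of reply TTLs})."""
    probed, replies = set(), defaultdict(set)
    for line in trace.splitlines():
        if m := SENT_RE.match(line):
            probed.add(m.group(1))
        elif m := RCVD_RE.match(line):
            replies[m.group(1)].add(int(m.group(2)))
    return probed, dict(replies)

def looks_like_nat_artifact(trace, min_targets=3):
    """Heuristic (an assumption, not an nmap feature): every probed address
    replied, and all replies carry one identical TTL value."""
    probed, replies = parse_trace(trace)
    ttls = set().union(*replies.values())
    return (len(probed) >= min_targets
            and probed <= set(replies)
            and len(ttls) == 1)

if __name__ == "__main__":
    for name, trace in (("NAT", SAMPLE_NAT), ("sparse", SAMPLE_SPARSE)):
        print(name, looks_like_nat_artifact(trace))
```

A flagged run is a reason to repeat the scan in bridged mode before trusting the host list.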