# nmap can't detect the appropriate interface for the default route



## kantor (Nov 24, 2008)

I have FreeBSD 6.3 installed, a PPPoE connection and the latest nmap from the ports tree. If I run nmap as normal user all is fine, even if I run nmap as the root user but with connect scan (full TCP scan). But if I use nmap as the root user and want to make a SYN scan for instance (to send raw packets), I'm getting the following error:


# nmap -PN -vv -T4 http://www.freebsd.org

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-24 21:52 EET
WARNING: Unable to find appropriate interface for system route to 10.0.0.1
nexthost: failed to determine route to 69.147.83.33
QUITTING!

This occurs only if I'm trying to send raw packets. 
I made some research and I found similar problems on other forums, mailing lists, here are some of them:

http://www.daemonnews.org/mailinglists/FreeBSD/freebsd-stable/msg37054.html
http://lists.freebsd.org/pipermail/freebsd-questions/2006-September/131768.html
http://blogs.securiteam.com/index.php/archives/264  (here read the user comment at the bottom of the page)

I really don't know how to fix this issue (though I searched a lot for a solution, but nothing found yet). If somebody else experienced the same problem, and maybe has a good hint or workaround, then please let me know


----------



## kantor (Nov 24, 2008)

by the way here is my ifconfig and netstat -rn output

ifconfig:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.32.46 netmask 0xffffffe0 broadcast 192.168.32.63
        ether 00:0f:ea:b2:87:2a
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
        inet6 ::1 prefixlen 128 
        inet 127.0.0.1 netmask 0xff000000 
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 79.114.86.77 --> 10.0.0.1 netmask 0xffffffff 
        Opened by PID 339


netstat -rn:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.0.1           UGS         0    32225   tun0
10.0.0.1           79.114.86.77       UH          1        1   tun0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.32.32/27   link#1             UC          0        0    vr0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#2                        UHL         lo0
ff01:2::/32                       fe80::1%lo0                   UC          lo0
ff01:3::/32                       link#3                        UC         tun0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0
ff02::%tun0/32                    link#3                        UC         tun0


----------



## anomie (Nov 24, 2008)

Hi there, 

So vr0 is on the 192.168.32/26 subnet. And you have a tun0 device (which honestly I am not familiar with - I just read through its manpage now). Default gateway is 10.0.0.1. 

My guess is this (unusual?) configuration is confusing nmap. Can you explain a little more about your setup? Maybe your description will lend itself better to a fix.


----------



## SirDice (Nov 25, 2008)

I've had that same problem after I build nmap in a jail. It's probably due to not having access to the bpf devices during the build. 
Make sure you have bpf in your kernel config and rebuild libdnet.


----------



## kantor (Nov 25, 2008)

SirDice said:
			
		

> I've had that same problem after I build nmap in a jail. It's probably due to not having access to the bpf devices during the build.
> Make sure you have bpf in your kernel config and rebuild libdnet.



Thanks for the advice, but it is not working. I checked and the bpf device is loaded (I have a /dev/bpf0). I uninstalled and reinstalled libdnet and after that nmap from the ports tree but the problem is the same


----------



## kantor (Nov 25, 2008)

by the way here is my ppp.conf file 

default:
  #set log Phase Chat LCP IPCP CCP tun command
  set ifaddr 10.0.0.1/0 10.0.0.2/0
  set device PPPoE:vr0
  set authname USERNAME
  set authkey PASS
  set dial
  set login
  add default HISADDR

I wrote all in the default so I do not need to specify the ISP or whatever name is chosen if I want to start the connection manually, I only write ppp -ddial


----------



## SirDice (Nov 26, 2008)

Oh.. Wait.. I think I found something:
http://seclists.org/nmap-dev/2006/q3/0108.html

It is a rather old post but it looks like the same issue.

Have you tried nmap with the -e switch?


----------



## Makc666 (Mar 24, 2011)

I have jail in

```
FreeBSD 8.1-RELEASE-p1 #0: Wed Nov 17 16:01:50 MSK 2010
```

When I try to start inside jail:


```
#/usr/local/bin/nmap -sS -p 21,80,139 -v -PE -n  8.8.8.0/24               

Starting Nmap 5.51 ( http://nmap.org ) at 2011-03-24 17:34 MSK
Warning: Unable to open interface em0 -- skipping it.
Warning: Unable to open interface em0 -- skipping it.
nexthost: failed to determine route to 8.8.8.0
QUITTING!
```


```
#/usr/local/bin/nmap --iflist                              

Starting Nmap 5.51 ( http://nmap.org ) at 2011-03-24 17:35 MSK
Warning: Unable to open interface em0 -- skipping it.
Warning: Unable to open interface em0 -- skipping it.
INTERFACES: NONE FOUND(!)
ROUTES: NONE FOUND(!)
```


```
sysctl -a | grep jail                         
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.param.linux.oss_version: 0
security.jail.param.linux.osrelease: 65
security.jail.param.linux.osname: 65
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0
```

I have looked many pages found in Google, most of the are old.

As I remember under FreeBSD 7.2 there was no any problem.

What I have to do?


----------



## SirDice (Mar 24, 2011)

Did you build nmap inside the jail too? Was allow_raw_sockets set at that time?


----------



## Makc666 (Mar 25, 2011)

SirDice said:
			
		

> Did you build nmap inside the jail too? Was allow_raw_sockets set at that time?



I did build nmap inside the jail.

allow_raw_sockets was even before the jail was made.

Some more information.

I also have:

```
:~:uname -v
FreeBSD 7.2-RELEASE-p6 #0: Tue Feb 16 20:35:17 MSK 2010
:~:
```

And its jails have the same problem.

```
:/:/usr/local/bin/nmap --iflist

Starting Nmap 5.51 ( http://nmap.org ) at 2011-03-25 10:17 UTC
Warning: Unable to open interface em3 -- skipping it.
INTERFACES: NONE FOUND(!)
ROUTES: NONE FOUND(!)
:/:
```

I have tried to build nmap in the main machine root.
There nmap works.

The content of nmap file build in in the main machine root and inside jail are the same.


----------

