我已成功从 Windows 笔记本电脑连接到 VPN,我想查看名为“Boston”的工作组中有哪些主机正在运行。目前,该工作组的 DNS 未配置为列出大多数计算机名称,因此我只是尝试 IP 地址。当我输入时,ipconfig我看到以下内容(以及其他几个界面):
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . : Boston.local
Link-local IPv6 Address . . . . . : fe80::2c21:fcc4:3359:e748%55
IPv4 Address. . . . . . . . . . . : 10.1.1.132
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
我大胆猜测,“以太网 2” 指的是接口 eth2,因此我在 Zenmap 中尝试了以下操作
nmap -sn -T4 -e eth2 10.1.1.0/24
但我得到的只是如下的内容:
Starting Nmap 7.12 ( https://nmap.org ) at 2018-09-20 15:12 Mountain Daylight Time
setup_target: failed to determine route to 10.1.1.0
setup_target: failed to determine route to 10.1.1.1
setup_target: failed to determine route to 10.1.1.2
setup_target: failed to determine route to 10.1.1.3
适用于所有地址,包括我自己的地址。当我尝试 10.0.1.0/24 和 10.1.0.0/24 时,尽管这三个子网都在我的路由中,但我也得到了相同的结果
route PRINT
===========================================================================
Interface List
55...00 60 73 3b 9d 0b ......SonicWALL Virtual NIC
12...28 f1 0e 09 37 a6 ......Killer e2400 Gigabit Ethernet Controller
11...e6 b3 18 67 40 17 ......Microsoft Wi-Fi Direct Virtual Adapter #2
8...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
16...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
17...e4 b3 18 67 40 17 ......Intel(R) Dual Band Wireless-AC 8260
6...e4 b3 18 67 40 1b ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.240 35
10.0.1.0 255.255.255.0 On-link 10.1.1.132 2
10.0.1.6 255.255.255.255 On-link 10.1.1.132 2
10.0.1.255 255.255.255.255 On-link 10.1.1.132 257
10.1.0.0 255.255.255.0 On-link 10.1.1.132 2
10.1.0.255 255.255.255.255 On-link 10.1.1.132 257
10.1.1.0 255.255.255.0 On-link 10.1.1.132 257
10.1.1.132 255.255.255.255 On-link 10.1.1.132 257
10.1.1.255 255.255.255.255 On-link 10.1.1.132 257
10.5.0.0 255.255.255.0 On-link 10.1.1.132 2
10.5.0.255 255.255.255.255 On-link 10.1.1.132 257
10.8.0.0 255.255.255.0 On-link 10.1.1.132 2
10.8.0.255 255.255.255.255 On-link 10.1.1.132 257
10.8.1.0 255.255.255.0 On-link 10.1.1.132 2
10.8.1.255 255.255.255.255 On-link 10.1.1.132 257
70.91.168.73 255.255.255.255 192.168.1.1 192.168.1.240 35
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.16.0.0 255.255.255.0 On-link 10.1.1.132 2
172.16.0.255 255.255.255.255 On-link 10.1.1.132 257
172.16.1.0 255.255.255.0 On-link 10.1.1.132 2
172.16.1.255 255.255.255.255 On-link 10.1.1.132 257
172.16.31.0 255.255.255.0 On-link 10.1.1.132 2
172.16.31.255 255.255.255.255 On-link 10.1.1.132 257
192.168.1.0 255.255.255.0 On-link 192.168.1.240 291
192.168.1.240 255.255.255.255 On-link 192.168.1.240 291
192.168.1.255 255.255.255.255 On-link 192.168.1.240 291
192.168.47.0 255.255.255.0 On-link 192.168.47.1 291
192.168.47.1 255.255.255.255 On-link 192.168.47.1 291
192.168.47.255 255.255.255.255 On-link 192.168.47.1 291
192.168.80.0 255.255.255.0 On-link 192.168.80.1 291
192.168.80.1 255.255.255.255 On-link 192.168.80.1 291
192.168.80.255 255.255.255.255 On-link 192.168.80.1 291
192.168.100.0 255.255.255.0 On-link 10.1.1.132 2
192.168.100.255 255.255.255.255 On-link 10.1.1.132 257
192.168.101.0 255.255.255.0 On-link 10.1.1.132 2
192.168.101.255 255.255.255.255 On-link 10.1.1.132 257
192.168.150.0 255.255.255.0 On-link 10.1.1.132 2
192.168.150.255 255.255.255.255 On-link 10.1.1.132 257
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.47.1 291
224.0.0.0 240.0.0.0 On-link 192.168.80.1 291
224.0.0.0 240.0.0.0 On-link 192.168.1.240 291
224.0.0.0 240.0.0.0 On-link 10.1.1.132 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.47.1 291
255.255.255.255 255.255.255.255 On-link 192.168.80.1 291
255.255.255.255 255.255.255.255 On-link 192.168.1.240 291
255.255.255.255 255.255.255.255 On-link 10.1.1.132 257
===========================================================================
Persistent Routes:
None
使用 eth1 可得到相同的结果,使用 eth0 可得到
Starting Nmap 7.12 ( https://nmap.org ) at 2018-09-20 16:27 Mountain Daylight Time
dnet: Failed to open device eth0
QUITTING!
更新 #1
我完全被迷惑了——我刚刚运行nmap --iflist并得到了以下输出,但它仍然抱怨 eth0(无论我是否用 -e 指定它)
Starting Nmap 7.12 ( https://nmap.org ) at 2018-09-21 13:21 Mountain Daylight Time
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
eth0 (eth0) fe80::2c21:fcc4:3359:e748/64 ethernet up 1418 00:60:73:3B:9D:0B
eth0 (eth0) 10.1.1.132/24 ethernet up 1418 00:60:73:3B:9D:0B
eth1 (eth1) fe80::91aa:d87e:1a49:4d58/64 ethernet down 1500 28:F1:0E:09:37:A6
eth1 (eth1) 169.254.77.88/4 ethernet down 1500 28:F1:0E:09:37:A6
eth2 (eth2) fe80::956:1f96:1f35:8785/64 ethernet down 1500 E6:B3:18:67:40:17
eth2 (eth2) 169.254.135.133/4 ethernet down 1500 E6:B3:18:67:40:17
eth3 (eth3) fe80::350a:77b7:3bc8:3e99/64 ethernet up 1500 00:50:56:C0:00:01
eth3 (eth3) 192.168.47.1/24 ethernet up 1500 00:50:56:C0:00:01
eth4 (eth4) fe80::1c8e:b518:9d75:dc50/64 ethernet up 1500 00:50:56:C0:00:08
eth4 (eth4) 192.168.80.1/24 ethernet up 1500 00:50:56:C0:00:08
eth5 (eth5) fe80::11db:9e0a:4913:3823/64 ethernet up 1500 E4:B3:18:67:40:17
eth5 (eth5) 192.168.1.240/24 ethernet up 1500 E4:B3:18:67:40:17
eth6 (eth6) fe80::1560:3bf9:44e8:c2d5/64 ethernet down 1500 E4:B3:18:67:40:1B
eth6 (eth6) 169.254.194.213/4 ethernet down 1500 E4:B3:18:67:40:1B
lo0 (lo0) ::1/128 loopback up -1
lo0 (lo0) 127.0.0.1/8 loopback up -1
DEV WINDEVICE
eth0 <none>
eth0 <none>
eth1 \Device\NPF_{8A8B5341-C773-4892-8D8F-C1DC84272FD6}
eth1 \Device\NPF_{8A8B5341-C773-4892-8D8F-C1DC84272FD6}
eth2 \Device\NPF_{8A1E85B7-D29F-4346-B4ED-E52F8558DFF3}
eth2 \Device\NPF_{8A1E85B7-D29F-4346-B4ED-E52F8558DFF3}
eth3 \Device\NPF_{6771C502-791A-42C4-8769-1835C8194B3E}
eth3 \Device\NPF_{6771C502-791A-42C4-8769-1835C8194B3E}
eth4 \Device\NPF_{B5851DDD-8079-43BB-A5EB-3249ABF478E7}
eth4 \Device\NPF_{B5851DDD-8079-43BB-A5EB-3249ABF478E7}
eth5 \Device\NPF_{BBD3B26B-B578-4E49-82C0-132666231D08}
eth5 \Device\NPF_{BBD3B26B-B578-4E49-82C0-132666231D08}
eth6 \Device\NPF_{5E60BD83-E486-4881-A7E1-79F498E06387}
eth6 \Device\NPF_{5E60BD83-E486-4881-A7E1-79F498E06387}
lo0 <none>
lo0 <none>
**************************ROUTES**************************
DST/MASK DEV METRIC GATEWAY
10.0.1.6/32 eth0 2
70.91.168.73/32 eth5 35 192.168.1.1
192.168.150.255/32 eth0 257
255.255.255.255/32 eth0 257
10.8.0.255/32 eth0 257
10.1.0.255/32 eth0 257
172.16.0.255/32 eth0 257
10.1.1.132/32 eth0 257
10.1.1.255/32 eth0 257
192.168.101.255/32 eth0 257
10.5.0.255/32 eth0 257
10.8.1.255/32 eth0 257
172.16.1.255/32 eth0 257
192.168.100.255/32 eth0 257
172.16.31.255/32 eth0 257
10.0.1.255/32 eth0 257
255.255.255.255/32 eth1 261
255.255.255.255/32 eth2 281
255.255.255.255/32 eth3 291
192.168.47.255/32 eth3 291
255.255.255.255/32 eth5 291
192.168.80.1/32 eth4 291
255.255.255.255/32 eth4 291
192.168.80.255/32 eth4 291
192.168.47.1/32 eth3 291
192.168.1.255/32 eth5 291
192.168.1.240/32 eth5 291
255.255.255.255/32 eth6 321
255.255.255.255/32 lo0 331
127.255.255.255/32 lo0 331
127.0.0.1/32 lo0 331
10.1.0.0/24 eth0 2
10.0.1.0/24 eth0 2
172.16.31.0/24 eth0 2
172.16.0.0/24 eth0 2
10.8.1.0/24 eth0 2
10.8.0.0/24 eth0 2
10.5.0.0/24 eth0 2
172.16.1.0/24 eth0 2
192.168.101.0/24 eth0 2
192.168.100.0/24 eth0 2
192.168.150.0/24 eth0 2
10.1.1.0/24 eth0 257
192.168.47.0/24 eth3 291
192.168.1.0/24 eth5 291
192.168.80.0/24 eth4 291
127.0.0.0/8 lo0 331
224.0.0.0/4 eth0 257
224.0.0.0/4 eth1 261
224.0.0.0/4 eth2 281
224.0.0.0/4 eth5 291
224.0.0.0/4 eth3 291
224.0.0.0/4 eth4 291
224.0.0.0/4 eth6 321
224.0.0.0/4 lo0 331
0.0.0.0/0 eth5 35 192.168.1.1
fe80::91aa:d87e:1a49:4d58/128 eth1 261
fe80::956:1f96:1f35:8785/128 eth2 281
fe80::1c8e:b518:9d75:dc50/128 eth4 291
fe80::350a:77b7:3bc8:3e99/128 eth3 291
fe80::2c21:fcc4:3359:e748/128 eth0 291
fe80::11db:9e0a:4913:3823/128 eth5 291
fe80::1560:3bf9:44e8:c2d5/128 eth6 321
::1/128 lo0 331
fe80::/64 eth1 261
fe80::/64 eth2 281
fe80::/64 eth0 291
fe80::/64 eth5 291
fe80::/64 eth4 291
fe80::/64 eth3 291
fe80::/64 eth6 321
ff00::/8 eth1 261
ff00::/8 eth2 281
ff00::/8 eth0 291
ff00::/8 eth5 291
ff00::/8 eth4 291
ff00::/8 eth3 291
ff00::/8 eth6 321
ff00::/8 lo0 331
更新 #2
仔细阅读后这次讨论关于界面命名混乱的问题,我已下载并运行最新的 zenmap 安装程序 7.70 版。现在的输出nmap -sn -T4 10.0.1.0/24产生以下内容
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-21 14:44 Mountain Daylight Time
Nmap scan report for 10.0.1.0
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap scan report for 10.0.1.1
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap scan report for 10.0.1.2
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
...[snip]...
Nmap scan report for 10.0.1.254
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap scan report for 10.0.1.255
Host is up (0.00s latency).
MAC Address: 00:60:73:3B:9D:0C (Redcreek Communications)
Nmap done: 256 IP addresses (256 hosts up) scanned in 17.56 seconds
所以我又近了一步,但我知道子网中没有 256 个主机,并且注意到 MAC 地址始终相同(并且恰好是输出中列出的 MAC 地址)ipconfig /all
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . : Boston.local
Description . . . . . . . . . . . : SonicWALL Virtual NIC
Physical Address. . . . . . . . . : 00-60-73-3B-9D-0B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::2c21:fcc4:3359:e748%55(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.1.132(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, September 20, 2018 2:17:55 PM
Lease Expires . . . . . . . . . . : Saturday, September 22, 2018 12:48:30 PM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.1.1.1
DHCPv6 IAID . . . . . . . . . . . : 922771571
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-EE-C8-89-28-F1-0E-09-37-A6
DNS Servers . . . . . . . . . . . : 10.0.1.6
204.130.255.3
75.75.75.75
NetBIOS over Tcpip. . . . . . . . : Enabled
答案1
在 Windows 上,Nmap 必须发送原始以太网帧才能执行其特殊功能,如“隐形”SYN 扫描、OS 指纹识别和跟踪路由。这意味着它只能使用能够处理原始以太网帧的网络适配器。如果您的 VPN 使用其他设备,Nmap 将无法使用这些方法。PPTP 隧道就是一个已知的坏例子。
但这并不意味着您不能使用 Nmap!Nmap 还具有许多不使用原始以太网帧的功能,而是使用适用于几乎所有网络类型的本机套接字操作。端口扫描、反向 DNS、服务版本检测和 NSE 脚本都可以以这种方式工作。使用这些的一种简单方法是添加选项,因为它告诉 Nmap 使用基本函数调用来执行任何它可以执行的操作。这通常最终与用于主机发现和(TCP Connect)用于端口扫描技术--unprivileged相同。如果您尝试任何类似或它无法支持的操作,它将产生错误。-PS80,443-sT-O--traceroute
但在你限制自己使用这些功能之前,请确保你拥有Npcap 的最新版本(回答此问题时版本为 0.99-r7)并npcap在启动 VPN 后重新启动了服务,以便它可以观察并连接到 VPN 网络适配器(在管理员命令提示符下,运行:net stop npcapthen net start npcap)。这可能会让一切顺利进行。