Nmap Experience/Advice

Anyone on here NMAP through a tailscale subnet router? Im sure I will figure it out, but I figured I’de ask on here as well. I have kali running tailscale with accept routes flag, i have another windows box running as a subnet router.

The odd behavior is when i try to interact with the subnet, it appears everybox and every port is open.

If I missed a post / faq feel free to tell me to RTFM and point me in the right direction, otherwise any insight on why this is happening?

What does “nmap through Tailscale” mean to you? Can you paste the specific nmap invocation you’re using? There’s a lot of variance here, and “things give up and show as everything open” is a known issue for some network scan types…

1 Like

It’s working for me:

jay@testmy:~$ nmap -sT 192.168.250.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-04 18:39 UTC
Nmap scan report for 192.168.250.1
Host is up (0.063s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
80/tcp   open     http
443/tcp  open     https
5431/tcp open     park-agent

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

What type of host are you scanning? What type of nmap scan?

Thanks Jay, I’ll run it on a few different networks to see what happens , may be an issue with the target network it seems and not tailscale.

After chatting with Jay about this, I gave it a try with a Windows subnet router and I see the same behavior that you observed.

On Linux, we use the built-in IP forwarding and NAT features to offer the subnet router feature. On Windows, instead we use netstack to accept TCP connections in the Tailscale client and then the Tailscale client makes an outgoing connection using normal Windows networking. Due to the particulars in how that works, it means that nmap sees the Tailscale client accept the connection on every port. It does this before it can detect that the port is actually closed on the final destination. If the connection to the final device isn’t able to go through, then eventually the connection to the Tailscale client on the subnet relay is automatically closed.

1 Like

copy that, thank you for the info! linux it is!