Nmap Development mailing list archives
4.22SOC6 Crash With Connect() Scan
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Thu, 13 Sep 2007 17:37:24 +0100 (BST)
Hi Everyone,

I finally got around to testing the new 4.22SOC6 win32 binary (using the zip file) and spotted that it crashed when I asked it to perform a Connect() Scan. I was running Vista Ultimate Edition x86 using the laptop's built-in Broadcom NetXtreme 57xx Gigabit Controller. The built-in wireless card had been disabled. I also had a couple of VMWare network adapters.

I'm repeatedly getting:

Problem signature:
  Problem Event Name:       BEX
  Application Name:         nmap.exe
  Application Version:      4.22.0.6
  Application Timestamp:    46d5355b
  Fault Module Name:        nmap.exe
  Fault Module Version:     4.22.0.6
  Fault Module Timestamp:   46d5355b
  Exception Offset:         000b4918
  Exception Code:           c000000d
  Exception Data:           00000000
  OS Version:               6.0.6000.2.0.0.256.1
  Locale ID:                2057
  Additional Information 1: 28a5
  Additional Information 2: fb30009229d99db816b6ecae13f38e8d
  Additional Information 3: 640f
  Additional Information 4: 6e80f61cc1fbdbdc088f1fa9a06d51ff

C:\Users\Robert>nmap.exe xxxx.xxxx.co.uk -P0 -sT -vv -debug -packet_trace
Winpcap present, dynamic linked to: WinPcap version 4.0.1 (packet.dll version 4.0.0.901), based on libpcap version 0.9.5
Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-09-13 17:04 GMT Daylight Time
Warning: File ./nmap-services exists, but Nmap is using C:\tools\win32\nmap-4.22SOC6\nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
mass_rdns: Using DNS server xxx.xxx.x.x
mass_rdns: Using DNS server xxx.xx.xxx.xx
mass_rdns: Using DNS server xxx.xx.xxx.xx
NSOCK (0.1660s) msevent_new (IOD #1) (EID #8)
NSOCK (0.1660s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #1) EID 8
NSOCK (0.1660s) msevent_new (IOD #1) (EID #18)
NSOCK (0.1660s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 18
NSOCK (0.2070s) msevent_new (IOD #2) (EID #24)
NSOCK (0.2070s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #2) EID 24
NSOCK (0.2070s) msevent_new (IOD #2) (EID #34)
NSOCK (0.2070s) Read request from IOD #2 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 34
NSOCK (0.2130s) msevent_new (IOD #3) (EID #40)
NSOCK (0.2130s) UDP connection requested to xxx.xxx.x.x:53 (IOD #3) EID 40
NSOCK (0.2130s) msevent_new (IOD #3) (EID #50)
NSOCK (0.2130s) Read request from IOD #3 [xxx.xxx.x.x:53] (timeout: -1ms) EID 50
Initiating Parallel DNS resolution of 1 host. at 16:50
NSOCK (0.2130s) msevent_new (IOD #1) (EID #59)
NSOCK (0.2130s) Write request for 44 bytes to IOD #1 EID 59 [xxx.xx.xxx.xx:53]: .............xxx.xxx.xxx.xxx.in-addr.arpa.....
NSOCK (0.2220s) nsock_loop() started (timeout=500ms). 7 events pending
NSOCK (0.2220s) wait_for_events
NSOCK (0.2220s) PCAP read_on_nonselect
NSOCK (0.2220s) PCAP END read_on_nonselect
NSOCK (0.2250s) Callback: CONNECT SUCCESS for EID 40 [xxx.xxx.x.x:53]
NSOCK (0.2250s) msevent_delete (IOD #3) (EID #40)
NSOCK (0.2250s) Callback: CONNECT SUCCESS for EID 24 [xxx.xx.xxx.xx:53]
NSOCK (0.2250s) msevent_delete (IOD #2) (EID #24)
NSOCK (0.2250s) Callback: CONNECT SUCCESS for EID 8 [xxx.xx.xxx.xx:53]
NSOCK (0.2250s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.2250s) Callback: WRITE SUCCESS for EID 59 [xxx.xx.xxx.xx:53]
NSOCK (0.2250s) msevent_delete (IOD #1) (EID #59)
NSOCK (0.2340s) wait_for_events
NSOCK (0.2340s) PCAP read_on_nonselect
NSOCK (0.2340s) PCAP END read_on_nonselect
NSOCK (0.2400s) Callback: READ SUCCESS for EID 18 [xxx.xx.xxx.xx:53] (138 bytes)
NSOCK (0.2400s) msevent_new (IOD #1) (EID #66)
NSOCK (0.2400s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 66
NSOCK (0.2400s) msevent_delete (IOD #1) (EID #66)
NSOCK (0.2400s) msevent_delete (IOD #2) (EID #34)
NSOCK (0.2400s) msevent_delete (IOD #3) (EID #50)
mass_rdns: 0.08s 0/1 [#: 3, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
NSOCK (0.2400s) msevent_delete (IOD #1) (EID #18)
Completed Parallel DNS resolution of 1 host. at 16:50, 0.03s elapsed
DNS resolution of 1 IPs took 0.09s. Mode: Async [#: 3, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan at 16:50
Scanning xxxx.xxxx.xxxx.net (xx.xxx.xxx.xx) [1705 ports]
CONN (0.2540s) TCP localhost > xx.xxx.xxx.xx:113 => Unknown error
CONN (0.2550s) TCP localhost > xx.xxx.xxx.xx:21 => Unknown error
CONN (0.2560s) TCP localhost > xx.xxx.xxx.xx:389 => Unknown error
CONN (0.2570s) TCP localhost > xx.xxx.xxx.xx:1723 => Unknown error
CONN (0.2580s) TCP localhost > xx.xxx.xxx.xx:25 => Unknown error
CONN (2.2550s) TCP localhost > xx.xxx.xxx.xx:25 => Unknown error
CONN (2.2580s) TCP localhost > xx.xxx.xxx.xx:1723 => Unknown error
CONN (2.2600s) TCP localhost > xx.xxx.xxx.xx:389 => Unknown error
CONN (2.2620s) TCP localhost > xx.xxx.xxx.xx:21 => Unknown error
CONN (2.2650s) TCP localhost > xx.xxx.xxx.xx:113 => Unknown error
CONN (3.2560s) TCP localhost > xx.xxx.xxx.xx:22 => Unknown error
CONN (3.2590s) TCP localhost > xx.xxx.xxx.xx:636 => Unknown error
CONN (3.2610s) TCP localhost > xx.xxx.xxx.xx:554 => Unknown error
CONN (3.2630s) TCP localhost > xx.xxx.xxx.xx:443 => Unknown error
CONN (3.2650s) TCP localhost > xx.xxx.xxx.xx:80 => Unknown error
CONN (4.2570s) TCP localhost > xx.xxx.xxx.xx:22 => Unknown error
CONN (4.2600s) TCP localhost > xx.xxx.xxx.xx:636 => Unknown error
CONN (4.2630s) TCP localhost > xx.xxx.xxx.xx:554 => Unknown error
CONN (4.2650s) TCP localhost > xx.xxx.xxx.xx:443 => Unknown error
CONN (4.2680s) TCP localhost > xx.xxx.xxx.xx:80 => Unknown error
CONN (5.2580s) TCP localhost > xx.xxx.xxx.xx:23 => Unknown error
CONN (5.2610s) TCP localhost > xx.xxx.xxx.xx:53 => Unknown error
CONN (5.2640s) TCP localhost > xx.xxx.xxx.xx:3389 => Unknown error
CONN (5.2670s) TCP localhost > xx.xxx.xxx.xx:256 => Unknown error
CONN (5.2690s) TCP localhost > xx.xxx.xxx.xx:61439 => Unknown error

Running the exact same command with nmap 4.11, 4.21-A1, 4.22SOC2, 4.22SOC3, 4.22SOC5 appears to work fine. This seems to have started with 4.22SOC6.

I decided to try it from a Windows 2003 SP2 Enterprise Edition x86 machine and I saw a similar crash:

The exception unknown software exception (0xc000000d) occurred in the application at location 0x004b4918.

C:\Documents and Settings\Robert\Desktop\nmap-4.22SOC6>nmap -P0 -vv -sT xxx.xxx.xxx.xxx -debug -packet_trace
Winpcap present, dynamic linked to: WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on libpcap version 0.9[.x]
Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-09-13 17:20 GMT Daylight Time
Warning: File ./nmap-services exists, but Nmap is using C:\Documents and Settings\Robert\Desktop\nmap-4.22SOC6\nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
mass_rdns: Using DNS server xxx.xxx.xxx.xxx
mass_rdns: Using DNS server xxx.xxx.xxx.xxx
NSOCK (0.1090s) msevent_new (IOD #1) (EID #8)
NSOCK (0.1090s) UDP connection requested to xxx.xxx.xxx.xxx:53 (IOD #1) EID 8
NSOCK (0.1090s) msevent_new (IOD #1) (EID #18)
NSOCK (0.1090s) Read request from IOD #1 [xxx.xxx.xxx.xxx:53] (timeout: -1ms) EID 18
NSOCK (0.1090s) msevent_new (IOD #2) (EID #24)
NSOCK (0.1090s) UDP connection requested to xxx.xxx.xxx.xxx:53 (IOD #2) EID 24
NSOCK (0.1090s) msevent_new (IOD #2) (EID #34)
NSOCK (0.1090s) Read request from IOD #2 [xxx.xxx.xxx.xxx:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution of 1 host. at 17:20
NSOCK (0.1090s) msevent_new (IOD #1) (EID #43)
NSOCK (0.1090s) Write request for 44 bytes to IOD #1 EID 43 [xxx.xxx.xxx.xxx:53]: .............xxx.xxx.xxx.xxx.in-addr.arpa.....
NSOCK (0.1250s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.1250s) wait_for_events
NSOCK (0.1250s) PCAP read_on_nonselect
NSOCK (0.1250s) PCAP END read_on_nonselect
NSOCK (0.1250s) Callback: CONNECT SUCCESS for EID 24 [xxx.xxx.xxx.xxx:53]
NSOCK (0.1250s) msevent_delete (IOD #2) (EID #24)
NSOCK (0.1250s) Callback: CONNECT SUCCESS for EID 8 [xxx.xxx.xxx.xxx:53]
NSOCK (0.1250s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.1250s) Callback: WRITE SUCCESS for EID 43 [xxx.xxx.xxx.xxx:53]
NSOCK (0.1250s) msevent_delete (IOD #1) (EID #43)
NSOCK (0.1250s) wait_for_events
NSOCK (0.1250s) PCAP read_on_nonselect
NSOCK (0.1250s) PCAP END read_on_nonselect
NSOCK (0.2500s) Callback: READ SUCCESS for EID 18 [xxx.xxx.xxx.xxx:53] (120 bytes)
NSOCK (0.2500s) msevent_new (IOD #1) (EID #50)
NSOCK (0.2500s) Read request from IOD #1 [xxx.xxx.xxx.xxx:53] (timeout: -1ms) EID 50
NSOCK (0.2500s) msevent_delete (IOD #1) (EID #50)
NSOCK (0.2500s) msevent_delete (IOD #2) (EID #34)
mass_rdns: 0.14s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
NSOCK (0.2500s) msevent_delete (IOD #1) (EID #18)
Completed Parallel DNS resolution of 1 host. at 17:20, 0.14s elapsed
DNS resolution of 1 IPs took 0.16s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan at 17:20
Scanning xxx.xxx.xxx.xxx [1705 ports]
CONN (0.2650s) TCP localhost > xxx.xxx.xxx.xxx:636 => Unknown error
CONN (0.2650s) TCP localhost > xxx.xxx.xxx.xxx:256 => Unknown error
CONN (0.2650s) TCP localhost > xxx.xxx.xxx.xxx:23 => Unknown error
CONN (0.2650s) TCP localhost > xxx.xxx.xxx.xxx:1723 => Unknown error
CONN (0.2650s) TCP localhost > xxx.xxx.xxx.xxx:3389 => Unknown error

Can anyone else replicate this? Anyone have any ideas why it's happening? It sounds to me like a recently introduced bug in nmap. I suspect we can rule out WinPcap (I'm still using 3.1 on the 2003 box, but using 4.0.1 on Vista) and the OS.
Cheers,

Rob

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
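For reading traces like the two quoted in the report, here is a small parser (an added example, not part of Rob's message or of Nmap itself) for the CONN lines that -packet_trace prints during a Connect() Scan. It counts attempts per port and flags the failure mode seen above, where every single connect() attempt reports "Unknown error", which says something about the scanner rather than about the target's ports. The sample lines are constructed from the report with a placeholder address, and the "Operation now in progress" line is a constructed healthy line added for contrast.

```python
import re
from collections import Counter, defaultdict

# Shape of the CONN lines quoted in the report:
#   CONN (0.2540s) TCP localhost > xx.xxx.xxx.xx:113 => Unknown error
# The status text is whatever the socket layer reported for that connect().
CONN_RE = re.compile(
    r"^CONN \((?P<t>[\d.]+)s\) (?P<proto>TCP|UDP) (?P<src>\S+) > "
    r"(?P<host>\S+):(?P<port>\d+) => (?P<status>.+)$"
)

def parse_conn_lines(lines):
    """Yield one dict per CONN line; NSOCK, mass_rdns and other lines are skipped."""
    for line in lines:
        m = CONN_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["t"] = float(rec["t"])
            rec["port"] = int(rec["port"])
            yield rec

def summarize(lines):
    """Per-port attempt counts, status counts, retried ports, and a scanner-fault flag."""
    attempts = defaultdict(int)
    statuses = Counter()
    for rec in parse_conn_lines(lines):
        attempts[rec["port"]] += 1
        statuses[rec["status"]] += 1
    total = sum(statuses.values())
    # Every attempt ending in "Unknown error" (as in the report) means the
    # results cannot be trusted as a statement about the target's port state.
    scanner_fault = total > 0 and statuses.get("Unknown error", 0) == total
    return {
        "attempts_per_port": dict(attempts),
        "status_counts": dict(statuses),
        "retried_ports": sorted(p for p, n in attempts.items() if n > 1),
        "scanner_fault": scanner_fault,
    }

# Constructed sample: a subset of the Vista trace with a placeholder address.
SAMPLE_BROKEN = """\
Initiating Connect() Scan at 16:50
CONN (0.2540s) TCP localhost > 192.0.2.10:113 => Unknown error
CONN (0.2550s) TCP localhost > 192.0.2.10:21 => Unknown error
CONN (2.2550s) TCP localhost > 192.0.2.10:25 => Unknown error
CONN (2.2620s) TCP localhost > 192.0.2.10:21 => Unknown error
""".splitlines()

# Constructed healthy line appended so the contrast with the broken trace is visible.
SAMPLE_HEALTHY = SAMPLE_BROKEN + [
    "CONN (3.0000s) TCP localhost > 192.0.2.10:80 => Operation now in progress",
]

if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("healthy", SAMPLE_HEALTHY)):
        print(name, summarize(sample))
```

Feed it the output of an nmap run with -sT -packet_trace (or the saved text of a report like this one); any non-CONN line is ignored.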
Current thread:
- 4.22SOC6 Crash With Connect() Scan Rob Nicholls (Sep 13)
- Re: 4.22SOC6 Crash With Connect() Scan David Fifield (Sep 13)
- Re: 4.22SOC6 Crash With Connect() Scan majek04 (Sep 13)
- Re: 4.22SOC6 Crash With Connect() Scan David Fifield (Sep 14)
- Re: 4.22SOC6 Crash With Connect() Scan majek04 (Sep 14)
- Re: 4.22SOC6 Crash With Connect() Scan majek04 (Sep 13)
- Re: 4.22SOC6 Crash With Connect() Scan David Fifield (Sep 13)