Nmap Development mailing list archives

Re: nmap unable to find routes in FreeBSD jails


From: David Fifield <david () bamsoftware com>
Date: Thu, 27 Sep 2012 01:32:54 -0700

On Mon, Apr 30, 2012 at 03:39:38PM -0700, David Thiel wrote:
> Hello list,
>
> I'm running a couple of hosts that use multiple FreeBSD jails
> (9.0-RELEASE), but noticed recently that I'm unable to perform any scans
> from within them, because nmap is unable to determine its routes.
>
> I've ensured that security.jail.allow_raw_sockets is set, and I've even
> temporarily exposed /dev/mem and /dev/kmem along with /dev/bpf*, to see
> if that helped things, but to no avail. netstat -rn works just fine, so
> I'm not sure what's preventing nmap from going. Any troubleshooting help
> would be appreciated; I've included some basic info below.
>
> # nmap insecure.org
>
> Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-30 20:38 UTC
> nexthost: failed to determine route to insecure.org (74.207.254.18)
> QUITTING!
>
> # nmap -dd -iflist
>
> Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-30 19:51 UTC
> ************************INTERFACES************************
> DEV    (SHORT)  IP/MASK           TYPE     UP MTU   MAC
> usbus0 (usbus0) (null)/0          other    up 0
> em0    (em0)    206.125.172.20/32 ethernet up 1500  52:54:00:27:27:81
> lo0    (lo0)    (null)/0          loopback up 16384
> lo1    (lo1)    (null)/0          loopback up 16384
>
> ROUTES: NONE FOUND(!)
> Reason:

I'm not sure what the problem is. Your ktrace shows this sequence:

 37625 nmap     CALL  socket(PF_ROUTE,SOCK_RAW,0x2)
 37625 nmap     RET   socket 4
 37625 nmap     CALL  __sysctl(0x7fffffffc920,0x6,0,0x7fffffffc938,0,0)
 37625 nmap     SCTL  "net.routetable.0.0.1.0"
 37625 nmap     RET   __sysctl 0
 37625 nmap     CALL  __sysctl(0x7fffffffc920,0x6,0x802433140,0x7fffffffc938,0,0)
 37625 nmap     SCTL  "net.routetable.0.0.1.0"
 37625 nmap     RET   __sysctl 0
 37625 nmap     CALL  close(0x4)
 37625 nmap     RET   close 0
 37625 nmap     CALL  write(0x1,0x80243c000,0x16)
 37625 nmap     GIO   fd 1 wrote 22 bytes
       "ROUTES: NONE FOUND(!)
       "

which corresponds to this code in libdnet-stripped/src/route-bsd.c.

#ifdef HAVE_SYS_SYSCTL_H
        int mib[6] = { CTL_NET, PF_ROUTE, 0, 0 /* XXX */, NET_RT_DUMP, 0 };
        size_t len;

        if (sysctl(mib, 6, NULL, &len, NULL, 0) < 0)
                return (-1);

        if (len == 0)
                return (0);

        if ((buf = malloc(len)) == NULL)
                return (-1);

        if (sysctl(mib, 6, buf, &len, NULL, 0) < 0) {
                free(buf);
                return (-1);
        }
        lim = buf + len;
        next = buf;
#elif defined(HAVE_GETKERNINFO)

The syscalls appear to succeed, so it might be a problem later on in
route_loop, in the loop with the comment
        /* This loop assumes that RTA_DST, RTA_GATEWAY, and RTA_NETMASK have the
         * values, 1, 2, and 4 respectively. Cf. Unix Network Programming,
         * p. 494, function get_rtaddrs. */
You might try attaching gdb to the route_loop function and see if any of
those "continues" is preventing routes from being added to Nmap's list.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
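
Added illustration, not part of the original message and not libdnet's code: a C model of a walk over a routing-table dump that counts every record a "continue" would silently drop, which is the same information gdb breakpoints on those statements would give. The record layout, the x_ names, the sample bytes and the skip conditions are simplified assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in record (assumption, not the kernel's struct rt_msghdr): u16 msglen,
 * u16 addrs (little-endian), then one sockaddr {sa_len, sa_family, ...} per bit. */
#define X_HDR 4u
#define X_AF_INET 2
struct x_walk { int seen, kept, missing_addr, bad_family, malformed; };

/* Constructed sample dump: three records, only the first is usable. */
static const uint8_t x_sample[] = {
    24,0, 7,0, 8,2,0,0, 0,0,0,0, 8,2,0,0, 10,0,0,1, 0,0,0,0, /* default route */
    12,0, 1,0, 8,2,0,0, 10,0,0,5,                            /* DST only */
    20,0, 3,0, 8,18,0,0, 0,0,0,0, 8,2,0,0, 10,0,0,1,         /* DST family 18 */
};

/* Sockaddrs are padded to 4 bytes; sa_len 0 still occupies one slot. */
static size_t x_step(uint8_t sa_len) { return sa_len ? (sa_len + 3u) & ~(size_t)3 : 4; }

struct x_walk x_route_walk(const uint8_t *buf, size_t len)
{
    struct x_walk w = {0};
    size_t off = 0;
    while (len - off >= X_HDR) {
        const uint8_t *rec = buf + off;
        size_t msglen = rec[0] | (size_t)rec[1] << 8, pos = X_HDR;
        unsigned addrs = rec[2] | (unsigned)rec[3] << 8;
        int fam[3] = {-1, -1, -1}, ok = 1;
        if (msglen < X_HDR || msglen > len - off) { w.malformed++; break; }
        off += msglen;
        w.seen++;
        /* Bit order 1, 2, 4 fixes the sockaddr order: DST, GATEWAY, NETMASK. */
        for (int i = 0; i < 3 && ok; i++) {
            if (!(addrs & (1u << i))) continue;
            if (msglen - pos < 2) { ok = 0; break; }
            fam[i] = rec[pos + 1];
            pos += x_step(rec[pos]);
            ok = pos <= msglen;
        }
        /* Each branch below is a silent skip: the record never becomes a route. */
        if (!ok) { w.malformed++; continue; }
        if (fam[0] < 0 || fam[1] < 0) { w.missing_addr++; continue; }
        if (fam[0] != X_AF_INET) { w.bad_family++; continue; }
        w.kept++;
    }
    return w;
}

int main(void) { return x_route_walk(x_sample, sizeof x_sample).kept == 1 ? 0 : 1; }
```

If every record in a dump lands in one of the skip counters, the syscalls still return 0 and the caller still ends up with an empty route list.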

